[TLS] Thoughts on TLS 1.3 cryptography performance
Watson Ladd <watsonbladd@gmail.com> Thu, 13 March 2014 01:11 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D7F51A07E2 for <tls@ietfa.amsl.com>; Wed, 12 Mar 2014 18:11:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b15I8kC3_DV4 for <tls@ietfa.amsl.com>; Wed, 12 Mar 2014 18:10:58 -0700 (PDT)
Received: from mail-yh0-x22d.google.com (mail-yh0-x22d.google.com [IPv6:2607:f8b0:4002:c01::22d]) by ietfa.amsl.com (Postfix) with ESMTP id D6A101A07E5 for <tls@ietf.org>; Wed, 12 Mar 2014 18:10:37 -0700 (PDT)
Received: by mail-yh0-f45.google.com with SMTP id a41so362679yho.18 for <tls@ietf.org>; Wed, 12 Mar 2014 18:10:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=B7w2TJYHV4n4kEMO1zx2XShZbdZEtFRV9lPIgyOMGtU=; b=UQQYBNL73C0CGNbMRfO5yE7hpFduynOOjZz8Wtvoeku0XnqPwuI+K5IUQakuxK0zlw K4mYdArD0rB4aDoXsq1vgjexkBvaRZmvvT8SavohGEJuI/iW+koscpFPywc0VUU98Epb kGXGOe2oP9ifUwqTyNLj3BFCy/r93CsD5gxBbB/Nc3x2anEwMs8Biifh0wEeghM03QcD 8e8mb+a6autikPfd6FGZBDG8y1EbUUdd8LOk3nKz0v00/m7yBFzZTpxA7lsWmwgXMLL9 imWeYNRwgTgfgUSP0mIM3RApIXe1fiDrc2tsTQmeVvZ1icikRGG7MBMQ+ZT5QyJb2T71 3E1g==
MIME-Version: 1.0
X-Received: by 10.236.60.68 with SMTP id t44mr723585yhc.47.1394673031390; Wed, 12 Mar 2014 18:10:31 -0700 (PDT)
Received: by 10.170.80.214 with HTTP; Wed, 12 Mar 2014 18:10:31 -0700 (PDT)
Date: Wed, 12 Mar 2014 18:10:31 -0700
Message-ID: <CACsn0ckbrrt0rBsHM+5A_jNK6UvkaiO9mHx6=Jr+jjqy+bZ6MQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4mtTYtRTcnuQzck0PSPtd6Eu82c
Subject: [TLS] Thoughts on TLS 1.3 cryptography performance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Mar 2014 01:11:01 -0000
Dear all, Below are some thoughts about the TLS 1.3 cryptography, based on actual performance measurements together with information about what is actually offered and new research. It also addresses some issues I have with the 1-RTT handshake currently proposed. Currently a state-of-the-art handshake involves 2 exponentiations and a signature on the server side and 2 exponentiations on the client side and a verification. One is fixed base, the other variable base. On haswell the fastest ECDHE agreement takes 45,468 cycles, using a GLS curve. Curve25519 weighs in at 162,460 cycles. These are medians. nistp256 would be in the neighborhood of efp256s, at 273,656 cycles, and the key generation for ECDSA signatures with P256 weighs in at 253,307. (Key generation can use precomputed multiples). This pattern holds for almost all architectures. Recent research gets 72,220 cycles using genus 2 curves: https://eprint.iacr.org/2014/134.pdf. Now, you may wonder why you've never heard of GLS, and the reason is that there is a slight loss of security from the endomorphisms. Point counting on surfaces is a pain, so that's why this is new work. In the land of signatures life is a bit harder. ECDSA validation for P256 takes 850,000 cycles, probably because multiexponentiation wasn't used. Signing takes 373,486 cycles. Even Ed25519 takes 68,552 cycles to sign and 206,886 to verify. What about RSA? Signing with a 1024 bit key takes 1,279,440cycles. I went and validated these numbers will OpenSSL speed on my machine. I can sign with ECDSA P256 ten times as fast as RSA 2048. There is a reason every heavily loaded server is moving to ECDSA_ECDHE as quickly as possible. However, we can do better. The trick is to note that the only time a signature needs to be generated is when the data it protects changes, and the only time it needs to be checked is when you forget whether what it was protecting was protected by it. Therefore, if we have the server send g^a, g^x, and the client g^c, g^y, and compute the premaster secret using the so-called "triple DH" H(g^(ay) |g^(cx) |g^(xy)), so long as the client remembers g^a, it doesn't need to check for a signature. And so long as the server doesn't change g^a, it doesn't need to recompute a signature. (Hashing in the transcript should be done, but I think the Premaster->Master transformation does that?) The extra work done is two exponentiations, replacing a signature generation. This is a slight loss if you are using ECDSA and replace it with ECDHE P256, but with Curve25519 replacing ECDSA it's a win. Furthermore, if the client recalls g^a it doesn't need to ask for a certificate, and we have a 1-RTT handshake, with obvious fallback to a negotiation if the group is wrong or the client wants to see the certificate for g^a again. Asking for the certificate can take place over the secure channel established If we don't mind licensing HMQV we can use that, or remove the g^(xy) if we want PFS so long as the client generated g^c randomly and forgot what c was. This adds a lot more performance by removing an exponentiation. Thanks to Dan Brown for pointing out that HMQV continues to exist on the CFRG list. End of the day, TLS 1.3 won't be adopted because it's more secure: look at TLS 1.0 vs. TLS 1.1 on the SSL Observatory. It will be adopted because it is faster and reduces load on servers, and we should do our best to make sure it is also more secure, simpler to implement well, and includes more of the necessary extension drafts then TLS 1.2 currently does. Lastly, we should strongly consider requiring that miTLS be updated in line with the TLS 1.3 spec. We finally have mechanical validation of security: we shouldn't lose it. Sincerely, Watson Ladd
- [TLS] Thoughts on TLS 1.3 cryptography performance Watson Ladd
- [TLS] Version negotiation (was: Thoughts on TLS 1… Michael D'Errico
- Re: [TLS] Version negotiation (was: Thoughts on T… Eric Rescorla
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Santosh Chokhani
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Watson Ladd
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Nico Williams
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Watson Ladd
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Nico Williams
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Trevor Perrin
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Nico Williams
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Eric Rescorla
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Nico Williams
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Trevor Perrin
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Watson Ladd
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Trevor Perrin
- Re: [TLS] Thoughts on TLS 1.3 cryptography perfor… Eric Rescorla