Re: [TLS] Curve25519 in TLS
Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed, 16 October 2013 06:37 UTC
Return-Path: <mpg@elzevir.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B10111E8257 for <tls@ietfa.amsl.com>; Tue, 15 Oct 2013 23:37:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WH-J4S7TK4De for <tls@ietfa.amsl.com>; Tue, 15 Oct 2013 23:37:02 -0700 (PDT)
Received: from mordell.elzevir.fr (mordell.elzevir.fr [IPv6:2001:4b98:dc0:41:216:3eff:feeb:c406]) by ietfa.amsl.com (Postfix) with ESMTP id C5DA521F96DA for <tls@ietf.org>; Tue, 15 Oct 2013 23:36:58 -0700 (PDT)
Received: from thue.elzevir.fr (thue.elzevir.fr [88.165.216.11]) by mordell.elzevir.fr (Postfix) with ESMTPS id 6870916153; Wed, 16 Oct 2013 08:36:54 +0200 (CEST)
Received: from [192.168.0.124] (unknown [192.168.0.254]) by thue.elzevir.fr (Postfix) with ESMTPSA id 734BB260A6; Wed, 16 Oct 2013 08:36:53 +0200 (CEST)
Message-ID: <525E3404.2090808@elzevir.fr>
Date: Wed, 16 Oct 2013 08:36:52 +0200
From: Manuel Pégourié-Gonnard <mpg@elzevir.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0
MIME-Version: 1.0
To: Simon Josefsson <simon@josefsson.org>, tls@ietf.org
References: <a84d7bc61003011620i66fc7dfdre62b548fdd5ef7dd@mail.gmail.com> <522D25B9.7010506@funwithsoftware.org> <56C25B1D-C80F-495A-806C-5DD268731CD4@qut.edu.au> <87zjrl21wp.fsf_-_@latte.josefsson.org> <8738outeup.fsf@latte.josefsson.org>
In-Reply-To: <8738outeup.fsf@latte.josefsson.org>
X-Enigmail-Version: 1.5.2
OpenPGP: id=98EED379; url=https://elzevir.fr/gpg/mpg.asc
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Curve25519 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2013 06:37:06 -0000
Hi, On 24/09/2013 17:32, Simon Josefsson wrote: > http://tools.ietf.org/html/draft-josefsson-tls-curve25519-01 > I think a few points should be clarified in the draft. As the introduction correctly states, Curve25519 is a new ECDH function, not just a new curve for use with the usual ECDH construction. Let me sum up the constructions of ECDH in TLS and in Curve25519. TLS ECDH: 1. Private keys: random integer in the range [1, q-1] with q the order of G. 2. Public keys: a point on the curve (defined over F_p). 3. Public key encoding: either (a) the x and y coordinates of the point, or (b) the x coordinate and a bit for determination of the y coordinate, with integers represented as big-endian bytes strings, preceded by a first byte indicating which format was chosen (and holding the possible additional bit). Curve25519 ECDH: 1. Private keys: random 254-bit positive integer with the high-order bit set and the three lowest-order bits cleared. 2. Public keys: any number in the range [0, 2^{256}-1]. 3. Public key encoding: a byte string in little-endian convention. Now I'll discuss the differences and possible issues in more detail. 1. Concerning the private key, I think keeping the paper's definition does not raise any issue. Implementors should just be careful to use a special procedure for this curve. 2. Concerning the public key, the 256-bit integer in the paper represents (modulo p) the x coordinate of a point on the curve E, but this point may not be defined over F_p, but over F_{p^2}. An alternative way of seeing things is that the public key may be either the x coordinate of a point in E(F_p) or of a point in E'(F_p) where E' is the twist curve y^2 = x^3 + 2Ax^2 + 4x. By construction of E, this is not a security issue at all, and rather a fact that simplifies implementations of the Curve25519-ECDH protocol, since there is no need to check the validity of public keys and they are shorter, but it introduces a real difference (in the type of objects, not just their representation) with the usual TLS ECDH function. 3. So, if we want to preserve the nice property than any 32-byte string (ie, any 256-bit integer x) is a valid key (and I think we do), we don't have a y coordinate at our disposal for the normal encoding procedure. Some ideas around this issue: A. Just use the convention y = 0 and one of the existing formats. Pros: simple, just works. Cons: with the basic "uncompressed" format, wastes 32 bytes of bandwidth. B. Always use the "ansiX962_compressed_prime" format. Pros: doesn't waste bandwidth. Cons: forces applications to advertise support this format, which is a problem if they can't support it for other prime curves, unless we introduce an exception to the effect that support for this format with this particular curve is implied as soon as support for the curve is advertised. Does not seem very clean to me. C. Introduce a new point format "compressed_prime_montgomery". Pros: doesn't waste bandwidth, doesn't look hacky. Cons: a new point format only for one curve? OTOH, it is indeed a particular class of curve, since the recommended formulas work only with the x coordinate, and other curves in this class may be added later. Note that A and C may be combined. Any other idea? Manuel.
- [TLS] Testing consensus for adding curve25519 to … Adam Langley
- Re: [TLS] Testing consensus for adding curve25519… Russ Housley
- Re: [TLS] Testing consensus for adding curve25519… Rob P Williams
- Re: [TLS] Testing consensus for adding curve25519… Patrick Pelletier
- Re: [TLS] Testing consensus for adding curve25519… Douglas Stebila
- Re: [TLS] Testing consensus for adding curve25519… Douglas Stebila
- Re: [TLS] Testing consensus for adding curve25519… Nick Mathewson
- [TLS] Curve25519 in TLS Simon Josefsson
- Re: [TLS] Testing consensus for adding curve25519… Nico Williams
- Re: [TLS] Testing consensus for adding curve25519… Douglas Stebila
- Re: [TLS] Testing consensus for adding curve25519… Dan Brown
- Re: [TLS] Curve25519 in TLS Rob Stradling
- Re: [TLS] Testing consensus for adding curve25519… Nick Mathewson
- Re: [TLS] Testing consensus for adding curve25519… Dan Brown
- Re: [TLS] Curve25519 in TLS Simon Josefsson
- Re: [TLS] Testing consensus for adding curve25519… Douglas Stebila
- Re: [TLS] Curve25519 in TLS Kyle Hamilton
- Re: [TLS] Curve25519 in TLS Rob Stradling
- Re: [TLS] Curve25519 in TLS Yoav Nir
- Re: [TLS] Curve25519 in TLS Dan Brown
- Re: [TLS] Curve25519 in TLS Bodo Moeller
- [TLS] Koblitz curves [was RE: Curve25519 in TLS] Dan Brown
- Re: [TLS] Curve25519 in TLS Rob Stradling
- Re: [TLS] Curve25519 in TLS Simon Josefsson
- Re: [TLS] Curve25519 in TLS Rob Stradling
- Re: [TLS] Curve25519 in TLS Nico Williams
- Re: [TLS] Curve25519 in TLS Rob Stradling
- Re: [TLS] Curve25519 in TLS Paul Bakker
- Re: [TLS] Curve25519 in TLS Yoav Nir
- Re: [TLS] Curve25519 in TLS Rob Stradling
- [TLS] Curve25519 in TLS Simon Josefsson
- [TLS] Ed25519 for PKIX Simon Josefsson
- Re: [TLS] Ed25519 for PKIX Adam Langley
- Re: [TLS] Ed25519 for PKIX Simon Josefsson
- Re: [TLS] Curve25519 in TLS Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS Martin Rex
- Re: [TLS] Curve25519 in TLS Juho Vähä-Herttua
- Re: [TLS] Curve25519 in TLS Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS Watson Ladd
- Re: [TLS] Curve25519 in TLS Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS Simon Josefsson
- Re: [TLS] Curve25519 in TLS Martin Rex
- Re: [TLS] Curve25519 in TLS Nico Williams