Re: [TLS] draft-ietf-tls-curve25519-01 and the X25519 significant bit.

Brian Smith <brian@briansmith.org> Wed, 30 December 2015 23:04 UTC

Date: Wed, 30 Dec 2015 13:04:09 -1000
Message-ID: <CAFewVt6JXmJ9BN9fdcR1F8iEcet5+rsbCthntNaCe5Rehbf==A@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Kurt Roeckx <kurt@roeckx.be>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/CCitjnxJSpexuR5zhDz0Ke_k9tg>
Cc: Adam Langley <agl@imperialviolet.org>, Simon Josefsson <simon@josefsson.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01 and the X25519 significant bit.

Kurt Roeckx <kurt@roeckx.be> wrote:

> On Tue, Dec 29, 2015 at 09:02:25AM -1000, Brian Smith wrote:
> >
> > Does that matter, though? The CFRG document doesn't allow the sender to
> > set the high bit to 1, right? In particular, it says "All calculations are
> > performed in GF(p), i.e., they are performed modulo p." and "For X25519,
> > the unused, most-significant bit MUST be zero."
> >
> > If the receiver can detect that the sender is non-conforming, then it
> > should be able to stop talking to it on that basis alone.
>
> I don't know enough about all the various drafts to know if this
> might be a problem or not, but I'm concerned about providing an
> error oracle.
>

It's a public value sent by the other side, so that's not an issue.

Cheers,
Brian
-- 
https://briansmith.org/
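The bit the thread is arguing about is bit 255 of the 32-byte little-endian u-coordinate. The following is an added illustration, not code from the thread or from any named implementation: it shows the strict receiver Brian describes (detect the non-conforming sender and refuse), next to the two lenient readings a receiver could take, masking the bit versus reducing the whole integer modulo p. Since 2^255 is congruent to 19 mod p, those two lenient readings disagree whenever the bit is set, which is why a receiver's choice matters for interoperability. All sample values below are constructed.

```python
# Added example (not from the thread): handling bit 255 of a received
# X25519 public value. Field prime for Curve25519:
P = 2**255 - 19


def decode_u(raw: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate into an integer."""
    if len(raw) != 32:
        raise ValueError("X25519 public value must be exactly 32 bytes")
    return int.from_bytes(raw, "little")


def msb_is_set(raw: bytes) -> bool:
    """True if the unused bit 255 (top bit of the final byte) is set."""
    return bool(raw[31] & 0x80)


def check_conforming(raw: bytes) -> int:
    """Strict receiver: the CFRG text says the unused MSB MUST be zero, so a
    set bit identifies a non-conforming sender and the value is rejected.
    The rejected value is the peer's public key, so the error reveals
    nothing about the receiver's private key."""
    if msb_is_set(raw):
        raise ValueError("non-conforming X25519 public value: bit 255 set")
    return decode_u(raw)


def masked_u(raw: bytes) -> int:
    """Lenient receiver A: clear bit 255 and use the remaining 255 bits."""
    b = bytearray(raw)
    b[31] &= 0x7F
    return decode_u(bytes(b))


def reduced_u(raw: bytes) -> int:
    """Lenient receiver B: treat all 256 bits as a field element and reduce
    modulo p. Because 2**255 = 19 (mod p), this is NOT the same u as
    masked_u() whenever bit 255 is set."""
    return decode_u(raw) % P


def lenient_readings_agree(raw: bytes) -> bool:
    """Do the masking and reduce-mod-p interpretations yield the same u?"""
    return masked_u(raw) == reduced_u(raw)
```

A conforming value (bit 255 clear) decodes identically under all three functions; a value with the bit set is rejected by check_conforming() and is read as two different field elements by the lenient variants.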