Re: [TLS] Should we require compressed points
Rene Struik <rstruik.ext@gmail.com> Wed, 22 October 2014 20:24 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A3F61A03A0 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 13:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_46=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7td9Uwmfz5xy for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 13:24:38 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C7581A0263 for <tls@ietf.org>; Wed, 22 Oct 2014 13:24:38 -0700 (PDT)
Received: by mail-ig0-f171.google.com with SMTP id l13so85789iga.4 for <tls@ietf.org>; Wed, 22 Oct 2014 13:24:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=bUMUzd7hrdnT9FbNAWnFbkO2XL5AcunZenskkc/ZKVU=; b=SSKwmonJfe1Rno5TWNlgD64kseV1uG54DUahKDvS2ZSH/7eA1FxQs05Qjs6kMQ1ioO A+rKfQI3N/acgmbw6jXBY3DLQNA9Hyz/7DxHc37J5E7AP+K38kkhAaNVFWOIK/Bx/AwM rxN89UeUC1ngTLNR/pwHI9/ewz2r/mrAU+MbChTHl9ewhYZVgizKrPXPDLTvVmj98OKa WJ28M5mV3s4Nrkgg4UAFaryTCYTbYPv7bnV4/4gETX1kf8RvyeMXx4GLwtLIqICxMh3N Eh6lbnZ3/Ws3swyNNL0XjcfXbc/Lm6PRYMJxStbS7cdmyPG79KpSw0L/6ouI/Yu6Geg4 zmkg==
X-Received: by 10.50.79.232 with SMTP id m8mr37247920igx.11.1414009477104; Wed, 22 Oct 2014 13:24:37 -0700 (PDT)
Received: from [192.168.0.10] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id y64sm8000647iod.0.2014.10.22.13.24.36 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Oct 2014 13:24:36 -0700 (PDT)
Message-ID: <54481274.2020008@gmail.com>
Date: Wed, 22 Oct 2014 16:24:20 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>
References: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com> <544677AE.4000005@nthpermutation.com> <CACsn0cnbgHbkdpcoUYfrkzCWkB-XS6ZFD7F96bWHsU+tiLRCGg@mail.gmail.com> <5447E307.3010104@gmail.com> <CACsn0c=xkw24PJjEw+GZaQPAT-mRT24FkndfPU=jzHkkyrOnwA@mail.gmail.com>
In-Reply-To: <CACsn0c=xkw24PJjEw+GZaQPAT-mRT24FkndfPU=jzHkkyrOnwA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070107000000020604040400"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/G-J_0j0AdM3gXogeixJVNwLacIo
Cc: tls@ietf.org
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 20:24:41 -0000
Hi Watson: Your argument seems to be biased towards x-coordinate only calculations. There may very well be good reasons for implementations using the y-coordinate of a received point in their implementation as well, in which case forcing those to incur a ~10% of scalar multiply performance hit by offering only compressed objects seems to be somewhat brutal. Best regards, Rene On 10/22/2014 2:52 PM, Watson Ladd wrote: > > > On Oct 22, 2014 10:02 AM, "Rene Struik" <rstruik.ext@gmail.com > <mailto:rstruik.ext@gmail.com>> wrote: > > > > Hi Watson: > > > > I do not understand your statement below: the cost of > "decompressing" points may be not that insignificant and, depending on > application, one might rather send uncompressed points instead. > > > > For simplicity, let us assume a short-Weierstrass curve E with > defining equation y^2 = x^3 + a x + b (mod p). (A similar argument > holds for other curves, of course.) > > > > If one receives an uncompressed alleged point R:=(x,y), one has to > check whether this is indeed on the curve E. This comes roughly at > cost 2S+1M (where S=squaring; M=multiply). > > If one receives a compressed point R':=(x,y') and requires the > corresponding uncompressed point R, one has to compute a solution y to > the equation y^2=alpha, where alpha:=x^3+ax+b (mod p) and (if there is > a solution) pick y or p-y, depending on the binary value y'. This > comes at roughly cost 1S + 1M+1SQRT (where SQRT=square root). > > > > The trade-off here is that point compression slightly saves on > communication bandwidth, whereas it does increase computational cost > of scalar multiplies. > > {Rough ballpark for 256-bit curve: 64 octet uncompressed point vs. > 32 octet compressed point; curve check uncompressed point roughly > <0.2% cost scalar multiply vs. ~10% cost scalar multiply (based on > figures I have seen floating around on the cfrg mailing list).} > > > > Your suggested "security concern" seems to be that implementers will > somehow not perform the curve check (why?) and that, by using point > compression, you simply enforce it indirectly (since recomputing the > uncompressed point from the compressed one includes checking whether > the x-value is indeed the x-coordinate of a possible curve point). For > implementers that *do* perform the curve check and do care more about > performance than about the 32-octet communication savings, this would > present a disadvantage. > > Ask Bouncycastle, Apple, and Go why they don't do this check. > (Bouncycastle fixed it). The fact is implementations are exploitable > as a result of taking shortcuts not revealed in ordinary testing. > > Furthermore, x coordinate only is adequate for ECDH and was suggested > in the original ECC paper. > > > > > The only case where the latter does not incur such a large > performance hit seems to be in cases where scalar multiplication does > not use the y-coordinate at all (since then one does not care about y' > and simply sees whether alpha is a quadratic residue). This does > however restrict implementation freedom. > > Brier - Joyce is also slower then table based fixed window methods. > Furthermore, not all curves in TLS are twist secure. > > > > If one were to be concerned about implementation attacks, why not > have people compute a compressed point R':=(x,y') from a received > uncompressed point R:=(x,y) {this simply requires taking y':=y (mod > 2), i.e., determining the parity of y} and then do as you suggested. > > They could validate the received point instead. Why decompress when > you don't have to? > > > > Using uncompressed points gives people two mechanisms for preventing > invalid point attacks (via curve check or point decompression), at > slightly higher communication cost (32 octets) that seems easy to > accept in most TLS applications. Allowing freedom to choose either > format gives people choice, also on communication cost side, at > trivial cost of having a single octet indicator. > > > > This leads us back to the representation formats we currently have. > > > > Best regards, Rene > > > > == > > > > Yes, but uncompressed points are not a security concern in X509, but > they are in ECDH. Furthermore, the cost of adding compression support > is very small: it's a square root, a check, and potentially flipping > the sign. The benefit is that invalid point attacks are much harder to > carry out. > > > > On 10/22/2014 12:11 PM, Watson Ladd wrote: > >> > >> On Tue, Oct 21, 2014 at 8:11 AM, Michael StJohns > <msj@nthpermutation.com <mailto:msj@nthpermutation.com>> wrote: > >> > On 10/21/2014 10:52 AM, Eric Rescorla wrote: > >> > > >> > https://github.com/tlswg/tls13-spec/issues/80 > >> > > >> > Today we discussed the possibility of requiring support for > compressed > >> > points > >> > in TLS 1.3 now that the IPR has expired. > >> > > >> > Specifically, I propose that for TLS 1.3, we: > >> > > >> > - Use only compressed points for the existing curves (and presumably > >> > whatever superior format is defined for the CFRG-recommended > >> > curves, as appropriate). > >> > > >> > - Deprecate the Supported Point Formats extension for TLS 1.3 > >> > > >> > > >> > I'm pretty much opposed to the former and I guess by extension > the latter. > >> > > >> > There's a very large body of code that doesn't support anything > except type > >> > 0x04(uncompressed) X9.63 point encodings. If you want to add > support for > >> > compressed points (or hybrid compressed), I don't think that's > necessarily a > >> > bad idea, but not at the expense of removing support for uncompressed > >> > points. If you wanted to remove the supported point format > extension, I > >> > guess you could mandate support for both compressed and > uncompressed (and > >> > hybrid?). > >> > >> There is a large body of code that doesn't support TLS 1.3 as well. > >> > > >> > As a second item, I would estimate the chance we're going to see > compressed > >> > points in X509 certificates as a regular thing prior to about 10 > years from > >> > now as very small, meaning that any general transition to EC > based suites is > >> > going to require uncompressed point support. > >> > >> Yes, but uncompressed points are not a security concern in X509, > but they are in ECDH. Furthermore, the cost of adding compression > support is very small: it's a square root, a check, and potentially > flipping the sign. The benefit is that invalid point attacks are much > harder to carry out. > >> > >> > > >> > Lastly, while the base IPR for point compression seems to be no > longer of > >> > concern, I've still been told to avoid it for a few more years due to > >> > implementation patents related to compression. I'm not sure how > worrisome > >> > that is, but its one of the reasons that binary curves aren't in > broader use > >> > still. > >> > > >> > Just my $.02 > >> > > >> > Mike > >> > > >> > > >> > > >> > For RFC 4492-bis, we might also consider requiring support for > compressed > >> > points as well as uncompressed (already required) but this seems > like a > >> > separable issue, since it's mostly in service of optimization > rather than > >> > simplicity. > >> > > >> > What do people think? > >> > -Ekr > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > _______________________________________________ > >> > TLS mailing list > >> > TLS@ietf.org <mailto:TLS@ietf.org> > >> > https://www.ietf.org/mailman/listinfo/tls > >> > > >> > > >> > > >> > _______________________________________________ > >> > TLS mailing list > >> > TLS@ietf.org <mailto:TLS@ietf.org> > >> > https://www.ietf.org/mailman/listinfo/tls > >> > > >> > >> -- > >> "Those who would give up Essential Liberty to purchase a little > Temporary Safety deserve neither Liberty nor Safety." > >> -- Benjamin Franklin > >> > >> > >> > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org <mailto:TLS@ietf.org> > >> https://www.ietf.org/mailman/listinfo/tls > > > > > > > > -- > > email: rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: > rstruik > > cell: +1 (647) 867-5658 | US: +1 (415) 690-7363 > -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Hubert Kario
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Yoav Nir
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Dan Harkins
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Jeffrey Walton
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Bodo Moeller
- Re: [TLS] Should we require compressed points Viktor Dukhovni
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Michael StJohns