IETF Logo Mail Archive

Re: [TLS] Should we require compressed points

Rene Struik <rstruik.ext@gmail.com> Wed, 22 October 2014 20:24 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A3F61A03A0 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 13:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_46=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7td9Uwmfz5xy for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 13:24:38 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C7581A0263 for <tls@ietf.org>; Wed, 22 Oct 2014 13:24:38 -0700 (PDT)
Received: by mail-ig0-f171.google.com with SMTP id l13so85789iga.4 for <tls@ietf.org>; Wed, 22 Oct 2014 13:24:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=bUMUzd7hrdnT9FbNAWnFbkO2XL5AcunZenskkc/ZKVU=; b=SSKwmonJfe1Rno5TWNlgD64kseV1uG54DUahKDvS2ZSH/7eA1FxQs05Qjs6kMQ1ioO A+rKfQI3N/acgmbw6jXBY3DLQNA9Hyz/7DxHc37J5E7AP+K38kkhAaNVFWOIK/Bx/AwM rxN89UeUC1ngTLNR/pwHI9/ewz2r/mrAU+MbChTHl9ewhYZVgizKrPXPDLTvVmj98OKa WJ28M5mV3s4Nrkgg4UAFaryTCYTbYPv7bnV4/4gETX1kf8RvyeMXx4GLwtLIqICxMh3N Eh6lbnZ3/Ws3swyNNL0XjcfXbc/Lm6PRYMJxStbS7cdmyPG79KpSw0L/6ouI/Yu6Geg4 zmkg==
X-Received: by 10.50.79.232 with SMTP id m8mr37247920igx.11.1414009477104; Wed, 22 Oct 2014 13:24:37 -0700 (PDT)
Received: from [192.168.0.10] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id y64sm8000647iod.0.2014.10.22.13.24.36 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Oct 2014 13:24:36 -0700 (PDT)
Message-ID: <54481274.2020008@gmail.com>
Date: Wed, 22 Oct 2014 16:24:20 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>
References: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com> <544677AE.4000005@nthpermutation.com> <CACsn0cnbgHbkdpcoUYfrkzCWkB-XS6ZFD7F96bWHsU+tiLRCGg@mail.gmail.com> <5447E307.3010104@gmail.com> <CACsn0c=xkw24PJjEw+GZaQPAT-mRT24FkndfPU=jzHkkyrOnwA@mail.gmail.com>
In-Reply-To: <CACsn0c=xkw24PJjEw+GZaQPAT-mRT24FkndfPU=jzHkkyrOnwA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070107000000020604040400"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/G-J_0j0AdM3gXogeixJVNwLacIo
Cc: tls@ietf.org
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 20:24:41 -0000

Hi Watson:

Your argument seems to be biased towards x-coordinate only calculations. 
There may very well be good reasons for implementations using the 
y-coordinate of a received point in their implementation as well, in 
which case forcing those to incur a ~10% of scalar multiply performance 
hit by offering only compressed objects seems to be somewhat brutal.

Best regards, Rene

On 10/22/2014 2:52 PM, Watson Ladd wrote:
>
>
> On Oct 22, 2014 10:02 AM, "Rene Struik" <rstruik.ext@gmail.com 
> <mailto:rstruik.ext@gmail.com>> wrote:
> >
> > Hi Watson:
> >
> > I do not understand your statement below: the cost of 
> "decompressing" points may be not that insignificant and, depending on 
> application, one might rather send uncompressed points instead.
> >
> > For simplicity, let us assume a short-Weierstrass curve E with 
> defining equation y^2 = x^3 + a x + b (mod p). (A similar argument 
> holds for other curves, of course.)
> >
> > If one receives an uncompressed alleged point R:=(x,y), one has to 
> check whether this is indeed on the curve E. This comes roughly at 
> cost 2S+1M (where S=squaring; M=multiply).
> > If one receives a compressed point R':=(x,y') and requires the 
> corresponding uncompressed point R, one has to compute a solution y to 
> the equation y^2=alpha, where alpha:=x^3+ax+b (mod p) and (if there is 
> a solution) pick y or p-y, depending on the binary value y'. This 
> comes at roughly cost 1S + 1M+1SQRT (where SQRT=square root).
> >
> > The trade-off here is that point compression slightly saves on 
> communication bandwidth, whereas it does increase computational cost 
> of scalar multiplies.
> > {Rough ballpark for 256-bit curve: 64 octet uncompressed point vs. 
> 32 octet compressed point; curve check uncompressed point roughly 
> <0.2% cost scalar multiply vs. ~10% cost scalar multiply (based on 
> figures I have seen floating around on the cfrg mailing list).}
> >
> > Your suggested "security concern" seems to be that implementers will 
> somehow not perform the curve check (why?) and that, by using point 
> compression, you simply enforce it indirectly (since recomputing the 
> uncompressed point from the compressed one includes checking whether 
> the x-value is indeed the x-coordinate of a possible curve point). For 
> implementers that *do* perform the curve check and do care more about 
> performance than about the 32-octet communication savings, this would 
> present a disadvantage.
>
> Ask Bouncycastle, Apple, and Go why they don't do this check. 
> (Bouncycastle fixed it). The fact is implementations are exploitable 
> as a result of taking shortcuts not revealed in ordinary testing.
>
> Furthermore, x coordinate only is adequate for ECDH and was suggested 
> in the original ECC paper.
>
> >
> > The only case where the latter does not incur such a large 
> performance hit seems to be in cases where scalar multiplication does 
> not use the y-coordinate at all (since then one does not care about y' 
> and simply sees whether alpha is a quadratic residue). This does 
> however restrict implementation freedom.
>
> Brier - Joyce is also slower then table based fixed window methods. 
> Furthermore,  not all curves in TLS are twist secure.
> >
> > If one were to be concerned about implementation attacks, why not 
> have people compute a compressed point R':=(x,y') from a received 
> uncompressed point R:=(x,y) {this simply requires taking y':=y (mod 
> 2), i.e., determining the parity of y} and then do as you suggested.
>
> They could validate the received point instead. Why decompress when 
> you don't have to?
> >
> > Using uncompressed points gives people two mechanisms for preventing 
> invalid point attacks (via curve check or point decompression), at 
> slightly higher communication cost (32 octets) that seems easy to 
> accept in most TLS applications. Allowing freedom to choose either 
> format gives people choice, also on communication cost side, at 
> trivial cost of having a single octet indicator.
> >
> > This leads us back to the representation formats we currently have.
> >
> > Best regards, Rene
> >
> > ==
> >
> > Yes, but uncompressed points are not a security concern in X509, but 
> they are in ECDH. Furthermore, the cost of adding compression support 
> is very small: it's a square root, a check, and potentially flipping 
> the sign. The benefit is that invalid point attacks are much harder to 
> carry out.
> >
> > On 10/22/2014 12:11 PM, Watson Ladd wrote:
> >>
> >> On Tue, Oct 21, 2014 at 8:11 AM, Michael StJohns 
> <msj@nthpermutation.com <mailto:msj@nthpermutation.com>> wrote:
> >> > On 10/21/2014 10:52 AM, Eric Rescorla wrote:
> >> >
> >> > https://github.com/tlswg/tls13-spec/issues/80
> >> >
> >> > Today we discussed the possibility of requiring support for 
> compressed
> >> > points
> >> > in TLS 1.3 now that the IPR has expired.
> >> >
> >> > Specifically, I propose that for TLS 1.3, we:
> >> >
> >> > - Use only compressed points for the existing curves (and presumably
> >> > whatever superior format is defined for the CFRG-recommended
> >> > curves, as appropriate).
> >> >
> >> > - Deprecate the Supported Point Formats extension for TLS 1.3
> >> >
> >> >
> >> > I'm pretty much opposed to the former and I guess by extension 
> the latter.
> >> >
> >> > There's a very large body of code that doesn't support anything 
> except type
> >> > 0x04(uncompressed) X9.63 point encodings. If you want to add 
> support for
> >> > compressed points (or hybrid compressed), I don't think that's 
> necessarily a
> >> > bad idea, but not at the expense of removing support for uncompressed
> >> > points. If you wanted to remove the supported point format 
> extension, I
> >> > guess you could mandate support for both compressed and 
> uncompressed (and
> >> > hybrid?).
> >>
> >> There is a large body of code that doesn't support TLS 1.3 as well.
> >> >
> >> > As a second item, I would estimate the chance we're going to see 
> compressed
> >> > points in X509 certificates as a regular thing prior to about 10 
> years from
> >> > now as very small, meaning that any general transition to EC 
> based suites is
> >> > going to require uncompressed point support.
> >>
> >> Yes, but uncompressed points are not a security concern in X509, 
> but they are in ECDH. Furthermore, the cost of adding compression 
> support is very small: it's a square root, a check, and potentially 
> flipping the sign. The benefit is that invalid point attacks are much 
> harder to carry out.
> >>
> >> >
> >> > Lastly, while the base IPR for point compression seems to be no 
> longer of
> >> > concern, I've still been told to avoid it for a few more years due to
> >> > implementation patents related to compression. I'm not sure how 
> worrisome
> >> > that is, but its one of the reasons that binary curves aren't in 
> broader use
> >> > still.
> >> >
> >> > Just my $.02
> >> >
> >> > Mike
> >> >
> >> >
> >> >
> >> > For RFC 4492-bis, we might also consider requiring support for 
> compressed
> >> > points as well as uncompressed (already required) but this seems 
> like a
> >> > separable issue, since it's mostly in service of optimization 
> rather than
> >> > simplicity.
> >> >
> >> > What do people think?
> >> > -Ekr
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > TLS mailing list
> >> > TLS@ietf.org <mailto:TLS@ietf.org>
> >> > https://www.ietf.org/mailman/listinfo/tls
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > TLS mailing list
> >> > TLS@ietf.org <mailto:TLS@ietf.org>
> >> > https://www.ietf.org/mailman/listinfo/tls
> >> >
> >>
> >> --
> >> "Those who would give up Essential Liberty to purchase a little 
> Temporary Safety deserve neither Liberty nor Safety."
> >> -- Benjamin Franklin
> >>
> >>
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org <mailto:TLS@ietf.org>
> >> https://www.ietf.org/mailman/listinfo/tls
> >
> >
> >
> > --
> > email: rstruik.ext@gmail.com <mailto:rstruik.ext@gmail.com> | Skype: 
> rstruik
> > cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email