Re: [TLS] Curve25519 in TLS and Additional Curves in TLS

Watson Ladd <watsonbladd@gmail.com> Wed, 09 April 2014 15:00 UTC

From: Watson Ladd <watsonbladd@gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Wed, 09 Apr 2014 08:00:40 -0700
Message-ID: <CACsn0ckyaGO9hqn7pDVE2VR-TWs5v+Y6NsnCqCvrwFGyUGfZ3A@mail.gmail.com>
In-Reply-To: <1397048457.4019.22.camel@dhcp-2-127.brq.redhat.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/G437jXUN6RrumZgZWooWixc3GxQ

On Wed, Apr 9, 2014 at 6:00 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
> On Wed, 2014-04-09 at 13:17 +0100, Alyssa Rowan wrote:
>
>> > I believe you have already made your point several times. I think it is
>> > important to see comments from people who plan or work on implementing
>> > this draft, how each format affects them and whether there is a need
>> > for little-endian.
>> Don't we already seem to have consensus on little-endian, and that is what will be in the revised draft-04?
>
> I believe that you summarized the issue very nicely in a previous
> e-mail, but my reading of having a consensus for little-endian is
> different than yours.
>
> As far as I am concerned, I do not see why an implementation which will
> not use the existing code, must treat the endianness of points from
> curve25519 differently than the points of any other curve in TLS. In any
> case, the arguments are already presented and that's what I mentioned to
> Rich. I think we need more input from other people who plan or are
> already implementing this curve in TLS.

Your code should not use the bignum library you already have. It
should call into libnacl or the guts that are in libsodium, both quite
liberally licensed.

This is because DJB writes and distributes perfect code, and you do
not. Your bignum implementation has data-dependent branches and so
leaks information to an attacker on the same hardware, as well as
taking different times depending on branch state. If particularly bad,
you have data dependent loops in reduction modulo a prime. libnacl
avoids all these problems.

In fact, because you are the GnuTLS developer, I know exactly what
your bignum library, gmp does. And it isn't pretty: operations can
take different paths depending on argument size, which includes
lopping off zero limbs. Modulo is computed by division, which involves
an instruction that is notoriously variable-time on many
architectures.

Your bignum implementation is also slow. This is because it has to
permit arbitrary chains of addition between multiplications, which
don't happen in ECC. As a result it needs to reduce each sum, which is
unnecessary and slow. The libnacl implementations defer this reduction
until the end, and partially reduce products for additional speed,
taking advantage of the prime.

The gap between the implementation you will write, and the
implementation you can just use, in security, speed, and safety, is
enormous.

If you do decide to persist in this folly, reversing the bytes won't
stop you, sadly. But I wish it could.

Sincerely,
Watson Ladd

>
> regards,
> Nikos
-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
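The message above argues two things that are easier to see in code than in prose: a general-purpose bignum library reduces modulo p with comparisons and divisions whose control flow depends on the secret operand, while the libnacl-style implementations do the same amount of work for every input; and the little-endian encoding the draft settled on is simply the byte-reversal of the big-endian encoding the other TLS curves use. The following is an added illustration, not code from the thread, from GnuTLS, gmp, libnacl or libsodium. It assumes a 255-bit field element held as four little-endian 64-bit limbs (`fe`), uses the Curve25519 prime p = 2^255 - 19, and restricts itself to the final "subtract p if x >= p" step for inputs below 2p; the function names and the constructed test vectors in `selftest` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the thread, GnuTLS, libnacl or libsodium).
 * A 255-bit field element is four little-endian 64-bit limbs; P25519 is
 * the Curve25519 prime 2^255 - 19. */
#define LIMBS 4
typedef uint64_t fe[LIMBS];

static const fe P25519 = { 0xFFFFFFFFFFFFFFEDULL, 0xFFFFFFFFFFFFFFFFULL,
                           0xFFFFFFFFFFFFFFFFULL, 0x7FFFFFFFFFFFFFFFULL };

/* "Before": final reduction x -> x mod p for x < 2p, written the way a
 * general-purpose bignum library would. The compare loop exits at the
 * first differing limb and the subtraction runs only when x >= p, so
 * running time and branch history depend on the secret value. */
void reduce_vartime(fe x)
{
    int ge = 1;                              /* x >= p ? */
    for (int i = LIMBS - 1; i >= 0; i--) {
        if (x[i] > P25519[i]) { ge = 1; break; }
        if (x[i] < P25519[i]) { ge = 0; break; }
    }
    if (!ge) return;
    uint64_t borrow = 0;
    for (int i = 0; i < LIMBS; i++) {
        uint64_t t = x[i] - P25519[i] - borrow;
        borrow = (x[i] < P25519[i] || (x[i] == P25519[i] && borrow)) ? 1 : 0;
        x[i] = t;
    }
}

/* "After": the same reduction with no secret-dependent branch. Always
 * compute d = x - p, derive the final borrow arithmetically, and select
 * d or x with a mask. The work done is identical for every input. */
void reduce_ct(fe x)
{
    fe d;
    uint64_t borrow = 0;
    for (int i = 0; i < LIMBS; i++) {
        uint64_t r = x[i] - P25519[i] - borrow;
        /* full-subtractor borrow-out, read from the top bit */
        borrow = ((~x[i] & P25519[i]) | (~(x[i] ^ P25519[i]) & r)) >> 63;
        d[i] = r;
    }
    uint64_t keep_x = 0 - borrow;            /* all ones iff x < p */
    for (int i = 0; i < LIMBS; i++)
        x[i] = (x[i] & keep_x) | (d[i] & ~keep_x);
}

/* Wire encodings. Little-endian is the Curve25519 convention discussed in
 * the thread; big-endian is what the other TLS curves use. They are the
 * same 32 bytes in reverse order, nothing more. */
void fe_to_le_bytes(const fe x, uint8_t out[32])
{
    for (int i = 0; i < LIMBS; i++)
        for (int j = 0; j < 8; j++)
            out[8 * i + j] = (uint8_t)(x[i] >> (8 * j));
}

void fe_to_be_bytes(const fe x, uint8_t out[32])
{
    uint8_t le[32];
    fe_to_le_bytes(x, le);
    for (int i = 0; i < 32; i++) out[i] = le[31 - i];
}

/* Constructed self-check; returns 1 when every case behaves as expected. */
int selftest(void)
{
    /* (input, expected) pairs: p + 5, p - 1, and 2^255 - 1 = p + 18 */
    const uint64_t cases[3][2][LIMBS] = {
        { { 0xFFFFFFFFFFFFFFF2ULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL }, { 5, 0, 0, 0 } },
        { { 0xFFFFFFFFFFFFFFECULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL },
          { 0xFFFFFFFFFFFFFFECULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL } },
        { { ~0ULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL }, { 18, 0, 0, 0 } },
    };
    for (int c = 0; c < 3; c++) {
        fe a, b;
        memcpy(a, cases[c][0], sizeof(fe));
        memcpy(b, cases[c][0], sizeof(fe));
        reduce_vartime(a);
        reduce_ct(b);
        if (memcmp(a, cases[c][1], sizeof(fe)) || memcmp(b, cases[c][1], sizeof(fe)))
            return 0;
    }
    fe one = { 1, 0, 0, 0 };
    uint8_t le[32], be[32];
    fe_to_le_bytes(one, le);
    fe_to_be_bytes(one, be);
    return le[0] == 1 && le[31] == 0 && be[31] == 1 && be[0] == 0;
}

int main(void)
{
    printf("selftest: %s\n", selftest() ? "ok" : "FAIL");
    return 0;
}
```

Both reduction functions give the same answers; the difference is only in what an observer on the same hardware can learn. The mask idiom in `reduce_ct` is branch-free at the C level, and a compiler can still turn a mask select back into a conditional jump, which is why the implementations the message recommends are checked at the generated-code level rather than trusted from source. The encoding helpers show why the endianness question is orthogonal to the side-channel one: whichever byte order the draft picks, the arithmetic underneath is what decides whether the implementation leaks.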