IETF Logo Mail Archive

Re: [TLS] Curve25519 in TLS and Additional Curves in TLS

Robert Ransom <rransom.8774@gmail.com> Fri, 24 January 2014 21:18 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53EF91A01E6 for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 13:18:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.45
X-Spam-Level:
X-Spam-Status: No, score=-1.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXZavIZAKiiK for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 13:18:01 -0800 (PST)
Received: from mail-qc0-x22f.google.com (mail-qc0-x22f.google.com [IPv6:2607:f8b0:400d:c01::22f]) by ietfa.amsl.com (Postfix) with ESMTP id DF5491A01CA for <tls@ietf.org>; Fri, 24 Jan 2014 13:18:00 -0800 (PST)
Received: by mail-qc0-f175.google.com with SMTP id x13so5057313qcv.6 for <tls@ietf.org>; Fri, 24 Jan 2014 13:17:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=wdKGQm5eKebIAE/EUJKWBSzHWLHvD6qIPx1usI0YIqM=; b=SHyAgeLlHIAzRz6NzNL+x/6XGFCYVhoyjn5RT+Xnq7+CA49/nnlfPER4SO9LznrwoO 9zZqLxX+U3gUDEDm4C+Os+PoMC5AzPivbCL7M2uTEemsDE7HH0aLcXsHXr3SgsatzrED eJ1cxddgyPbpXT1Ynoj67m7CKoIoGKlK+8Pa4et7UKMbG5BPjP1veoau1SqmxjwCKVxy Q6lOuDzy7iMMQYnNhs9SCrtJtc8TV6D6t9DtKyJGt/mvyuvQTEvg27PuIXO4YUHFj/kj kEQOwd3s6fNhnHSdDyv8MebF/wdxr9nz3gY/BmCIlzz3xrcAOEffvFhhr7Ueok7GtVpH UwNw==
MIME-Version: 1.0
X-Received: by 10.224.111.195 with SMTP id t3mr24162988qap.2.1390598279460; Fri, 24 Jan 2014 13:17:59 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Fri, 24 Jan 2014 13:17:59 -0800 (PST)
In-Reply-To: <52E2B5C7.5040600@polarssl.org>
References: <87ob3456s1.fsf@latte.josefsson.org> <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com> <52E060D0.9030801@polarssl.org> <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com> <52E0E241.40406@polarssl.org> <CABqy+sqs31ATDWJSum55m1o5pRvw8Wq5GtB-mF-hgP2emB5eFQ@mail.gmail.com> <52E2B5C7.5040600@polarssl.org>
Date: Fri, 24 Jan 2014 13:17:59 -0800
Message-ID: <CABqy+soNQu9Jyx24S2rO885MpwGTuEmb2d8jzWsCXqzroAP-qg@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2014 21:18:02 -0000

On 1/24/14, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote:
> On 23/01/2014 20:45, Robert Ransom wrote:

>> Remember that what Dr. Bernstein refers to as ‘public key validation’
>> in the Curve25519 paper is considerably more expensive than one
>> bitwise AND:
>> [...]
>
> Sure.. Another point I thought about in the meantime is that the security
> consequences of not doing that check are minimal for Curve25519
> (implementation
> fingerprinting) as opposed to short Weierstrass curves with (x, y)
> coordinate
> (small subgroup attack).

Yes.

>> If you add a leading byte as an extension hook *and* specify an
>> ECPointFormat value for the current ‘Montgomery-form x’ point format,
>> current implementations can refuse to receive point formats which they
>> won't understand.
>
> Haha, I think I finally understood. You're referring to this paragraph of
> the
> draft, right?

Yes, I am.

>    Since only one point format can be used with Curve25519, which is
>    distinct from the formats used by short Weierstrass curves, the
>    contents of the "Supported Point Formats" extension is irrelevant for
>    this curve.
>
> Yes, if we add a leading byte, and we want to be able to use other formats
> (hence other leading bytes) with Curve25519 in TLS in the future, then this
> phrase should be removed and a new ECPointFormat value requested from IANA.

Yes.

>> If you don't add a leading byte, I think the ECPoint length byte can
>> still be used as an adequate extension mechanism for future non-ECDH
>> protocols.
>>
> As long as there is no more than one future format mapping to the same
> length.
> Eg, is for some reason some people want to send
>
>> I agree, but future implementations should be allowed to send an
>> uncompressed second coordinate without breaking compatibility with
>> implementations of this protocol.  What I'm suggesting is that (a)
>> current implementations send 32-byte points; (b) current
>> implementations accept both 32-byte and 64-byte point objects, and
>> ignore the second half of a 64-byte point.
>>
> That's an option too, but compared to a leading byte, it doesn't allow to
> define
> two different 64-byte point formats in the future, right? So maybe the
> leading
> byte (with ECPointFormat negociation) is the most future-proof way.

Yes.  (Even though I am now convinced that there is only one
reasonable choice for the other coordinate for Curve25519.)


Robert Ransom

v2.23.0 | Report a Bug | By Email