Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
Robert Ransom <rransom.8774@gmail.com> Fri, 24 January 2014 21:18 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53EF91A01E6 for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 13:18:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.45
X-Spam-Level:
X-Spam-Status: No, score=-1.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXZavIZAKiiK for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 13:18:01 -0800 (PST)
Received: from mail-qc0-x22f.google.com (mail-qc0-x22f.google.com [IPv6:2607:f8b0:400d:c01::22f]) by ietfa.amsl.com (Postfix) with ESMTP id DF5491A01CA for <tls@ietf.org>; Fri, 24 Jan 2014 13:18:00 -0800 (PST)
Received: by mail-qc0-f175.google.com with SMTP id x13so5057313qcv.6 for <tls@ietf.org>; Fri, 24 Jan 2014 13:17:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=wdKGQm5eKebIAE/EUJKWBSzHWLHvD6qIPx1usI0YIqM=; b=SHyAgeLlHIAzRz6NzNL+x/6XGFCYVhoyjn5RT+Xnq7+CA49/nnlfPER4SO9LznrwoO 9zZqLxX+U3gUDEDm4C+Os+PoMC5AzPivbCL7M2uTEemsDE7HH0aLcXsHXr3SgsatzrED eJ1cxddgyPbpXT1Ynoj67m7CKoIoGKlK+8Pa4et7UKMbG5BPjP1veoau1SqmxjwCKVxy Q6lOuDzy7iMMQYnNhs9SCrtJtc8TV6D6t9DtKyJGt/mvyuvQTEvg27PuIXO4YUHFj/kj kEQOwd3s6fNhnHSdDyv8MebF/wdxr9nz3gY/BmCIlzz3xrcAOEffvFhhr7Ueok7GtVpH UwNw==
MIME-Version: 1.0
X-Received: by 10.224.111.195 with SMTP id t3mr24162988qap.2.1390598279460; Fri, 24 Jan 2014 13:17:59 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Fri, 24 Jan 2014 13:17:59 -0800 (PST)
In-Reply-To: <52E2B5C7.5040600@polarssl.org>
References: <87ob3456s1.fsf@latte.josefsson.org> <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com> <52E060D0.9030801@polarssl.org> <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com> <52E0E241.40406@polarssl.org> <CABqy+sqs31ATDWJSum55m1o5pRvw8Wq5GtB-mF-hgP2emB5eFQ@mail.gmail.com> <52E2B5C7.5040600@polarssl.org>
Date: Fri, 24 Jan 2014 13:17:59 -0800
Message-ID: <CABqy+soNQu9Jyx24S2rO885MpwGTuEmb2d8jzWsCXqzroAP-qg@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2014 21:18:02 -0000
On 1/24/14, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote: > On 23/01/2014 20:45, Robert Ransom wrote: >> Remember that what Dr. Bernstein refers to as ‘public key validation’ >> in the Curve25519 paper is considerably more expensive than one >> bitwise AND: >> [...] > > Sure.. Another point I thought about in the meantime is that the security > consequences of not doing that check are minimal for Curve25519 > (implementation > fingerprinting) as opposed to short Weierstrass curves with (x, y) > coordinate > (small subgroup attack). Yes. >> If you add a leading byte as an extension hook *and* specify an >> ECPointFormat value for the current ‘Montgomery-form x’ point format, >> current implementations can refuse to receive point formats which they >> won't understand. > > Haha, I think I finally understood. You're referring to this paragraph of > the > draft, right? Yes, I am. > Since only one point format can be used with Curve25519, which is > distinct from the formats used by short Weierstrass curves, the > contents of the "Supported Point Formats" extension is irrelevant for > this curve. > > Yes, if we add a leading byte, and we want to be able to use other formats > (hence other leading bytes) with Curve25519 in TLS in the future, then this > phrase should be removed and a new ECPointFormat value requested from IANA. Yes. >> If you don't add a leading byte, I think the ECPoint length byte can >> still be used as an adequate extension mechanism for future non-ECDH >> protocols. >> > As long as there is no more than one future format mapping to the same > length. > Eg, is for some reason some people want to send > >> I agree, but future implementations should be allowed to send an >> uncompressed second coordinate without breaking compatibility with >> implementations of this protocol. What I'm suggesting is that (a) >> current implementations send 32-byte points; (b) current >> implementations accept both 32-byte and 64-byte point objects, and >> ignore the second half of a 64-byte point. >> > That's an option too, but compared to a leading byte, it doesn't allow to > define > two different 64-byte point formats in the future, right? So maybe the > leading > byte (with ECPointFormat negociation) is the most future-proof way. Yes. (Even though I am now convinced that there is only one reasonable choice for the other coordinate for Curve25519.) Robert Ransom
- [TLS] Curve25519 in TLS and Additional Curves in … Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… James Cloos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Bill Frantz
- Re: [TLS] Curve25519 in TLS and Additional Curves… Kurt Roeckx
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Daniel Kahn Gillmor
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Yoav Nir
- Re: [TLS] Curve25519 in TLS and Additional Curves… Fabrice
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard