IETF Logo Mail Archive

Re: [TLS] Curve25519 in TLS and Additional Curves in TLS

Manuel Pégourié-Gonnard <mpg@polarssl.org> Thu, 23 January 2014 00:22 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E41181A01D6 for <tls@ietfa.amsl.com>; Wed, 22 Jan 2014 16:22:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.994
X-Spam-Level:
X-Spam-Status: No, score=0.994 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RELAY_NODNS=1.451, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.793] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgmqfEICDmFj for <tls@ietfa.amsl.com>; Wed, 22 Jan 2014 16:22:46 -0800 (PST)
Received: from mordell.elzevir.fr (unknown [IPv6:2001:4b98:dc0:41:216:3eff:feeb:c406]) by ietfa.amsl.com (Postfix) with ESMTP id DE3861A01A5 for <tls@ietf.org>; Wed, 22 Jan 2014 16:22:45 -0800 (PST)
Received: from thue.elzevir.fr (thue.elzevir.fr [88.165.216.11]) by mordell.elzevir.fr (Postfix) with ESMTPS id 93E6A16431 for <tls@ietf.org>; Thu, 23 Jan 2014 01:22:44 +0100 (CET)
Received: from [192.168.0.124] (unknown [192.168.0.254]) by thue.elzevir.fr (Postfix) with ESMTPSA id 8F2CE2986C for <tls@ietf.org>; Thu, 23 Jan 2014 01:22:42 +0100 (CET)
Message-ID: <52E060D0.9030801@polarssl.org>
Date: Thu, 23 Jan 2014 01:22:40 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.1.1
MIME-Version: 1.0
To: tls@ietf.org
References: <87ob3456s1.fsf@latte.josefsson.org> <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com>
In-Reply-To: <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2014 00:22:47 -0000

On 22/01/2014 22:16, Robert Ransom wrote:
> * The draft still specifies a big-endian point format.  What is the
> technical benefit of requiring every TLS implementation which uses one
> of the existing efficient, secure implementations of Curve25519
> Montgomery-form scalar multiplication to reverse the byte order of its
> input and output?  (Note that people want to use Curve25519 in TLS
> because of those existing implementations, so deliberately breaking
> compatibility with them seems especially unwise.)
> 
I have no objection to changing the byte ordering if nobody speaks up for
big-endian in the next few days.

> * The draft should specify that implementations MUST discard (i.e. set
> to zero) the most significant bit of a received public key, for two
> reasons: (a) Existing Curve25519 scalarmult implementations differ in
> their handling of inputs with that bit set, and could be distinguished
> by an active attacker using that difference.

I wasn't aware that some implementations ignored the most significant bit. Out
of curiosity, could you cite examples?

One of the "selling points" of Curve25519 is that no public key validation is
needed, so I find it quite unfortunate that after all there is something to do
when receiving public keys.

> (b) Future specifications
> may wish to include the sign bit of an Edwards-form x coordinate in a
> Curve25519 point format for use with other protocols (e.g. Schnorr
> signature, Ace) without breaking backwards compatibility with use in
> ECDH.
> 
This is a serious concern indeed. By the way, there was another issue under
discussion that is related: should the point format be just the 32 bytes, or
should we use a leading byte to follow the existing practice from X9.62, as Salz
Rich suggested? If we use a leading byte, maybe it's better to have two formats,
one for "x coordinate only", one for "y + bit sign of x"?

> * The draft does not specify the curve equation of Curve25519 or the
> basepoint for use in ECDH.
> 
Of course it's no problem to add it. Do you think we should explain the
arithmetic too (Montgomery ladder + differential addition formulas)?

> * The ‘Security Considerations’ section suggests that Curve25519 can
> be implemented securely using bignum libraries which leak information
> about the numbers they operate on to a side-channel attacker, as long
> as the internal projective representation of each point is randomized.
>  Has this proposed side-channel countermeasure been evaluated?  If so,
> which types of information leakage does the countermeasure render
> harmless?
> 
I'm not aware of any specific analysis of this countermeasure for this type of
curves.

> * The draft claims that every curve listed in RFC 4492 whose name ends
> in “k1” is defined over a binary (characteristic 2) field.  This is
> false: RFC4492 defines several GLV curves over prime fields (e.g.
> ‘secp256k1’), and their names also end in “k1”.
> 
Right, this should have been corrected already.

Manuel.

v2.23.0 | Report a Bug | By Email