Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
Watson Ladd <watsonbladd@gmail.com> Mon, 13 January 2014 03:23 UTC
On Sat, Jan 11, 2014 at 8:32 AM, Simon Josefsson <simon@josefsson.org> wrote:
> Dear WG,
>
> I may have missed to announce this document before, since some people
> appear to have missed it. This email is an attempt to introduce the
> draft to the TLS WG properly.
>
> This draft started out as specifying Curve25519 ECDHE key agreement for
> TLS, back in September. Manuel Pegourie-Gonnard jumped in as co-author
> and has added details on public/private key representation, shared
> secret computation, and test vectors, for the -02 draft.
>
> In the latest -03 version of the draft, I have changed the document to
> specify EC Named Curve code points for all "additional elliptic curves"
> (i.e., Curve25519, E382, M383, Curve3617, M511, E521). Some of the
> Curve25519-related text may no longer be applicable to all curves, but
> hopefully that can be fixed later on.
>
> The latest draft is here:
> http://tools.ietf.org/html/draft-josefsson-tls-curve25519-03
>
> The additional curves come from the following CFRG draft, and my current
> thinking is that our draft (for TLS) would stay in sync with the list of
> curves in the CFRG document.
>
> http://tools.ietf.org/html/draft-ladd-safecurves-02
>
> We'd appreciate general feedback on the draft, especially if there is
> any interest in adopting this document, and particular feedback on the
> following points:
>
> 1) Do we need all these curves defined for TLS? What is the selection
> criteria for including/excluding some of the curves? Is that a TLS
> process, or a CFRG process?

It's unclear. Eric Rescorla (in a cousin n-removed from this email) seems to think that CFRG should do it, but unless he asks the CFRG chairs there doesn't seem to be a process for this conversation to happen. Part of the reason is that Curve25519 is secure, so in some sense there is nothing to discuss on the CFRG end. It comes down to "what should be supported" and efficiency argues Curve25519 should be in the mix.

The easiest solution is for someone to ask if anyone disagrees, and if no one does, consider the security conversation over.

>
> 2) Does description of private/public key representation and computation
> of shared secret belong in draft-josefsson-tls-curve25519? It has to
> be somewhere, I believe, but possibly this could go into
> draft-ladd-safecurves, or some other generic document, unless there
> are TLS-specific aspects. Insight into this would be appreciated.

It looks good, but the specification should ideally be in the draft or cited in an informative RFC. draft-ladd aims to completely specify what is exchanged, and so is a better (IMHO) source for the normative part than the curve25519 paper. Worst case you can write something close to the specification section of "Cryptography in NaCl" or "Curve25519: New Diffie-Hellman Speed Records" in the case draft-ladd fails to progress.

Sincerely,
Watson Ladd

>
> Cheers,
> /Simon
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin