Re: [TLS] Channel ID and server load: comment on draft-balfanz-tls-channelid-00

Adam Langley <agl@google.com> Wed, 23 October 2013 18:16 UTC

From: Adam Langley <agl@google.com>
Date: Wed, 23 Oct 2013 14:15:59 -0400
Message-ID: <CAL9PXLxFsEAiNVefdOWHdfiijLwwMuZ4HY7Y3FwTJ83JnPnJhQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Channel ID and server load: comment on draft-balfanz-tls-channelid-00

On Wed, Oct 23, 2013 at 11:21 AM, Adam Langley <agl@google.com> wrote:
> I have not looked into batching ECDSA verifies but [1] seems quite
> clear that it's dealing with unmodified ECDSA signatures (paywalled
> I'm afraid, but the first two pages are free). They report a speedup
> of 2x for batches with multiple signers, which is roughly equal to the
> reported speedup for Ed25519 (273K -> 134K cycles).
>
> [1] http://rd.springer.com/chapter/10.1007%2F978-3-642-31410-0_1

It's been pointed out to me that the technique described in that paper
is broken in [2] (see section 2). So it may well be that ECDSA batch
verification is infeasible.

[2] http://cr.yp.to/badbatch/badbatch-20120919.pdf


Cheers

AGL