IETF Logo Mail Archive

Re: [TLS] Why Edwards? (was Re: TLS process thread)

Russ Housley <housley@vigilsec.com> Mon, 14 April 2014 15:50 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B877E1A04AE for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 08:50:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oqr6hiB43eQ4 for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 08:50:11 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [209.135.209.4]) by ietfa.amsl.com (Postfix) with ESMTP id EAF2E1A04D2 for <tls@ietf.org>; Mon, 14 Apr 2014 08:50:10 -0700 (PDT)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id 03537F3C03C; Mon, 14 Apr 2014 11:49:59 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id s0lOJob43E5i; Mon, 14 Apr 2014 11:49:37 -0400 (EDT)
Received: from [192.168.2.100] (pool-96-241-160-129.washdc.fios.verizon.net [96.241.160.129]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id C6131F3C036; Mon, 14 Apr 2014 11:49:37 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="us-ascii"
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CACsn0cnVSVOht2OVKSQOrX-hSTO=7_h0KY5SbQ_5ZVOueJWWfw@mail.gmail.com>
Date: Mon, 14 Apr 2014 11:49:26 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <44747264-0367-49BD-AFC7-BB35AEDA12A6@vigilsec.com>
References: <CACsn0cn1EBhtvtq4X3J0h1TUq5nGvRyP818oY4rhqfqJA4aELg@mail.gmail.com> <93DF63D4-B003-4B9D-9D55-E3F065724081@vigilsec.com> <CACsn0cnVSVOht2OVKSQOrX-hSTO=7_h0KY5SbQ_5ZVOueJWWfw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.1085)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/QV-CmZ6zKggKwqQHGiIQL7pYdq4
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Why Edwards? (was Re: TLS process thread)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 15:50:15 -0000

> On Mon, Apr 14, 2014 at 7:48 AM, Russ Housley <housley@vigilsec.com> wrote:
>> 
>>> On Sun, Apr 13, 2014 at 11:24 PM, Dan Harkins <dharkins@lounge.org> wrote:
>>>> 
>>>> On Sun, April 13, 2014 10:44 pm, Watson Ladd wrote:
>>>>> That's going to be a pretty big change from RFC 5246. Trying to keep
>>>>> the textual changes minimal probably a lost cause at this point, and
>>>>> will hurt, rather than help clarity. This is before we try to reduce
>>>>> round-trips, eliminate unused ciphersuites, introduce the Edwards
>>>>> curves (necessary for security because people do not write perfect
>>>>> code, even when they should), and ensure that what we write matches
>>>>> what we prove (because as I'm sure you know from my opposition to
>>>>> Dragonfly, I do not support mechanisms that are not shown to be secure
>>>>> from well picked assumptions)
>>>> 
>>>> Really? And Edwards curves will necessarily result in perfect code?
>>>> Certainly not as a result of draft-ladd-safecurves! So what assures
>>>> perfection in Edwards curves implementations then?
>>> 
>>> Nothing: you can always do something stupid that leaks information.
>>> But on a Weierstrass curve, to add two points you have to
>>> 0: Be assured they are on the curve
>>> 1: Check that both are not the identity
>>> 2: Check they are not the same (and if so double them instead)
>>> 3: Check they are not inverses of each other
>>> 4: Add them
>>> 
>>> Doing this without branching is hard. Furthermore, to avoid leaking
>>> information about the top bit of your exponent, you need to either
>>> massage the exponent representation or do dummy calculations, along
>>> with tracking when to start doing the real calculations.
>>> 
>>> I've written constant time P256 code. It wasn't easy, and there is one
>>> particular exponent that will not get handled correctly (namely the
>>> group order, which is fine because I'm doing ECDH with random secret
>>> keys, and signature verification runs in not constant time). RFC 6090
>>> gets this completely wrong.
>>> 
>>> By contrast on Edwards curves, there are no cases to consider: there
>>> is only a formula that holds true for all cases. There can be no curve
>>> checks: via compression we ensure that all considered points are on
>>> the curve. There are no side channels at this level if you use a
>>> masked table load, as there are no branches. It's significantly easier
>>> to write the code and reason about it: naive double and add will work.
>>> 
>>> The same holds true for Montgomery curves, which is why the Curve25519
>>> has attracted a lot of interest.
>>> 
>>> Of course, you could always suggest text to be added to
>>> draft-ladd-safecurves or write one yourself on implementation of these
>>> curves if you are dissatisfied with it. You could always write your
>>> own draft if you had an alternative approach to presenting them.
>>> 
>>> Sincerely,
>>> Watson Ladd
>> 
>> 
>> Watson:
>> 
>> One thing that I like about the Weierstrass form is that we already have a lot of code that uses it.
>> 
>> Unfortunately, the NIST Prime Curves do not transform onto Edwards for because they are co-factor 1, and Edwards curves are co-factoer 4. There are many people that will want FIPS 140 certification of their implementations, so we need to find a way to accommodate the NIST Prime Curves even if they are not the default curve.
> 
> I'm not suggesting we throw out short Weierstrass. I'm saying that
> Edwards curves need to be a viable alternative for people who don't
> want the extra complexity and lower performance of short Weierstrass.
> But yes, the low round trip handshake does have its own requirement on
> a few commonly supported curves or else the initial offering will be
> rejected unnecessarily.
> 
> Having separate curve specific implementations is necessary anyway for
> optimal performance as the primes are different and the performance
> characteristics of fields change as you increase the size. Kasper's
> P224 and AGL's P256 use different radices. Embedded implementations
> can pick one curve and stick with it, and use generic bignums (with
> some care to avoid timing issues).
> 
> Adding Edwards curves to a Weierstrass implementation can be as small
> as writing a new add and double function, each of about 20 indirect
> calls, if the implementation was highly generic in the first place. If
> not, you have to recode and rename more functions.
> 
> Sincerely,
> Watson Ladd


Watson:

As you say, code optimization is a curve-specific activity.  Some people have spent a fair amount of time to make the modular reduction very efficient for the NIST Prime curves.  If these primes are used in other contexts, then we can continue to use these efficient routines.  Are there other places we can leverage existing efficient code?

Russ

v2.23.0 | Report a Bug | By Email