Re: [TLS] draft-ietf-tls-curve25519-01 and the X25519 significant bit.

Brian Smith <brian@briansmith.org> Tue, 22 December 2015 23:15 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32DE81A92EC for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 15:15:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Go7iYEf4h0y for <tls@ietfa.amsl.com>; Tue, 22 Dec 2015 15:15:39 -0800 (PST)
Received: from mail-oi0-x234.google.com (mail-oi0-x234.google.com [IPv6:2607:f8b0:4003:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDD631A92EA for <tls@ietf.org>; Tue, 22 Dec 2015 15:15:38 -0800 (PST)
Received: by mail-oi0-x234.google.com with SMTP id o62so110748407oif.3 for <tls@ietf.org>; Tue, 22 Dec 2015 15:15:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=p8xWtfFNNxXptAxJ1Et9lWWdBaTMPMERmyQh6lKag+I=; b=DTmww8EzelTPW8PRQkK5d0nBL+8PVF4cn1lx3kDbwJ10jLHL/+OZbkrACDMcSMZXGU TecTR2CAOO58fU28iKYG586AVzE7xEpZWcrAC0WpQ9NHMlYdHtVv3Gq9c70OWODZa3LH uS0CN1PLDuiu7elRXu0yOE6/x2bbwQC5Rs9DRoiXmTEzHqf97ISXRKeYvuhimlOC4l17 aUUrxkPBlv6nfHgu70w+c2/Y4D0UURAIINmkyOfSOpECNwAbB7Wt49NNzPC81aYYuTHj EfWm78r/emukhnqEIh6oFlJAUj7ZVLSmFwgfg82/hJqpimtvzO5+BgHrGwI+O4CrPM3f mU+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=p8xWtfFNNxXptAxJ1Et9lWWdBaTMPMERmyQh6lKag+I=; b=LatvZfDESVT7VpyP5MzraYZYmK3TKw6wLflQ80xPhrcRxLUJkcEyBRZJG7BWYfztzG LQQtM3FNFoucU8VMwh/l9OTa1a8xqvLV6x07wUj/2BPUjkNBoOT3M6IHmdM7YbKnY+LU wBPF+Apglkk/i4giSaaT75lQlWxlSQ9Yv2TX2cdReIhhPCc1V3U0JFgKq56yZ4gPcHOT DZt+0XaLZXwmIWnDAGUUzPpV+spSQschAJIgl7W3kPaEFzNTT7yQ4Ftt4piumL797BXO /wN7Cc4twyQlnPCqQjDUdiODsI5/t40xnYsKwBwXUrwpM675xKHIEueYLUaAlBK4EtKb xC1Q==
X-Gm-Message-State: ALoCoQlkByclkXAdt3tGNax/Di7pP57/7ryNWOYSbIJiDFRWNG3TUCyw1LIVYLSE/8NTuwdEwo0WtD/rAHxIWBpL6dClWu211Q==
MIME-Version: 1.0
X-Received: by 10.202.189.7 with SMTP id n7mr12079371oif.55.1450826138216; Tue, 22 Dec 2015 15:15:38 -0800 (PST)
Received: by 10.76.62.8 with HTTP; Tue, 22 Dec 2015 15:15:38 -0800 (PST)
In-Reply-To: <CAMfhd9WxSubu2dy9=RO94NSemzaRfr0TRoYGD7DS9L-9XdK=QA@mail.gmail.com>
References: <CAMfhd9XDfwmoze+BdFVedhCGDQRNbL63ZT=KZc-7dEr0UMk4dA@mail.gmail.com> <CAFewVt7A_hBXBNzqaU6cQaU5Ysk86xo+fn69zDOn0oHYPiJazg@mail.gmail.com> <CAMfhd9WxSubu2dy9=RO94NSemzaRfr0TRoYGD7DS9L-9XdK=QA@mail.gmail.com>
Date: Tue, 22 Dec 2015 13:15:38 -1000
Message-ID: <CAFewVt6kn7tVvV51+gm1tuCnitLnLSNTJsOqxNYRLi7zDhag6Q@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Adam Langley <agl@imperialviolet.org>
Content-Type: multipart/alternative; boundary=001a113d70329989ce052784c8ef
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/R5SextKKXX7Amp-p4k29W9xbtc4>
Cc: Simon Josefsson <simon@josefsson.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-ietf-tls-curve25519-01 and the X25519 significant bit.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2015 23:15:40 -0000

On Tue, Dec 22, 2015 at 11:59 AM, Adam Langley <agl@imperialviolet.org>
wrote:

> You're correct, but I'm trying to say that the CFRG document defines a
> function that operates on bytestrings so that higher-level protocols
> don't have to worry about things like this. I think TLS should handle
> the byte strings opaquely so that we have uniform behaviour for
> X25519/X448 and only a single place where it needs to be tested. The
> behaviour of X25519/X448 for non-reduced values is also specified in
> the CFRG document.
>

I agree with all of that in principle. In fact, I think that most
of section 2.3 should be removed in deference to the CFRG document, and
only TLS-specific concerns should be given.

I still think there is value in requiring senders to send their public
value in the "normalized" form and for allowing (if not requiring)
receivers to reject, at least, public values >= q, for the reasons I gave
in my previous email. Ideally that would happen in the CFRG document. But,
what is the status of the CFRG document? I've heard that it's past the
point where changes will be accepted.

Cheers,
Brian
-- 
https://briansmith.org/