[TLS] CPU cost of 1RTT handshake

Watson Ladd <watsonbladd@gmail.com> Sun, 10 August 2014 20:35 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/U1R8HanKoVloGynU0ZOYdTwCf2A

Dear all,

Right now, instead of the server defining the group to be used and
sending a key in the group, the client computes multiple keys, and the
server selects one. This is very bad for embedded devices with
constrained CPU, especially if they are connecting to a server over
high-latency, low-bandwidth links.

The justification for the current behavior is similarity to 0-RTT. But
I'm not convinced that this actually makes the protocol or
implementations any simpler, and it has real costs for many devices
that will otherwise not adopt TLS or try to invent their own encrypted

Watson Ladd