Re: [TLS] Should we require compressed points
Michael StJohns <msj@nthpermutation.com> Tue, 28 October 2014 02:07 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4E6B1A1B15 for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 19:07:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_66=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XOMFTiD26YJD for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 19:07:16 -0700 (PDT)
Received: from mail-qc0-f181.google.com (mail-qc0-f181.google.com [209.85.216.181]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 910A01A1B1F for <tls@ietf.org>; Mon, 27 Oct 2014 19:07:15 -0700 (PDT)
Received: by mail-qc0-f181.google.com with SMTP id w7so2304522qcr.26 for <tls@ietf.org>; Mon, 27 Oct 2014 19:07:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=lLI0B85U2rZD0R89mYH5R3Pwqp9Wq0Wru7XWI56pGyc=; b=j7yJj73Jiu7BZw61gpvWme/3LFLXAWIUQXpSeXKwHIMkMRAJjokSf7Iy3bdFo5F6HQ 6Sol8QnTtclv1IbakWCVvgqeQmLa9xg32r74orJYGZnS1xhhcdSOatsItuNwBw838Q4e 9mNfWrn9cf3EgRMJSY9wTYnqy/fr1tplYDxHVdKnTljFUmPfEd/FFFb+HZi47ODpFnbl Lbg3A+8BkBD/lG7QN1yJE01iaJU6gqCkjBWbONXcqrPD34auB4sZwUFVo1NF7n8FFfx7 hikp2fPADJcgdQ98iHDMD7TlaEyFploT/OKA8i2zOCfhSQURm+cCoORkQ/DyEr8iFbTY ZGoA==
X-Gm-Message-State: ALoCoQn2/4+VaxlMWXNUp7NpmsqNhaKV85JHyqwb7A0Cu1uA22DR+I4vh1+Aew089m5ZJuUF9IDW
X-Received: by 10.140.31.139 with SMTP id f11mr490412qgf.30.1414462034503; Mon, 27 Oct 2014 19:07:14 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:e7:4db0:7b95:1f7b:4e12? ([2601:a:2a00:e7:4db0:7b95:1f7b:4e12]) by mx.google.com with ESMTPSA id 94sm171654qgg.33.2014.10.27.19.07.13 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Oct 2014 19:07:14 -0700 (PDT)
Message-ID: <544EFA73.6060206@nthpermutation.com>
Date: Mon, 27 Oct 2014 22:07:47 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C739B9D6102@uxcn10-5.UoA.auckland.ac.nz> <CABcZeBOWR4BVy0e3TY3FVB8wqOwrUgD6OfHLTJS_iXUZv30CsA@mail.gmail.com>
In-Reply-To: <CABcZeBOWR4BVy0e3TY3FVB8wqOwrUgD6OfHLTJS_iXUZv30CsA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060504060605020407080003"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/We3QEZVeEnByomAuVHBgbVFwkeo
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 02:07:22 -0000
On 10/27/2014 6:10 PM, Eric Rescorla wrote: > > > On Wed, Oct 22, 2014 at 3:01 PM, Peter Gutmann > <pgut001@cs.auckland.ac.nz <mailto:pgut001@cs.auckland.ac.nz>> wrote: > > Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> writes: > > >Given that people seem to think that compressed points are > better, I figured > >that was the way to go. If people prefer to just require > uncompressed points > >(at least for the existing X9.63 curves) I could certainly live > with that. > > Uncompressed points have been a MUST in TLS since ECC was > introduced, and are > also a MUST everywhere else. So adding compressed points as a > MUST as well > won't get rid of uncompressed points in any way, it'll just add > more options > that need to be supported. > > > As I said above, I'm principally trying to get rid of negotiation so > we have one > point format for each curve. I could certainly live with requiring > uncompressed > only for the X9.62 curves and then defining a new, cleaner format for the > new CFRG curves. You've said this before and it's unclear that this is the correct approach. Curve25519 has one (or maybe two) representation(s) (public keys are basically Bignums - DJB has the representation as fixed length octet strings representing the little endian encoding - but that seems to be based on his specific implementation - its not required by the math as far as I can tell) - it also doesn't have multiple curve types. NUMS/Edwards curves have another format (I think still undefined). NUMS/Montgomery/X9.62 curves a third (a format byte plus one or two fixed length octet strings representing big endian bignums). The math for each of these is different - the only thing they really share is the name "Elliptic Curve". It's unclear that you gain anything trying to shoehorn all of these into the same overlying structure except a small amount of compression and a large amount of complexity. Think of it this way - if you can combine this to cover all of the various curve structures, why stop there? Why not integrate generic DH for key agreement and RSA and DSA for signatures? Instead, treat each of the different elliptic cryptomath systems as distinct and separate. Define suites that don't require across the board mappings of incompatible data and formats. Retain the pluggability of new systems as units. We've got legacy X9.62 - let's leave it alone. All the stuff that's already defined (suites, formats, certificates, etc) remains as X9.62 (and the various RFCs) defined it. New systems, as they are defined, get their own code points,suites, public key formats, key agreement protocols, signature methods and extensions (if necessary) appropriate only for them. On the point above, uncompressed X9.62 public keys are not going away anytime soon and are MUSTs in all the existing standards. Making them MUST NOT's in TLS1.3 seems to be a bad idea. If we want to require support for compressed points in addition as the next step then *maybe* that's the right answer. But then we probably need to go back to X9.62 and get them to make that recommendation as well. Later, Mike
- [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Hubert Kario
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Yoav Nir
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Dan Harkins
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Jeffrey Walton
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Bodo Moeller
- Re: [TLS] Should we require compressed points Viktor Dukhovni
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Michael StJohns