IETF Logo Mail Archive

Re: [TLS] Why Edwards? (was Re: TLS process thread)

Watson Ladd <watsonbladd@gmail.com> Mon, 14 April 2014 15:03 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77C9C1A04A1 for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 08:03:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UFpNjZ7OKYX5 for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 08:03:44 -0700 (PDT)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id 408261A01A6 for <tls@ietf.org>; Mon, 14 Apr 2014 08:03:44 -0700 (PDT)
Received: by mail-yh0-f54.google.com with SMTP id f73so8092943yha.41 for <tls@ietf.org>; Mon, 14 Apr 2014 08:03:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=zwmTonPF3ndtxryOpWxy/V4uHyWhjYXD1KiiLf6ZYUE=; b=URPDQArsFUykGee0KXF6yvCd+vKhXhYGs1icn2YUGX4cYUS1gUNpxIntwBdLrc5M8I 92s/s1++MVm9AisGWCv64ot6j/nVmhMEQ5dSRcVBZC8HkTOz6t5+Rt+JuHqUjLfwGoLh ohSTp0hK+uBZNLY9bOfF3fnwXiwjnZHakc4GimfidwXL5yviglEOrGQVQ8j2B3Adydop k4i15vV9Aw8Ea2kEgJacz2DtYlDs5iXlGpbAgfIDgBKjNhGTW694RyX0W2Zg026+k7Gv sRFsnPcW//qcKP7vnpFoclB90neSFeZGVpoZIGinP0tbIVTh0eUhvktUD0IIgqrHkTpN PtQw==
MIME-Version: 1.0
X-Received: by 10.236.134.71 with SMTP id r47mr13732455yhi.83.1397487821655; Mon, 14 Apr 2014 08:03:41 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Mon, 14 Apr 2014 08:03:41 -0700 (PDT)
In-Reply-To: <93DF63D4-B003-4B9D-9D55-E3F065724081@vigilsec.com>
References: <CACsn0cn1EBhtvtq4X3J0h1TUq5nGvRyP818oY4rhqfqJA4aELg@mail.gmail.com> <93DF63D4-B003-4B9D-9D55-E3F065724081@vigilsec.com>
Date: Mon, 14 Apr 2014 08:03:41 -0700
Message-ID: <CACsn0cnVSVOht2OVKSQOrX-hSTO=7_h0KY5SbQ_5ZVOueJWWfw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/XstFC4H6hKBDR_vsO0Qgz3EUjgs
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Why Edwards? (was Re: TLS process thread)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 15:03:49 -0000

On Mon, Apr 14, 2014 at 7:48 AM, Russ Housley <housley@vigilsec.com> wrote:
>
>> On Sun, Apr 13, 2014 at 11:24 PM, Dan Harkins <dharkins@lounge.org> wrote:
>>>
>>> On Sun, April 13, 2014 10:44 pm, Watson Ladd wrote:
>>>> That's going to be a pretty big change from RFC 5246. Trying to keep
>>>> the textual changes minimal probably a lost cause at this point, and
>>>> will hurt, rather than help clarity. This is before we try to reduce
>>>> round-trips, eliminate unused ciphersuites, introduce the Edwards
>>>> curves (necessary for security because people do not write perfect
>>>> code, even when they should), and ensure that what we write matches
>>>> what we prove (because as I'm sure you know from my opposition to
>>>> Dragonfly, I do not support mechanisms that are not shown to be secure
>>>> from well picked assumptions)
>>>
>>>  Really? And Edwards curves will necessarily result in perfect code?
>>> Certainly not as a result of draft-ladd-safecurves! So what assures
>>> perfection in Edwards curves implementations then?
>>
>> Nothing: you can always do something stupid that leaks information.
>> But on a Weierstrass curve, to add two points you have to
>> 0: Be assured they are on the curve
>> 1: Check that both are not the identity
>> 2: Check they are not the same (and if so double them instead)
>> 3: Check they are not inverses of each other
>> 4: Add them
>>
>> Doing this without branching is hard. Furthermore, to avoid leaking
>> information about the top bit of your exponent, you need to either
>> massage the exponent representation or do dummy calculations, along
>> with tracking when to start doing the real calculations.
>>
>> I've written constant time P256 code. It wasn't easy, and there is one
>> particular exponent that will not get handled correctly (namely the
>> group order, which is fine because I'm doing ECDH with random secret
>> keys, and signature verification runs in not constant time). RFC 6090
>> gets this completely wrong.
>>
>> By contrast on Edwards curves, there are no cases to consider: there
>> is only a formula that holds true for all cases. There can be no curve
>> checks: via compression we ensure that all considered points are on
>> the curve. There are no side channels at this level if you use a
>> masked table load, as there are no branches. It's significantly easier
>> to write the code and reason about it: naive double and add will work.
>>
>> The same holds true for Montgomery curves, which is why the Curve25519
>> has attracted a lot of interest.
>>
>> Of course, you could always suggest text to be added to
>> draft-ladd-safecurves or write one yourself on implementation of these
>> curves if you are dissatisfied with it. You could always write your
>> own draft if you had an alternative approach to presenting them.
>>
>> Sincerely,
>> Watson Ladd
>
>
> Watson:
>
> One thing that I like about the Weierstrass form is that we already have a lot of code that uses it.
>
> Unfortunately, the NIST Prime Curves do not transform onto Edwards for because they are co-factor 1, and Edwards curves are co-factoer 4. There are many people that will want FIPS 140 certification of their implementations, so we need to find a way to accommodate the NIST Prime Curves even if they are not the default curve.

I'm not suggesting we throw out short Weierstrass. I'm saying that
Edwards curves need to be a viable alternative for people who don't
want the extra complexity and lower performance of short Weierstrass.
But yes, the low round trip handshake does have its own requirement on
a few commonly supported curves or else the initial offering will be
rejected unnecessarily.

Having separate curve specific implementations is necessary anyway for
optimal performance as the primes are different and the performance
characteristics of fields change as you increase the size. Kasper's
P224 and AGL's P256 use different radices. Embedded implementations
can pick one curve and stick with it, and use generic bignums (with
some care to avoid timing issues).

Adding Edwards curves to a Weierstrass implementation can be as small
as writing a new add and double function, each of about 20 indirect
calls, if the implementation was highly generic in the first place. If
not, you have to recode and rename more functions.

Sincerely,
Watson Ladd

>
> Russ
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email