IETF Logo Mail Archive

Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement

Adam Langley <agl@imperialviolet.org> Mon, 13 January 2014 01:13 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFCC91ACCEA for <tls@ietfa.amsl.com>; Sun, 12 Jan 2014 17:13:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TaAkZmApckyN for <tls@ietfa.amsl.com>; Sun, 12 Jan 2014 17:13:01 -0800 (PST)
Received: from mail-lb0-x22b.google.com (mail-lb0-x22b.google.com [IPv6:2a00:1450:4010:c04::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 301A81ACC91 for <tls@ietf.org>; Sun, 12 Jan 2014 17:13:00 -0800 (PST)
Received: by mail-lb0-f171.google.com with SMTP id w7so4925487lbi.30 for <tls@ietf.org>; Sun, 12 Jan 2014 17:12:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=n/gjIEP0YGKtoiYjIcM39XV0teFcvX0LG8uRmDCZxwI=; b=IiFNc/kS5+SKv2bT/JOWQdcUIZ91w349An3J/i2HLUbizbnqS6qzIf+8InCvQfDAko fNSO+i033nS90g7yzAZqoxPU98unPCzVaIt4eQhKngcGTa5FJAC4iX45QP2oArK+7Oud GcJ69/HVKD7M7upoLXvh3BsOMLRkfjm/bNMRenGLOcy5O0726vlCmB1TAYPBRo+nhtMD bBxXGpVy1gO3awrzJDM/TocLahGrUJb4NJSCqgg6Umpi7+ckgyqwImQbwYEdmhcIKi9b /Zry26R5W8LyNOmwzS1f5KJ6iJlXDcheld8YI12z0ambph1CaEQ6SLYWzM6BIv/31e+O UB4w==
MIME-Version: 1.0
X-Received: by 10.152.170.199 with SMTP id ao7mr9387906lac.40.1389575569724; Sun, 12 Jan 2014 17:12:49 -0800 (PST)
Sender: alangley@gmail.com
Received: by 10.112.162.200 with HTTP; Sun, 12 Jan 2014 17:12:49 -0800 (PST)
In-Reply-To: <52D32766.3000202@polarssl.org>
References: <87eh4e7a2y.fsf@latte.josefsson.org> <52D18475.10709@akr.io> <CAMfhd9VwW+XOQSRQ9sPjWvwP3Aj0jXj=hOER3g8qK8UXCYnm4A@mail.gmail.com> <52D2C028.4090001@polarssl.org> <CAL9PXLwTDHVWnQ1pAdpoyoe1MeN3VwZudnw5jbxR_Js+aT7-=A@mail.gmail.com> <52D32766.3000202@polarssl.org>
Date: Sun, 12 Jan 2014 20:12:49 -0500
X-Google-Sender-Auth: 6ws8wql48RYwXOLWHm4LwruyYpc
Message-ID: <CAMfhd9Vkki+uXGX5-SC0ykuKnEdjkmpyTcQCGKvHWyOa+GwAJA@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2014 01:13:03 -0000

On Sun, Jan 12, 2014 at 6:38 PM, Manuel Pégourié-Gonnard
<mpg@polarssl.org> wrote:
> If there was currently no concept of "integer" in TLS, I'd totally agree with
> you here. But since there is, and they usually are represented as big-endian,
> there is a tension between being consistent with existing usage and going the
> arguably better way.

When it comes down to it - reversing 32 bytes isn't going to make or
break it in either way.

I guess I just see a byte string orientated interface to DH functions
as being the right way to go. We have a legacy of over-general
elliptic curve support that tries to support arbitrary curves and that
led to 'integers' being a concept in TLS regarding EC. However,
nobody(?) implements explicit_prime/explicit_char2 so what we actually
have are three DH functions: p256, p384 and p521 and they serialise as
0x04 <big-endian x> <big-endian y> in practice. Although it's an
opaque <1..2^8-1> in RFC 4492, the big-endian is coming from X9.62.

So, given an opaque<1..2^8-1> in TLS and a desire to plug curve25519
in there, using curve25519's format just seems less surprising and
simpler.


Cheers

AGL


-- 
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org

v2.23.0 | Report a Bug | By Email