Re: [TLS] Thoughts on TLS 1.3 cryptography performance

Trevor Perrin <trevp@trevp.net> Thu, 13 March 2014 17:46 UTC


On Thu, Mar 13, 2014 at 10:29 AM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Thu, Mar 13, 2014 at 9:52 AM, Nico Williams <nico@cryptonector.com>
> wrote:
> > On Thu, Mar 13, 2014 at 11:48 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >> On Thu, Mar 13, 2014 at 9:34 AM, Nico Williams <nico@cryptonector.com>
> >> wrote:
> >>>
> >>>  But I am concerned about the need for PFS on
> >>> resumption in order to limit the extent of resumption ticket cache
> >>> compromise; if you're going to lose the 0-RTT resumption for it, might
> >>> as well pick the best "fast reauthentication" protocol possible, and
> >>> that might be Watson's.
> >>
> >>
> >> WRT this specific point, I wanted to observe that computational cost
> >> (within reason) is less important than round trip delay, for a number of
> >> reasons:
> >
> > My concern is in the sense of "this needs to be a security
> > consideration, and Watson's protocol is worth considering at least as
> > an option" (modulo IPR, if any).
>
> Triple DH is unpatented AFAIK. MQV patent expires soon


It's a little more complex than this.

I think HMQV has a patent from IBM as well as the Certicom MQV patents.

Triple DH itself is unpatented and derives from [1,2].  But when hashing
identity information into the session key, Microsoft's KEA+ patent (which
covers doing this with a "Double DH") might possibly be viewed as relevant.

(I think that's an obvious combination of prior art, and arguably not
directly relevant.  But it creates some uncertainty.)


Trevor


[1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.27.8493
[2] http://www.iacr.org/cryptodb/archive/2005/ASIACRYPT/283/283.pdf