Re: [TLS] OPTLS: Signature-less TLS 1.3

Eric Rescorla <ekr@rtfm.com> Sun, 02 November 2014 22:39 UTC

To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/eDQhLQ_ZVzcsun9BUQT2TMfVfeo
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>

On Sun, Nov 2, 2014 at 2:24 PM, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote:

> On Sat, Nov 1, 2014 at 7:15 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>
>> Dear Hugo,
>>
>> There are some issues I can see:
>>
>> -Servers already supporting ECDSA certificates seem to not win. If I'm
>> understanding correctly, a server does three exponentiations, one of
>> which can be optimized by ephemeral reuse, when using ECDSA+ECDHE. The
>> servers that win are the ones with RSA certs. The only way to win vs
>> ECDSA is if DH only permits faster exponentiation, which it does, and
>> removing the ancillary junk in ECDSA.  However, here we have two
>> variable base exponentiations after ephemeral reuse, as opposed to one
>> fixed, one variable, so there is a loss in performance on the same
>> group, made up for by removing inversions modulo the group order.
>>
>
> Don't forget that 0-RTT cannot be supported with a signature-based
> protocol
>

I'm not sure that this is correct. If a client does a 1-RTT exchange first
(which he will have to do if he is naive about the server) then the
server can provide a semi-static DH key for future use at that time
and use a signature over the entire transcript to authenticate it, no?

-Ekr
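The flow Ekr sketches, as an added toy model that is not code from this thread or from any TLS implementation: in a first 1-RTT connection the server's certificate key signs the whole transcript, which carries a semi-static DH share g^s alongside the ephemeral share; the client caches g^s only if that signature verifies, and a later 0-RTT connection derives an early-data key from g^{xs} with no signature at all. The 127-bit prime, generator 3 and the Schnorr-style signature standing in for the certificate signature are assumptions chosen so the file runs offline; none of them are secure parameters.

```python
import hashlib
import secrets

# Toy group parameters (assumed for the demo, NOT secure): 127-bit prime.
P = 2**127 - 1
G = 3
Q = P - 1  # exponents reduced mod the order of Z_P^*

def h(*parts: bytes) -> int:
    # Hash byte strings to an integer; used for signing and key derivation.
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")
def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")

# Certificate key: Schnorr-style signature in the same toy group (assumption).
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)
def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + (h(enc(r), msg) % Q) * x) % Q
def verify(y: int, msg: bytes, sig) -> bool:
    r, z = sig
    return pow(G, z, P) == r * pow(y, h(enc(r), msg) % Q, P) % P

# Connection 1 (1-RTT): server sends ephemeral g^y plus semi-static g^s and
# signs the whole transcript; client verifies before caching g^s.
def server_1rtt(sign_sk: int, s: int, gx: int):
    y = secrets.randbelow(Q - 1) + 1
    gy, gs = pow(G, y, P), pow(G, s, P)
    return gy, gs, sign(sign_sk, enc(gx) + enc(gy) + enc(gs))

def client_1rtt(sign_pk: int, x: int, server_msg) -> int:
    gy, gs, sig = server_msg
    if not verify(sign_pk, enc(pow(G, x, P)) + enc(gy) + enc(gs), sig):
        raise ValueError("bad transcript signature: do not cache g^s")
    return gs  # cached for later 0-RTT use

# Connection 2 (0-RTT): both sides derive the early-data key from g^{xs}
# using the cached share; no signature is computed or verified.
def zero_rtt_key(private: int, peer_share: int) -> int:
    return h(b"0rtt", enc(pow(peer_share, private, P)))

def demo() -> bool:
    sign_sk, sign_pk = keygen()            # server certificate key
    s = secrets.randbelow(Q - 1) + 1       # server semi-static DH key
    x1 = secrets.randbelow(Q - 1) + 1      # client ephemeral, connection 1
    cached_gs = client_1rtt(sign_pk, x1, server_1rtt(sign_sk, s, pow(G, x1, P)))
    x2 = secrets.randbelow(Q - 1) + 1      # client ephemeral, connection 2
    return zero_rtt_key(x2, cached_gs) == zero_rtt_key(s, pow(G, x2, P))
```

The point to notice is that the signature cost is paid once, in connection 1, and the 0-RTT key in connection 2 rests entirely on the client having verified that transcript.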