Re: [TLS] OPTLS: Signature-less TLS 1.3
Eric Rescorla <ekr@rtfm.com> Sun, 02 November 2014 22:39 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F4D51A0687 for <tls@ietfa.amsl.com>; Sun, 2 Nov 2014 14:39:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.377
X-Spam-Level:
X-Spam-Status: No, score=-1.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AarVxdIx4Giv for <tls@ietfa.amsl.com>; Sun, 2 Nov 2014 14:39:24 -0800 (PST)
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C7C31A005F for <tls@ietf.org>; Sun, 2 Nov 2014 14:39:24 -0800 (PST)
Received: by mail-wi0-f177.google.com with SMTP id ex7so5028304wid.10 for <tls@ietf.org>; Sun, 02 Nov 2014 14:39:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=w9xa9XJaUD2WjVyPiZfrHYgZ9C6SuI8okJNHV1u9xeE=; b=lS3Hmk//ocsCkWRmsz70yUMagppM4F7VvLeHLhJISuSQkuItTOFzqIhmm/xcU58Uqb 8SJNYXq4JU6filYU7O+5bn12RR2CVCDIqkmxHwzhMZkvr/uJZeH3tSkeTAYB462I/RGR i6y/qyM0r8Ll3/qIsYfk3xTtyiKZSPJ959UJ0SxYVq0if7YvwPP3IM/474xx5CtB0dQH HAeKTn/2gSpkT1N6149Wt/My6BbrabqIB0u4XId5p9Sko7Dp1Z0G2oWtzZIZplDjSDGe KBVywfyMP6RIXLv1E/7WY5bm1QbYxTHWLTXJwwRnR2emWDWafdIT5Cr44MfJrgqJPUnb IVSg==
X-Gm-Message-State: ALoCoQm4ATAK8419je+xN2TYcBCBxlRfVN710ghRSBI6J+yToz4GyESuch/Wi64dwjgSHSgni90l
X-Received: by 10.180.103.233 with SMTP id fz9mr11831651wib.80.1414967963204; Sun, 02 Nov 2014 14:39:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Sun, 2 Nov 2014 14:38:43 -0800 (PST)
In-Reply-To: <CADi0yUNCGAVvqFF9t1X+gRf36iHsxZOFOVacA=PfrV9-JcArqQ@mail.gmail.com>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <CABcZeBNQBC1XXFR5sGo=V8WmxmL5thaBpeHSasy3SordbqNRTQ@mail.gmail.com> <CABcZeBMEmoR18O0-NjuEeoPGTTVuOrwa_WM8YBiS=yd5-NWMbA@mail.gmail.com> <CACsn0cmmtUY17gMk537p8EiXuR3sNMb+rHY2b2nfK3S7-TE+1Q@mail.gmail.com> <CADi0yUNCGAVvqFF9t1X+gRf36iHsxZOFOVacA=PfrV9-JcArqQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 02 Nov 2014 14:38:43 -0800
Message-ID: <CABcZeBPyvzVsZiTk+Q00K=awQRNfMi=eAGgwynkqfV9Ut8_9vg@mail.gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: multipart/alternative; boundary="f46d044280cad0d1db0506e7e6b7"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/eDQhLQ_ZVzcsun9BUQT2TMfVfeo
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Nov 2014 22:39:25 -0000
On Sun, Nov 2, 2014 at 2:24 PM, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote: > > > On Sat, Nov 1, 2014 at 7:15 AM, Watson Ladd <watsonbladd@gmail.com> wrote: > >> Dear Hugo, >> >> There are some issues I can see: >> >> -Servers already supporting ECDSA certificates seem to not win. If I'm >> understanding correctly, a server does three exponentiations, one of >> which can be optimized by ephemeral reuse, when using ECDSA+ECDHE. The >> servers that win are the ones with RSA certs. The only way to win vs >> ECDSA is if DH only permits faster exponentiation, which it does, and >> removing the ancillary junk in ECDSA. However, here we have two >> variable base exponentiations after ephemeral reuse, as opposed to one >> fixed, one variable, so there is a loss in performance on the same >> group, made up for by removing inversions modulo the group order. >> > > Don't forget that 0-RTT cannot be supported with a signature-based > protocol > I'm not sure that this is correct. If a client does a 1-RTT exchange first (which he will have to do if he is naive about the server) then the server can provide a semi-static DH key for future use at that time and use a signature over the entire transcript to authenticate it, no? -Ekr
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
- Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk