IETF Logo Mail Archive

Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement

Manuel Pégourié-Gonnard <mpg@polarssl.org> Sun, 12 January 2014 23:38 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E305E1ACC8B for <tls@ietfa.amsl.com>; Sun, 12 Jan 2014 15:38:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.394
X-Spam-Level:
X-Spam-Status: No, score=0.394 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DVZ42flZRj3w for <tls@ietfa.amsl.com>; Sun, 12 Jan 2014 15:38:27 -0800 (PST)
Received: from vps2.brainspark.nl (vps2.brainspark.nl [141.138.204.106]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC831AC7F3 for <tls@ietf.org>; Sun, 12 Jan 2014 15:38:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:CC:To:MIME-Version:From:Date:Message-ID; bh=50vi3oesV5YHiSd14cQDQ/XBTAqbeotzNXiW6FdpJuo=; b=iYir4Uyyc+wd3Lo3v7L9yWs0vXFsqyCyvSQS7pgKOAfDMhGGTzqTuRJBboSoDQZit9JraSpcQIN7BcnR6XoIn+MKw6T4RaFq0oOG+Kn6K8oowCzAYQVVudN23tUUj9OfGD474E3FLvzhhcw1XDuAzL0Bc4e8mpxl0aKERa0S3cg=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.brainspark.nl with esmtpsa (TLS1.0:DHE_RSA_CAMELLIA_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1W2UUi-0004Kv-Bo; Mon, 13 Jan 2014 00:31:04 +0100
Message-ID: <52D32766.3000202@polarssl.org>
Date: Mon, 13 Jan 2014 00:38:14 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.1.1
MIME-Version: 1.0
To: Adam Langley <agl@google.com>
References: <87eh4e7a2y.fsf@latte.josefsson.org> <52D18475.10709@akr.io> <CAMfhd9VwW+XOQSRQ9sPjWvwP3Aj0jXj=hOER3g8qK8UXCYnm4A@mail.gmail.com> <52D2C028.4090001@polarssl.org> <CAL9PXLwTDHVWnQ1pAdpoyoe1MeN3VwZudnw5jbxR_Js+aT7-=A@mail.gmail.com>
In-Reply-To: <CAL9PXLwTDHVWnQ1pAdpoyoe1MeN3VwZudnw5jbxR_Js+aT7-=A@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.brainspark.nl)
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jan 2014 23:38:29 -0000

On 12/01/2014 20:53, Adam Langley wrote:
> On Sun, Jan 12, 2014 at 11:17 AM, Manuel Pégourié-Gonnard
> <mpg@polarssl.org> wrote:
>> Concerning implementations, unless I'm mistaken all the implementations of
>> Curve25519 you mention use custom routines for field arithmetic. I was thinking
>> about other implementations might want to use a more generic bignum library,
>> whose output function will probably be big-endian since that's the ordering
>> generally used in protocols. So for these implementations, big-endian would
>> probably be more natural.
> 
> Using a generic bigint library is tough if you want to be constant
> time. (For example, integer division on Intel is variable time.)
> 
Right, but it seems to me some randomisation can help here.

> Also, internally, the library likely stores values as a series of
> words in little-endian order and is likely to be operating on
> little-endian systems, so little-endian is the more native
> representation.
> 
Agreed.

> I guess my overall point is that I don't see the concept of an
> "integer" as being a good one to put into TLS here. I think keeping a
> DH function as something that operates on bytestrings makes sense.
> Maybe they'll want to operate on binary fields, or compress the 'y'
> coordinate into one of the unused bits, or export a different
> coordinate form.
> 
If there was currently no concept of "integer" in TLS, I'd totally agree with
you here. But since there is, and they usually are represented as big-endian,
there is a tension between being consistent with existing usage and going the
arguably better way.

Manuel.

v2.23.0 | Report a Bug | By Email