Re: [TLS] Thoughts on TLS 1.3 cryptography performance
Watson Ladd <watsonbladd@gmail.com> Thu, 13 March 2014 06:12 UTC
Date: Wed, 12 Mar 2014 23:12:12 -0700
Message-ID: <CACsn0ckVq5wkjsZgV6XrsgA6tU6_6YLKOsJQMivFY59esX1Ywg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hKLms7oG_BgJY1NvO1QsyAV6lMA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Thoughts on TLS 1.3 cryptography performance

On Wed, Mar 12, 2014 at 9:54 PM, Nico Williams <nico@cryptonector.com> wrote:
> Isn't session resumption with session tickets faster still and
> -provided the insufficiency of binding from resumed to original
> session is fixed- as secure? Ah, you want PFS even on resumption, but
> surely that could be added, and even then the result should still
> perform even better than your proposal.

The performance gain doesn't work like that. It's not from the client
having seen the g^a before, but that the server doesn't need to sign a
new value every time it does a handshake. The client can avoid
validations if it can remember a global database of public
information, but if not it is only slightly worse off than today in
calculation. By contrast resumption only works if the client maintains
some data that has to be kept secret, and if the server still
remembers how to read the tickets that it handed out.

Having resumption doesn't stop servers going to ECDHE and ECDSA for
efficiency reasons. Particularly at higher security, RSA is extremely
slow: my computer can only do 111 RSA 4096 signatures a second. It can
do 24 times as many P521 signatures. Even if a small minority of all
connections require a public key operation, that difference matters.
(Signatures are equivalent to decryption, in case people were
wondering about RSA handshakes sans PFS)

Adding PFS to resumption requires two exponentiations client and
server side: one fixed base, one variable base. At that point we've
done enough work to completely redo the connection with HMQV. (well,
modulo the client regenerating its key periodically, or maybe once per
connection for anonymity, and I've ignored the fact that in genus 2 or
on Kummer varieties you have a problem with HMQV and have to do triple
DH instead) I don't see anyone paying that penalty anytime soon.

But don't take my word for it: from Cloudflare: "Because ECDSA is so
much more efficient for our servers, supporting these certificates is
an essential step for enabling SSL for free in 2014." CPU matters.

Sincerely,
Watson Ladd

>
> Nico
> --

--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
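
The cost counted in the message above ("two exponentiations client and server side: one fixed base, one variable base"), shown as an added example that is not part of the original post. The toy group, the `Party` class and the HMAC-based key derivation are assumptions made for illustration, not anything specified in the thread or in TLS.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only: the Mersenne prime 2^127 - 1
# with base 3. Far too small for real use; a deployment would use an elliptic curve.
P = 2**127 - 1
G = 3

class Party:
    """One side of a resumption handshake that adds an ephemeral DH exchange."""
    def __init__(self, resumption_secret: bytes):
        self.resumption_secret = resumption_secret
        self.fixed_base = 0      # exponentiations of the known base G
        self.variable_base = 0   # exponentiations of a value received from the peer
        self._x = None

    def offer(self) -> int:
        # Fixed-base exponentiation: G is known in advance, so tables can be precomputed.
        self._x = secrets.randbelow(P - 3) + 2
        self.fixed_base += 1
        return pow(G, self._x, P)

    def finish(self, peer_share: int) -> bytes:
        if not 1 < peer_share < P - 1:
            raise ValueError("degenerate DH share")
        # Variable-base exponentiation: the base is only known once the peer's share arrives.
        self.variable_base += 1
        shared = pow(peer_share, self._x, P)
        self._x = None  # discard the ephemeral exponent; this is what gives forward secrecy
        # Assumed derivation: key the MAC with the stored secret, mix in the DH result.
        return hmac.new(self.resumption_secret, shared.to_bytes(16, "big"),
                        hashlib.sha256).digest()

def ticket_only_key(resumption_secret: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Resumption without DH: no exponentiations, but the key depends only on
    the stored secret and public nonces, so a later leak of that secret exposes it."""
    return hmac.new(resumption_secret, client_nonce + server_nonce, hashlib.sha256).digest()

def resume_with_pfs(resumption_secret: bytes):
    """Run both sides; return (client_key, server_key, client, server)."""
    client, server = Party(resumption_secret), Party(resumption_secret)
    c_share, s_share = client.offer(), server.offer()
    return client.finish(s_share), server.finish(c_share), client, server
```
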