IETF Logo Mail Archive

Re: [TLS] Curve25519 in TLS and Additional Curves in TLS

Manuel Pégourié-Gonnard <mpg@polarssl.org> Fri, 24 January 2014 18:49 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F8A61A0028 for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 10:49:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.394
X-Spam-Level:
X-Spam-Status: No, score=0.394 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0nP2HVTtGCR for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 10:49:48 -0800 (PST)
Received: from vps2.brainspark.nl (vps2.brainspark.nl [141.138.204.106]) by ietfa.amsl.com (Postfix) with ESMTP id B533A1A0015 for <tls@ietf.org>; Fri, 24 Jan 2014 10:49:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:CC:To:MIME-Version:From:Date:Message-ID; bh=S7vtABMMf7tII60+6KKobRbqZc+5/3q+TKjQbWhQ6ws=; b=N9MERGZduaZXK4lzYdcGivQsSEESosvNGrqlIQdVaJVsmNNgLGtYy181x1rWzXODo/nA6ZFkEpfGSU1We1bOebgxIBy04H/Qmps55209sg1NeKg+GCSkhC+CL+17PehOupU2yCt7XcN2Kq0mhfi9olUjPRhD1xPD4Ep/GsCRtBA=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.brainspark.nl with esmtpsa (TLS1.0:DHE_RSA_CAMELLIA_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1W6liB-0005mF-4H; Fri, 24 Jan 2014 19:42:39 +0100
Message-ID: <52E2B5C7.5040600@polarssl.org>
Date: Fri, 24 Jan 2014 19:49:43 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.1.1
MIME-Version: 1.0
To: Robert Ransom <rransom.8774@gmail.com>
References: <87ob3456s1.fsf@latte.josefsson.org> <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com> <52E060D0.9030801@polarssl.org> <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com> <52E0E241.40406@polarssl.org> <CABqy+sqs31ATDWJSum55m1o5pRvw8Wq5GtB-mF-hgP2emB5eFQ@mail.gmail.com>
In-Reply-To: <CABqy+sqs31ATDWJSum55m1o5pRvw8Wq5GtB-mF-hgP2emB5eFQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.brainspark.nl)
Cc: tls@ietf.org
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2014 18:49:49 -0000

On 23/01/2014 20:45, Robert Ransom wrote:
> So, the only implementation I know of that does not ignore the MSB is
> a horribly slow one that should never be used in production -- I would
> not be surprised if it's slower than a typical implementation of the
> BND curves.
> 
Good to know. It really pleads for recommending to ignore the MSB even if we
don't need it later.

> I still think that avoiding implementation fingerprinting would
> justify “implementations SHOULD mask off the high bit”.
> 
I agree.

> Remember that what Dr. Bernstein refers to as ‘public key validation’
> in the Curve25519 paper is considerably more expensive than one
> bitwise AND:
> [...]

Sure.. Another point I thought about in the meantime is that the security
consequences of not doing that check are minimal for Curve25519 (implementation
fingerprinting) as opposed to short Weierstrass curves with (x, y) coordinate
(small subgroup attack).

> If you add a leading byte as an extension hook *and* specify an
> ECPointFormat value for the current ‘Montgomery-form x’ point format,
> current implementations can refuse to receive point formats which they
> won't understand.

Haha, I think I finally understood. You're referring to this paragraph of the
draft, right?

   Since only one point format can be used with Curve25519, which is
   distinct from the formats used by short Weierstrass curves, the
   contents of the "Supported Point Formats" extension is irrelevant for
   this curve.

Yes, if we add a leading byte, and we want to be able to use other formats
(hence other leading bytes) with Curve25519 in TLS in the future, then this
phrase should be removed and a new ECPointFormat value requested from IANA.

> If you don't add a leading byte, I think the ECPoint length byte can
> still be used as an adequate extension mechanism for future non-ECDH
> protocols.
> 
As long as there is no more than one future format mapping to the same length.
Eg, is for some reason some people want to send

> I agree, but future implementations should be allowed to send an
> uncompressed second coordinate without breaking compatibility with
> implementations of this protocol.  What I'm suggesting is that (a)
> current implementations send 32-byte points; (b) current
> implementations accept both 32-byte and 64-byte point objects, and
> ignore the second half of a 64-byte point.
> 
That's an option too, but compared to a leading byte, it doesn't allow to define
two different 64-byte point formats in the future, right? So maybe the leading
byte (with ECPointFormat negociation) is the most future-proof way.

Manuel.

v2.23.0 | Report a Bug | By Email