Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
Andy Lutomirski <luto@amacapital.net> Thu, 23 January 2014 18:40 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D18F91A001B for <tls@ietfa.amsl.com>; Thu, 23 Jan 2014 10:40:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.601
X-Spam-Level:
X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jSwtX_EMA5Id for <tls@ietfa.amsl.com>; Thu, 23 Jan 2014 10:40:35 -0800 (PST)
Received: from mail-pd0-f175.google.com (mail-pd0-f175.google.com [209.85.192.175]) by ietfa.amsl.com (Postfix) with ESMTP id A5E771A01E6 for <tls@ietf.org>; Thu, 23 Jan 2014 10:40:19 -0800 (PST)
Received: by mail-pd0-f175.google.com with SMTP id w10so2096173pde.6 for <tls@ietf.org>; Thu, 23 Jan 2014 10:40:18 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=rgeRnBqsNOLkBv5N69pv39/7MZpJlfdIFwEtSA+RYJ0=; b=YZa4cmXtzmeEeQFDvSiKpNO0Csio0w9Atmzdoqu1gXD185vJB/Vc95UyeYGpYN1NYr eXGzpF5Q09Mx3SOBWdi4ehH3ES2G/vuVeKLZAM8VoM/1MN10CA0Nhs+s9v+vN0F/iltT OPIBuRXCWxtWOh2WYe6Qc/0I/UhohWSa16Q0I+rDHvllupcb8Zak/eOjrR6CHFrUhmAE HccjPbPlpUNUvHS9zt/nS+rSw6qbO+nNKSUFDYiPlBf7UCuLkhpZTAwtVnKMsJPYJL4n tQjsIBtMFaIwI8ojV3yx0TjcS5AyDgW4N/0jfBXev/aOJgwESDrYqQ19ZbGj7/Op3vzl UfPg==
X-Gm-Message-State: ALoCoQl4Y13eFWlU0AKccBxK2uU4uunjWzqg3nz8jveFxRm8BrLq80xYCQlBSBxaUBSuHWDcRF2a
X-Received: by 10.66.232.7 with SMTP id tk7mr9607362pac.94.1390502418752; Thu, 23 Jan 2014 10:40:18 -0800 (PST)
Received: from amaluto.corp.amacapital.net (50-76-60-73-ip-static.hfc.comcastbusiness.net. [50.76.60.73]) by mx.google.com with ESMTPSA id lh13sm64707907pab.4.2014.01.23.10.40.17 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 23 Jan 2014 10:40:18 -0800 (PST)
Message-ID: <52E16210.1000405@mit.edu>
Date: Thu, 23 Jan 2014 10:40:16 -0800
From: Andy Lutomirski <luto@amacapital.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Robert Ransom <rransom.8774@gmail.com>, Manuel Pégouri é-Gonnard <mpg@polarssl.org>
References: <87ob3456s1.fsf@latte.josefsson.org> <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com> <52E060D0.9030801@polarssl.org> <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com>
In-Reply-To: <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Cc: tls@ietf.org
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2014 18:40:40 -0000
On 01/22/2014 05:17 PM, Robert Ransom wrote: > On 1/22/14, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote: >> On 22/01/2014 22:16, Robert Ransom wrote: > >>> * The draft should specify that implementations MUST discard (i.e. set >>> to zero) the most significant bit of a received public key, for two >>> reasons: (a) Existing Curve25519 scalarmult implementations differ in >>> their handling of inputs with that bit set, and could be distinguished >>> by an active attacker using that difference. >> >> I wasn't aware that some implementations ignored the most significant bit. >> Out >> of curiosity, could you cite examples? > > curve25519-donna and -donna-c64 ignore the MSB. > > Nick Mathewson (Tor lead developer) tested whether Dr. Bernstein's > floating-point implementation for IA-32 in NaCl ignores the MSB; he > reported that it does. > > The ‘ref’ implementation in NaCl does not ignore the MSB. > > I have no idea what Dr. Bernstein's original floating-point Curve25519 > implementation for IA-32 does with the MSB, but the web page > documenting it hints that it treats the MSB as part of the x > coordinate. > >> One of the "selling points" of Curve25519 is that no public key validation >> is >> needed, so I find it quite unfortunate that after all there is something to >> do >> when receiving public keys. > > Fingerprinting of implementations wasn't one of the security concerns > that Dr. Bernstein had in mind at the time, and it still isn't widely > considered to be a security risk. It's certainly minor compared to > the numerous ways that NSA-curve ECDH implementations can leak their > keys. > > But the bigger reason to mask off the high bit is extensibility. > >>> (b) Future specifications >>> may wish to include the sign bit of an Edwards-form x coordinate in a >>> Curve25519 point format for use with other protocols (e.g. Schnorr >>> signature, Ace) without breaking backwards compatibility with use in >>> ECDH. >>> >> This is a serious concern indeed. By the way, there was another issue under >> discussion that is related: should the point format be just the 32 bytes, or >> should we use a leading byte to follow the existing practice from X9.62, as >> Salz >> Rich suggested? If we use a leading byte, maybe it's better to have two >> formats, >> one for "x coordinate only", one for "y + bit sign of x"? > > * You appear to be confusing Montgomery form with Edwards form. The > Curve25519 paper specifies ‘Montgomery-form x coordinate only’; the > other format you are suggesting seems to be ‘Edwards-form y coordinate > with sign bit of Edwards-form x coordinate’. (Remember that the > Edwards-form y coordinate is analogous to the Montgomery-form x > coordinate.) > > * There is no reason to ever transmit an Edwards-form y coordinate for > use in ECDH. The formats that would be useful here are > ‘Montgomery-form x coordinate only’ and ‘Montgomery-form x coordinate > with sign bit of Edwards-form x coordinate’. > > * If you do not add a leading point-format byte, there is no reason to > specify the meaning of the high bit in this document. If you do add a > leading byte, you will have to choose in this document whether the > sign bit is for the Edwards-form x coordinate or the Montgomery-form y > coordinate. > > * Some future applications may wish to transmit an uncompressed > Edwards-form x coordinate or Montgomery-form y coordinate, not just > the sign bit. If you add a leading byte, you'll have to choose which > coordinate to use now. Alternatively, you could specify that > implementations of this document accept 64-byte points and ignore the > second half of the point structure. (Note that this means > implementations of this protocol MUST ignore the second half, even if > they know how to use it in some other protocol, or they will be > distinguishable from other ECDH implementations. I don't think that > restriction will ever be a problem for ECDH implementations.) > > * Some future (non-ECDH) applications may wish to transmit an > Edwards-form y coordinate instead of a Montgomery-form x coordinate > (e.g. so that they can distinguish the point of order 2 from the > identity). If you do not add a leading point-format byte now, those > applications will have to use a different NamedCurve in order to > indicate that they are incompatible with the point formats used for > ECDH. (I'm not sure that this is a problem, or that any such > applications will ever exist.) Can someone remind me why any of the above is better than using ECPointFormat to specify the point format? --Andy
- [TLS] Curve25519 in TLS and Additional Curves in … Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… James Cloos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Bill Frantz
- Re: [TLS] Curve25519 in TLS and Additional Curves… Kurt Roeckx
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Daniel Kahn Gillmor
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Yoav Nir
- Re: [TLS] Curve25519 in TLS and Additional Curves… Fabrice
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard