Re: [TLS] Should we require compressed points
Watson Ladd <watsonbladd@gmail.com> Wed, 22 October 2014 18:52 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 658211ACF08 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:52:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.399
X-Spam-Level:
X-Spam-Status: No, score=-0.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, J_CHICKENPOX_46=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cTeEKkXx3b7f for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:52:49 -0700 (PDT)
Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A1581ACFE2 for <tls@ietf.org>; Wed, 22 Oct 2014 11:52:49 -0700 (PDT)
Received: by mail-yh0-f42.google.com with SMTP id t59so4047201yho.29 for <tls@ietf.org>; Wed, 22 Oct 2014 11:52:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=UsOMh5Dp5Z1NeaX1yKJPDnxw0yQsXuHPuTKnydADc/E=; b=OPJ02rB9VnngLGUW0RC7X8WzNqd1zW7VLvoY4wYwF311+q8r/LL6Jc2ewJG81SsKXU B/Plnr2cs4pdfJ2xO1qyVmQoOH/6mn2MySdoMwFPvLiGDhpU1Iu4NRFoTa5jzabTCXw4 Rczc/tk88wOqaE/1OUY2dV2dEw4RnGBOwrG3neM0KU3Ic6TbwTVstJXfWgrncXwK/UEd eifFNZqyf+z+KGM5FORbtBoMp6DX+BBAoXQRD/YDT5n4jovlCy+l6D8V02yGUFAruIIc uz084dw34lE3pWLBi/cus0AhproCaIkEPnlGrAr+vhlIPrbUhcPi7sqFuyU4m4voZxkX Qk9g==
MIME-Version: 1.0
X-Received: by 10.236.103.170 with SMTP id f30mr143358yhg.4.1414003968675; Wed, 22 Oct 2014 11:52:48 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Wed, 22 Oct 2014 11:52:48 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Wed, 22 Oct 2014 11:52:48 -0700 (PDT)
In-Reply-To: <5447E307.3010104@gmail.com>
References: <CABcZeBMqdwWTFxGAqaC9PqhzbgZM5yOf2TTq7pVCjyw_X+3Zkg@mail.gmail.com> <544677AE.4000005@nthpermutation.com> <CACsn0cnbgHbkdpcoUYfrkzCWkB-XS6ZFD7F96bWHsU+tiLRCGg@mail.gmail.com> <5447E307.3010104@gmail.com>
Date: Wed, 22 Oct 2014 11:52:48 -0700
Message-ID: <CACsn0c=xkw24PJjEw+GZaQPAT-mRT24FkndfPU=jzHkkyrOnwA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
Content-Type: multipart/alternative; boundary="001a113321ae4396d00506077432"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/l0zc7ad-0tIX6sFtMBlGE4SOW_w
Cc: tls@ietf.org
Subject: Re: [TLS] Should we require compressed points
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 18:52:52 -0000
On Oct 22, 2014 10:02 AM, "Rene Struik" <rstruik.ext@gmail.com> wrote: > > Hi Watson: > > I do not understand your statement below: the cost of "decompressing" points may be not that insignificant and, depending on application, one might rather send uncompressed points instead. > > For simplicity, let us assume a short-Weierstrass curve E with defining equation y^2 = x^3 + a x + b (mod p). (A similar argument holds for other curves, of course.) > > If one receives an uncompressed alleged point R:=(x,y), one has to check whether this is indeed on the curve E. This comes roughly at cost 2S+1M (where S=squaring; M=multiply). > If one receives a compressed point R':=(x,y') and requires the corresponding uncompressed point R, one has to compute a solution y to the equation y^2=alpha, where alpha:=x^3+ax+b (mod p) and (if there is a solution) pick y or p-y, depending on the binary value y'. This comes at roughly cost 1S + 1M+1SQRT (where SQRT=square root). > > The trade-off here is that point compression slightly saves on communication bandwidth, whereas it does increase computational cost of scalar multiplies. > {Rough ballpark for 256-bit curve: 64 octet uncompressed point vs. 32 octet compressed point; curve check uncompressed point roughly <0.2% cost scalar multiply vs. ~10% cost scalar multiply (based on figures I have seen floating around on the cfrg mailing list).} > > Your suggested "security concern" seems to be that implementers will somehow not perform the curve check (why?) and that, by using point compression, you simply enforce it indirectly (since recomputing the uncompressed point from the compressed one includes checking whether the x-value is indeed the x-coordinate of a possible curve point). For implementers that *do* perform the curve check and do care more about performance than about the 32-octet communication savings, this would present a disadvantage. Ask Bouncycastle, Apple, and Go why they don't do this check. (Bouncycastle fixed it). The fact is implementations are exploitable as a result of taking shortcuts not revealed in ordinary testing. Furthermore, x coordinate only is adequate for ECDH and was suggested in the original ECC paper. > > The only case where the latter does not incur such a large performance hit seems to be in cases where scalar multiplication does not use the y-coordinate at all (since then one does not care about y' and simply sees whether alpha is a quadratic residue). This does however restrict implementation freedom. Brier - Joyce is also slower then table based fixed window methods. Furthermore, not all curves in TLS are twist secure. > > If one were to be concerned about implementation attacks, why not have people compute a compressed point R':=(x,y') from a received uncompressed point R:=(x,y) {this simply requires taking y':=y (mod 2), i.e., determining the parity of y} and then do as you suggested. They could validate the received point instead. Why decompress when you don't have to? > > Using uncompressed points gives people two mechanisms for preventing invalid point attacks (via curve check or point decompression), at slightly higher communication cost (32 octets) that seems easy to accept in most TLS applications. Allowing freedom to choose either format gives people choice, also on communication cost side, at trivial cost of having a single octet indicator. > > This leads us back to the representation formats we currently have. > > Best regards, Rene > > == > > Yes, but uncompressed points are not a security concern in X509, but they are in ECDH. Furthermore, the cost of adding compression support is very small: it's a square root, a check, and potentially flipping the sign. The benefit is that invalid point attacks are much harder to carry out. > > On 10/22/2014 12:11 PM, Watson Ladd wrote: >> >> On Tue, Oct 21, 2014 at 8:11 AM, Michael StJohns <msj@nthpermutation.com> wrote: >> > On 10/21/2014 10:52 AM, Eric Rescorla wrote: >> > >> > https://github.com/tlswg/tls13-spec/issues/80 >> > >> > Today we discussed the possibility of requiring support for compressed >> > points >> > in TLS 1.3 now that the IPR has expired. >> > >> > Specifically, I propose that for TLS 1.3, we: >> > >> > - Use only compressed points for the existing curves (and presumably >> > whatever superior format is defined for the CFRG-recommended >> > curves, as appropriate). >> > >> > - Deprecate the Supported Point Formats extension for TLS 1.3 >> > >> > >> > I'm pretty much opposed to the former and I guess by extension the latter. >> > >> > There's a very large body of code that doesn't support anything except type >> > 0x04(uncompressed) X9.63 point encodings. If you want to add support for >> > compressed points (or hybrid compressed), I don't think that's necessarily a >> > bad idea, but not at the expense of removing support for uncompressed >> > points. If you wanted to remove the supported point format extension, I >> > guess you could mandate support for both compressed and uncompressed (and >> > hybrid?). >> >> There is a large body of code that doesn't support TLS 1.3 as well. >> > >> > As a second item, I would estimate the chance we're going to see compressed >> > points in X509 certificates as a regular thing prior to about 10 years from >> > now as very small, meaning that any general transition to EC based suites is >> > going to require uncompressed point support. >> >> Yes, but uncompressed points are not a security concern in X509, but they are in ECDH. Furthermore, the cost of adding compression support is very small: it's a square root, a check, and potentially flipping the sign. The benefit is that invalid point attacks are much harder to carry out. >> >> > >> > Lastly, while the base IPR for point compression seems to be no longer of >> > concern, I've still been told to avoid it for a few more years due to >> > implementation patents related to compression. I'm not sure how worrisome >> > that is, but its one of the reasons that binary curves aren't in broader use >> > still. >> > >> > Just my $.02 >> > >> > Mike >> > >> > >> > >> > For RFC 4492-bis, we might also consider requiring support for compressed >> > points as well as uncompressed (already required) but this seems like a >> > separable issue, since it's mostly in service of optimization rather than >> > simplicity. >> > >> > What do people think? >> > -Ekr >> > >> > >> > >> > >> > >> > >> > >> > _______________________________________________ >> > TLS mailing list >> > TLS@ietf.org >> > https://www.ietf.org/mailman/listinfo/tls >> > >> > >> > >> > _______________________________________________ >> > TLS mailing list >> > TLS@ietf.org >> > https://www.ietf.org/mailman/listinfo/tls >> > >> >> -- >> "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." >> -- Benjamin Franklin >> >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > > > > -- > email: rstruik.ext@gmail.com | Skype: rstruik > cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Hubert Kario
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Yoav Nir
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Dan Harkins
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Andrei Popov
- Re: [TLS] Should we require compressed points Rene Struik
- Re: [TLS] Should we require compressed points Jeffrey Walton
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Peter Gutmann
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Martin Thomson
- Re: [TLS] Should we require compressed points Watson Ladd
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Bodo Moeller
- Re: [TLS] Should we require compressed points Viktor Dukhovni
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Ilari Liusvaara
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Eric Rescorla
- Re: [TLS] Should we require compressed points Michael StJohns
- Re: [TLS] Should we require compressed points Manuel Pégourié-Gonnard
- Re: [TLS] Should we require compressed points Michael StJohns