Re: [TLS] Curve25519 in TLS

mrex@sap.com (Martin Rex) Thu, 17 October 2013 18:30 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 216B911E82A9 for <tls@ietfa.amsl.com>; Thu, 17 Oct 2013 11:30:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.038
X-Spam-Level:
X-Spam-Status: No, score=-10.038 tagged_above=-999 required=5 tests=[AWL=0.211, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ze7fSNWqdrhz for <tls@ietfa.amsl.com>; Thu, 17 Oct 2013 11:30:28 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 88F8F11E81A2 for <tls@ietf.org>; Thu, 17 Oct 2013 11:30:18 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r9HIUF8l017742 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 17 Oct 2013 20:30:15 +0200 (MEST)
In-Reply-To: <20131016221640.0452568e@latte.josefsson.org>
To: Simon Josefsson <simon@josefsson.org>
Date: Thu, 17 Oct 2013 20:30:15 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131017183015.47A401AA07@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: Manuel Pégourié-Gonnard <mpg@elzevir.fr>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Curve25519 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2013 18:30:34 -0000

Simon Josefsson wrote:
> You wrote:
> 
> > Thinking about it, I'm inclined to say we don't need to define a new
> > ECPointFormat entry, the I-D should just mandate that support for
> > (resp. use of) curve25519 implies support for (resp. use of) the
> > associated (unamed) point format. This avoids possible consistency
> > issues like a client advertising support for the curve but not for
> > the associated point format.
> > 
> > Similarly, the usual point formats have a leading byte indicating the
> > format used, that should IMO be dropped for curve25519.
> > 
> > So this would lead to the definition that, for this curve, instead of
> > containing "the byte string representation of a field element
> > following the conversion routine in Section 4.3.3 of ANSI X9.62", the
> > point member of the ECPoint structure contains an opaque[32]
> > representing the x-coordinate of the point.

This should probably be a variable length vector so that the
format can be reused beyond curve25519 for similar curves with
longer keys (is curve3617 such a thing?)

> 
> This sounds like a feasible approach to me.  Maybe we need to put this
> solution in writing, and maybe put some of the other options in writing
> as well, to allow people to make an informed decision of where to go.  I
> think this thread has been quite informative, and I'm hoping we can
> reach some early consensus and update the draft with that.


Extending plus subsetting rfc4492, so that PDUs and code points
for ECDH cipher suites can be shared between curve25519 and other
ECC curves, seems appropriate and acceptable.

But I would highly appreciate if the generic bloat, brittleness and
timing-sensitive ECC math of regular rfc4492 can be avoided as much
as possible.  So a new, simplified/specialized ECPoint format that
is mandatory for use with curve25519 and relatives, would help a lot.

-Martin