Re: [TLS] Curve25519 in TLS
mrex@sap.com (Martin Rex) Thu, 17 October 2013 18:30 UTC
In-Reply-To: <20131016221640.0452568e@latte.josefsson.org>
To: Simon Josefsson <simon@josefsson.org>
Date: Thu, 17 Oct 2013 20:30:15 +0200
Message-Id: <20131017183015.47A401AA07@ld9781.wdf.sap.corp>
Cc: Manuel Pégourié-Gonnard <mpg@elzevir.fr>, "tls@ietf.org" <tls@ietf.org>

Simon Josefsson wrote:
> You wrote:
>
> > Thinking about it, I'm inclined to say we don't need to define a new
> > ECPointFormat entry, the I-D should just mandate that support for
> > (resp. use of) curve25519 implies support for (resp. use of) the
> > associated (unnamed) point format. This avoids possible consistency
> > issues like a client advertising support for the curve but not for
> > the associated point format.
> >
> > Similarly, the usual point formats have a leading byte indicating the
> > format used, that should IMO be dropped for curve25519.
> >
> > So this would lead to the definition that, for this curve, instead of
> > containing "the byte string representation of a field element
> > following the conversion routine in Section 4.3.3 of ANSI X9.62", the
> > point member of the ECPoint structure contains an opaque[32]
> > representing the x-coordinate of the point.

This should probably be a variable length vector so that the format
can be reused beyond curve25519 for similar curves with longer keys
(is curve3617 such a thing?)

>
> This sounds like a feasible approach to me. Maybe we need to put this
> solution in writing, and maybe put some of the other options in writing
> as well, to allow people to make an informed decision of where to go. I
> think this thread has been quite informative, and I'm hoping we can
> reach some early consensus and update the draft with that.

Extending plus subsetting rfc4492, so that PDUs and code points for
ECDH cipher suites can be shared between curve25519 and other ECC
curves, seems appropriate and acceptable.

But I would highly appreciate if the generic bloat, brittleness and
timing-sensitive ECC math of regular rfc4492 can be avoided as much
as possible.

So a new, simplified/specialized ECPoint format that is mandatory for
use with curve25519 and relatives, would help a lot.

-Martin
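
The wire encoding discussed in this message, as an added example that is not part of the original mail or of any draft: an ECPoint serialized as a length-prefixed vector, once with the usual leading format byte and once as the bare x-coordinate proposed for curve25519, with the decoder enforcing the format the curve implies. The function names, the curve table and the X_ONLY set are assumptions made for the illustration.

```python
# Added illustration; names below are hypothetical, not from any draft.
UNCOMPRESSED = 0x04  # leading format byte of the usual X9.62 encoding

# Field-element size in bytes per curve (constructed table for this demo).
COORD_LEN = {"secp256r1": 32, "secp384r1": 48, "curve25519": 32}
# Curves assumed to use the bare x-coordinate format proposed in the thread.
X_ONLY = {"curve25519"}


class ECPointError(ValueError):
    """Raised when an ECPoint does not match the format its curve implies."""


def encode_ecpoint(curve, x, y=None):
    """Serialize as opaque point<1..2^8-1>: one length byte, then the body."""
    n = COORD_LEN[curve]
    if len(x) != n:
        raise ECPointError("x-coordinate has wrong length for " + curve)
    if curve in X_ONLY:
        if y is not None:
            raise ECPointError(curve + " carries the x-coordinate only")
        body = x  # no format byte: the curve implies the format
    else:
        if y is None or len(y) != n:
            raise ECPointError("uncompressed format needs a full y-coordinate")
        body = bytes([UNCOMPRESSED]) + x + y
    return bytes([len(body)]) + body


def decode_ecpoint(curve, wire):
    """Parse one ECPoint from wire; return (coordinates, bytes_consumed)."""
    if not wire:
        raise ECPointError("missing length byte")
    length = wire[0]
    body = wire[1:1 + length]
    if length == 0 or len(body) != length:
        raise ECPointError("empty or truncated point vector")
    n = COORD_LEN[curve]
    if curve in X_ONLY:
        # Strict length check: a 65-byte uncompressed point is rejected here
        # instead of being silently truncated to its first 32 bytes.
        if length != n:
            raise ECPointError("expected exactly %d bytes for %s" % (n, curve))
        return (body,), 1 + length
    if body[0] != UNCOMPRESSED or length != 1 + 2 * n:
        raise ECPointError("not a well-formed uncompressed point")
    return (body[1:1 + n], body[1 + n:]), 1 + length
```

Keeping the one-byte length prefix is what lets the same structure carry a longer x-coordinate for a larger curve; only the per-curve size table changes.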