Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
Robert Ransom <rransom.8774@gmail.com> Wed, 22 January 2014 21:16 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D0B1A048F for <tls@ietfa.amsl.com>; Wed, 22 Jan 2014 13:16:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IaxAHy98qZby for <tls@ietfa.amsl.com>; Wed, 22 Jan 2014 13:16:21 -0800 (PST)
Received: from mail-qa0-x22d.google.com (mail-qa0-x22d.google.com [IPv6:2607:f8b0:400d:c00::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 8A3421A0480 for <tls@ietf.org>; Wed, 22 Jan 2014 13:16:21 -0800 (PST)
Received: by mail-qa0-f45.google.com with SMTP id ii20so1143766qab.4 for <tls@ietf.org>; Wed, 22 Jan 2014 13:16:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=bI5QAK64rBHwR6qm+RI4RW0LaXQhCcOUPT1aJmzf14s=; b=ZGV7aurnDVmL5YkcDiQuGZjQROmHW13oGAhdMtCg1JKt9rsxVh7NePHkkMUaZuQ+3x 7xgqpx+XbPFVOnqfsfJILabSXdIS3tTYxTbBlMXg2kXsmz0q65Tb9inDpGCpiuW9rBOA Juqn1l71SGHu+kPJBNdwwLepXNtPpj5vm9dLUwrgPoIPsX2hXyA6Yapq+sfTi6ymKB8m 4iOR7ksG5eqhtOnDN+8mJ9E8thKXTvlCO8NX3DObdiB2T/PwZ4Lo4hEH8VGB8sZ2if2L vQArLCPobcNZObH5Bsw07kiEFiDnwQUQP44OWDg/dBeDyrwDyXTNfOPPUdXtkwdX4+jv oN1Q==
MIME-Version: 1.0
X-Received: by 10.140.51.170 with SMTP id u39mr5781391qga.69.1390425380737; Wed, 22 Jan 2014 13:16:20 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Wed, 22 Jan 2014 13:16:20 -0800 (PST)
In-Reply-To: <87ob3456s1.fsf@latte.josefsson.org>
References: <87ob3456s1.fsf@latte.josefsson.org>
Date: Wed, 22 Jan 2014 13:16:20 -0800
Message-ID: <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Simon Josefsson <simon@josefsson.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2014 21:16:23 -0000
On 1/22/14, Simon Josefsson <simon@josefsson.org> wrote: > All, > > I have updated the Curve25519 draft. I believe people are implementing > Curve25519 for TLS. My idea of adding the "additional" curves to the > same draft seems like a mistake, or at least the timing of doing it was > a mistake. Merging all curves into one draft makes it harder to > evaluate consensus and maturity around the Curve25519 part, which I > hope/believe we are approching. Thus, I have split the draft into two > drafts: > > 1) Curve25519 for TLS. This was the original scope of the draft. The > URL is: <http://tools.ietf.org/html/draft-josefsson-tls-curve25519>. As > far as I know, there are no outstanding issues, and it is possible to > implement and deploy Curve25519 in TLS following the draft. Please > prove me wrong with comments or preferrably patches to the draft. * The draft still specifies a big-endian point format. What is the technical benefit of requiring every TLS implementation which uses one of the existing efficient, secure implementations of Curve25519 Montgomery-form scalar multiplication to reverse the byte order of its input and output? (Note that people want to use Curve25519 in TLS because of those existing implementations, so deliberately breaking compatibility with them seems especially unwise.) * The draft should specify that implementations MUST discard (i.e. set to zero) the most significant bit of a received public key, for two reasons: (a) Existing Curve25519 scalarmult implementations differ in their handling of inputs with that bit set, and could be distinguished by an active attacker using that difference. (b) Future specifications may wish to include the sign bit of an Edwards-form x coordinate in a Curve25519 point format for use with other protocols (e.g. Schnorr signature, Ace) without breaking backwards compatibility with use in ECDH. * The draft does not specify the curve equation of Curve25519 or the basepoint for use in ECDH. * The ‘Security Considerations’ section suggests that Curve25519 can be implemented securely using bignum libraries which leak information about the numbers they operate on to a side-channel attacker, as long as the internal projective representation of each point is randomized. Has this proposed side-channel countermeasure been evaluated? If so, which types of information leakage does the countermeasure render harmless? * The draft claims that every curve listed in RFC 4492 whose name ends in “k1” is defined over a binary (characteristic 2) field. This is false: RFC4492 defines several GLV curves over prime fields (e.g. ‘secp256k1’), and their names also end in “k1”. Robert Ransom
- [TLS] Curve25519 in TLS and Additional Curves in … Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… James Cloos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Bill Frantz
- Re: [TLS] Curve25519 in TLS and Additional Curves… Kurt Roeckx
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Daniel Kahn Gillmor
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Yoav Nir
- Re: [TLS] Curve25519 in TLS and Additional Curves… Fabrice
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard