IETF Logo Mail Archive

Re: [TLS] Curve25519 in TLS and Additional Curves in TLS

Robert Ransom <rransom.8774@gmail.com> Wed, 22 January 2014 21:16 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D0B1A048F for <tls@ietfa.amsl.com>; Wed, 22 Jan 2014 13:16:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IaxAHy98qZby for <tls@ietfa.amsl.com>; Wed, 22 Jan 2014 13:16:21 -0800 (PST)
Received: from mail-qa0-x22d.google.com (mail-qa0-x22d.google.com [IPv6:2607:f8b0:400d:c00::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 8A3421A0480 for <tls@ietf.org>; Wed, 22 Jan 2014 13:16:21 -0800 (PST)
Received: by mail-qa0-f45.google.com with SMTP id ii20so1143766qab.4 for <tls@ietf.org>; Wed, 22 Jan 2014 13:16:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=bI5QAK64rBHwR6qm+RI4RW0LaXQhCcOUPT1aJmzf14s=; b=ZGV7aurnDVmL5YkcDiQuGZjQROmHW13oGAhdMtCg1JKt9rsxVh7NePHkkMUaZuQ+3x 7xgqpx+XbPFVOnqfsfJILabSXdIS3tTYxTbBlMXg2kXsmz0q65Tb9inDpGCpiuW9rBOA Juqn1l71SGHu+kPJBNdwwLepXNtPpj5vm9dLUwrgPoIPsX2hXyA6Yapq+sfTi6ymKB8m 4iOR7ksG5eqhtOnDN+8mJ9E8thKXTvlCO8NX3DObdiB2T/PwZ4Lo4hEH8VGB8sZ2if2L vQArLCPobcNZObH5Bsw07kiEFiDnwQUQP44OWDg/dBeDyrwDyXTNfOPPUdXtkwdX4+jv oN1Q==
MIME-Version: 1.0
X-Received: by 10.140.51.170 with SMTP id u39mr5781391qga.69.1390425380737; Wed, 22 Jan 2014 13:16:20 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Wed, 22 Jan 2014 13:16:20 -0800 (PST)
In-Reply-To: <87ob3456s1.fsf@latte.josefsson.org>
References: <87ob3456s1.fsf@latte.josefsson.org>
Date: Wed, 22 Jan 2014 13:16:20 -0800
Message-ID: <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Simon Josefsson <simon@josefsson.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2014 21:16:23 -0000

On 1/22/14, Simon Josefsson <simon@josefsson.org> wrote:
> All,
>
> I have updated the Curve25519 draft.  I believe people are implementing
> Curve25519 for TLS.  My idea of adding the "additional" curves to the
> same draft seems like a mistake, or at least the timing of doing it was
> a mistake.  Merging all curves into one draft makes it harder to
> evaluate consensus and maturity around the Curve25519 part, which I
> hope/believe we are approching.  Thus, I have split the draft into two
> drafts:
>
> 1) Curve25519 for TLS.  This was the original scope of the draft.  The
> URL is: <http://tools.ietf.org/html/draft-josefsson-tls-curve25519>.  As
> far as I know, there are no outstanding issues, and it is possible to
> implement and deploy Curve25519 in TLS following the draft.  Please
> prove me wrong with comments or preferrably patches to the draft.

* The draft still specifies a big-endian point format.  What is the
technical benefit of requiring every TLS implementation which uses one
of the existing efficient, secure implementations of Curve25519
Montgomery-form scalar multiplication to reverse the byte order of its
input and output?  (Note that people want to use Curve25519 in TLS
because of those existing implementations, so deliberately breaking
compatibility with them seems especially unwise.)

* The draft should specify that implementations MUST discard (i.e. set
to zero) the most significant bit of a received public key, for two
reasons: (a) Existing Curve25519 scalarmult implementations differ in
their handling of inputs with that bit set, and could be distinguished
by an active attacker using that difference. (b) Future specifications
may wish to include the sign bit of an Edwards-form x coordinate in a
Curve25519 point format for use with other protocols (e.g. Schnorr
signature, Ace) without breaking backwards compatibility with use in
ECDH.

* The draft does not specify the curve equation of Curve25519 or the
basepoint for use in ECDH.

* The ‘Security Considerations’ section suggests that Curve25519 can
be implemented securely using bignum libraries which leak information
about the numbers they operate on to a side-channel attacker, as long
as the internal projective representation of each point is randomized.
 Has this proposed side-channel countermeasure been evaluated?  If so,
which types of information leakage does the countermeasure render
harmless?

* The draft claims that every curve listed in RFC 4492 whose name ends
in “k1” is defined over a binary (characteristic 2) field.  This is
false: RFC4492 defines several GLV curves over prime fields (e.g.
‘secp256k1’), and their names also end in “k1”.


Robert Ransom

v2.23.0 | Report a Bug | By Email