Re: [TLS] Thoughts on TLS 1.3 cryptography performance

Watson Ladd <watsonbladd@gmail.com> Thu, 13 March 2014 17:29 UTC

To: Nico Williams <nico@cryptonector.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/tkl2Yb_7nVP02niHSWpcIfN_cUs
Cc: "tls@ietf.org" <tls@ietf.org>

On Thu, Mar 13, 2014 at 9:52 AM, Nico Williams <nico@cryptonector.com> wrote:
> On Thu, Mar 13, 2014 at 11:48 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> On Thu, Mar 13, 2014 at 9:34 AM, Nico Williams <nico@cryptonector.com> wrote:
>>>
>>>  But I am concerned about the need for PFS on
>>> resumption in order to limit the extent of resumption ticket cache
>>> compromise; if you're going to lose the 0-RTT resumption for it, might
>>> as well pick the best "fast reauthentication" protocol possible, and
>>> that might be Watson's.
>>
>>
>> WRT this specific point, I wanted to observe that computational cost
>> (within reason) is less important than round trip delay, for a number of
>> reasons:
>
> My concern is in the sense of "this needs to be a security
> consideration, and Watson's protocol is worth considering at least as
> an option" (modulo IPR, if any).

Triple DH is unpatented AFAIK. MQV patent expires soon, but I don't
like it. With Triple DH we can use genus 2 for even more speed, and
when Kim Laine finishes his PhD, genus 3. Genus 3 is amazing because
the arithmetic is modulo a 64-bit prime. We can't do higher genus
stuff+MQV because of the lack of an addition formula on the compact
forms.

Sincerely,
Watson Ladd
>
> Nico

-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin