Re: [TLS] OPTLS: Signature-less TLS 1.3

Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 04 November 2014 08:47 UTC

MIME-Version: 1.0
Sender: hugokraw@gmail.com
In-Reply-To: <CAK3OfOgW5VNFoUy9h=ZSEQ6hDtYeVu5+UjEOiCbaOd54X+p69A@mail.gmail.com>
References: <CADi0yUObKsTvF6bP=SxAwYA05odyWdzR1-sWutrDLUeu+VJ1KQ@mail.gmail.com> <CABcZeBNQBC1XXFR5sGo=V8WmxmL5thaBpeHSasy3SordbqNRTQ@mail.gmail.com> <CABcZeBMEmoR18O0-NjuEeoPGTTVuOrwa_WM8YBiS=yd5-NWMbA@mail.gmail.com> <CACsn0cmmtUY17gMk537p8EiXuR3sNMb+rHY2b2nfK3S7-TE+1Q@mail.gmail.com> <CADi0yUNCGAVvqFF9t1X+gRf36iHsxZOFOVacA=PfrV9-JcArqQ@mail.gmail.com> <CAK3OfOgW5VNFoUy9h=ZSEQ6hDtYeVu5+UjEOiCbaOd54X+p69A@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 04 Nov 2014 10:47:06 +0200
Message-ID: <CADi0yUNd1fv8A=pcfUE8XTsmMGKTWLHLwGYTGoCgbEde3peRdw@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary="001a11c34ee0d9e66205070483de"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/uHBWgNzuHIZL3aAGvl2CaAWPKeg
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] OPTLS: Signature-less TLS 1.3
Precedence: list

On Mon, Nov 3, 2014 at 6:47 PM, Nico Williams <nico@cryptonector.com> wrote:

> On Sun, Nov 2, 2014 at 4:24 PM, Hugo Krawczyk <hugo@ee.technion.ac.il>
> wrote:
> > Don't forget that 0-RTT cannot be supported with a signature-based
> protocol
> > so in that sense going to static DH is a win-win.
>
> That was DJB's point a while back, and, really, this goes back to the
> old AUTH_DH concept back in 1986.  It goes back further, actually,
> IIUC, all the way back to DH's invention.
>
> If you know the peer's public DH key a priori (from DNSSEC, from
> /etc/publickey [who remembers that?]) then you can send one security
> context establishment message and immediately start sending encrypted
> and authenticated data.  You need a response message to get key
> confirmation, and you can't get PFS until after consuming that
> message.
>
> (The GSS-API deals with this, incidentally.  A security context can be
> partially established but ready to encrypt application data with
> security caveats.  This is called "prot_ready".)
>
> A proper static-static DH + PFS exchange would take the usual 1.5
> round trips, but would be "prot_ready" in 0 round trips.
>
> There's a lot to be said for this.  But note that RSA key transport
> also lends itself to being prot_ready in 0 rt, so we still need to
> quantify the total cost of static-static DH + PFS, and RSA key
> transport + PFS for a proper comparison.
>

The costs for the 0-RTT option in addition to the cost of an ephemeral DH
are as
follows.
DH+PFS: a single variable-base exponentiation for client and server.
RSA+PFS: for server an RSA decryption, for client an RSA encryption.
So the computational advantage of DH+PFS is very significant for the server.
For client RSA-PFS has some advantage as RSA encryption is faster than a DH
exponentiation but the difference is less dramatic than for the server, in
particular considering that the client is already doing two DH
exponentiations.
In addition, RSA encryption requires added protocol operations (and
implementation care) to prevent Bleichenbacher attack (e.g., you'll need to
dummy-decrypt ClientData even if the received ciphertext is illegal).
And aren't we in the process of phasing out RSA wherever possible?

Hugo

> Nico
> --
>

Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Rene Struik
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
[TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nikos Mavrogiannopoulos
Re: [TLS] OPTLS: Signature-less TLS 1.3 Ilari Liusvaara
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Manuel Pégourié-Gonnard
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hanno Böck
Re: [TLS] OPTLS: Signature-less TLS 1.3 Peter Gutmann
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Andy Lutomirski
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Martin Thomson
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Eric Rescorla
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Daniel Kahn Gillmor
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Yoav Nir
Re: [TLS] OPTLS: Signature-less TLS 1.3 Nico Williams
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
Re: [TLS] OPTLS: Signature-less TLS 1.3 Blumenthal, Uri - 0558 - MITLL
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk
Re: [TLS] OPTLS: Signature-less TLS 1.3 Watson Ladd
Re: [TLS] OPTLS: Signature-less TLS 1.3 Salz, Rich
Re: [TLS] OPTLS: Signature-less TLS 1.3 Dan Brown
Re: [TLS] OPTLS: Signature-less TLS 1.3 Hugo Krawczyk