Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
Robert Ransom <rransom.8774@gmail.com> Thu, 23 January 2014 19:45 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 397231A001D for <tls@ietfa.amsl.com>; Thu, 23 Jan 2014 11:45:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.45
X-Spam-Level:
X-Spam-Status: No, score=-1.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tNUc5JiRDhNp for <tls@ietfa.amsl.com>; Thu, 23 Jan 2014 11:45:38 -0800 (PST)
Received: from mail-qc0-x22d.google.com (mail-qc0-x22d.google.com [IPv6:2607:f8b0:400d:c01::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 610141A007C for <tls@ietf.org>; Thu, 23 Jan 2014 11:45:38 -0800 (PST)
Received: by mail-qc0-f173.google.com with SMTP id i8so3114300qcq.18 for <tls@ietf.org>; Thu, 23 Jan 2014 11:45:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=e/oK62t0XEms/KS+wBBk8HY8PX4sLn8S11jCl3rsiNI=; b=UuCAJoxqqXwTXB8lDopkeykCZhuUduVBo5Hc9Ll/BsZVEiR918HKcBhmMNJThcYg1R Sbxc0cmcfXtA/c7MgIeiCr1FMwMQogEy1yXUSz8o+jOhwOOkJQ4S9Wu4iBlnr1XfafdG +Dx6U+hDZiUKsaD0B/buEa89/zE5Jo3HcaRQV+aLo7LcSsYTUogs79jHHJpQR4HDiiww soEJ/rUxPg5S6jTxL0/EjT7XhpyQidCJeof/cAuwDiq+RzDK30v5kK6hwVsHezsCArAC LQwUvk3PR57f7dqr7I4/4+l2xEyGVQhzg8KM4m5C9kc/ShT2Q9OfMqUtgv0PODGopSl2 qspw==
MIME-Version: 1.0
X-Received: by 10.229.102.4 with SMTP id e4mr14620264qco.2.1390506337275; Thu, 23 Jan 2014 11:45:37 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Thu, 23 Jan 2014 11:45:37 -0800 (PST)
In-Reply-To: <52E0E241.40406@polarssl.org>
References: <87ob3456s1.fsf@latte.josefsson.org> <CABqy+spt7BYqjsqLAkZssGp3aY9M+iLqV+pmyr7ZN-TXmJJpVg@mail.gmail.com> <52E060D0.9030801@polarssl.org> <CABqy+spJoswrPovxf18QS1SGdk6K=mfny6joJm3X24Vh65oagQ@mail.gmail.com> <52E0E241.40406@polarssl.org>
Date: Thu, 23 Jan 2014 11:45:37 -0800
Message-ID: <CABqy+sqs31ATDWJSum55m1o5pRvw8Wq5GtB-mF-hgP2emB5eFQ@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Curve25519 in TLS and Additional Curves in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2014 19:45:40 -0000
On 1/23/14, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote: > On 23/01/2014 02:17, Robert Ransom wrote: >> On 1/22/14, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote: >>> On 22/01/2014 22:16, Robert Ransom wrote: >> >>>> * The draft should specify that implementations MUST discard (i.e. set >>>> to zero) the most significant bit of a received public key, for two >>>> reasons: (a) Existing Curve25519 scalarmult implementations differ in >>>> their handling of inputs with that bit set, and could be distinguished >>>> by an active attacker using that difference. >>> >>> I wasn't aware that some implementations ignored the most significant >>> bit. >>> Out >>> of curiosity, could you cite examples? >> >> curve25519-donna and -donna-c64 ignore the MSB. >> [...] >> The ‘ref’ implementation in NaCl does not ignore the MSB. >> [...] > > Ok, thanks for the information. Samuel Neves reports that Dr. Bernstein's original Curve25519 implementation for IA-32 does ignore the high bit. So, the only implementation I know of that does not ignore the MSB is a horribly slow one that should never be used in production -- I would not be surprised if it's slower than a typical implementation of the BND curves. >> Fingerprinting of implementations wasn't one of the security concerns >> that Dr. Bernstein had in mind at the time, and it still isn't widely >> considered to be a security risk. It's certainly minor compared to >> the numerous ways that NSA-curve ECDH implementations can leak their >> keys. >> >> But the bigger reason to mask off the high bit is extensibility. >> > I fully agree it's the bigger reason. As discussed below, there is probably > some > other ways to achieve extensibility, so if extensibility wasn't a concern, > would > you think that avoiding implementation fingerprinting is more valuable than > being able to accept any string as a public key without no validation or > masking? I still think that avoiding implementation fingerprinting would justify “implementations SHOULD mask off the high bit”. Remember that what Dr. Bernstein refers to as ‘public key validation’ in the Curve25519 paper is considerably more expensive than one bitwise AND: * With typical (non-twist-secure) curves in x-coordinate-only form, the recipient must compute the Legendre/Jacobi symbol of x^3 + c*x^2 + a*x + b in order to avoid operating on the twist. With Curve25519, the twist is as secure as the curve which contains the basepoint, so operating on the twist does not expose the secret key to any useful attacks. * The standard advice for handling curves with cofactor >1 is to check that it is a member of the prime-order subgroup before using it; this effectively performs the scalar multiplication operation twice. Curve25519 avoids this by (a) masking secret keys to be divisible by the cofactor, so the output will be in a subgroup of large-prime order regardless of the input; and (b) ignoring the widespread recommendation to reject ECDH keys which have small order. >> * If you do not add a leading point-format byte, there is no reason to >> specify the meaning of the high bit in this document. If you do add a >> leading byte, you will have to choose in this document whether the >> sign bit is for the Edwards-form x coordinate or the Montgomery-form y >> coordinate. >> > Or we could add a leading byte now and say that the meaning of the msb is > not > defined yet an reserved for future use (which is what you suggest anyway, > IIUC). > Then a future document could update the meaning of this leading byte. I think that's easiest (provided that current implementations also accept 64-byte points and discard the second half; see below). >> * Some future applications may wish to transmit an uncompressed >> Edwards-form x coordinate or Montgomery-form y coordinate, not just >> the sign bit. If you add a leading byte, you'll have to choose which >> coordinate to use now. Alternatively, you could specify that >> implementations of this document accept 64-byte points and ignore the >> second half of the point structure. (Note that this means >> implementations of this protocol MUST ignore the second half, even if >> they know how to use it in some other protocol, or they will be >> distinguishable from other ECDH implementations. I don't think that >> restriction will ever be a problem for ECDH implementations.) >> > I'm afraid I didn't get your point. Why would we have to choose which > coordinate > to use now? If we add a leading byte meaning "the 32 bytes of the x > coordinate > (Montgomery form) follow"[1], and if people later want to be able to > transmit > two full coordinates, then they will pick a new leading byte and they will > have > to choose which coordinates to use with it, not us. > > [1] With some clarification about the msb as discussed above. If a future protocol wants to be compatible with implementations of this protocol, this protocol must specify some form of extension hook. If you choose a leading byte as the only extension hook, you must reserve a few alternate leading bytes now, along with enough information about the formats they will eventually describe that current implementations will be able to dig a Montgomery-form x coordinate out of the ECPoint blob. If you add a leading byte as an extension hook *and* specify an ECPointFormat value for the current ‘Montgomery-form x’ point format, current implementations can refuse to receive point formats which they won't understand. (This has the slight theoretical disadvantage that if a future protocol specifies time-based authentication of servers' ECDH public keys (to avoid the overhead of one signing for each client connection), implementations of that future protocol may have to sign more than one type of Curve25519 key per time period. I don't think this will be a real problem.) If you don't add a leading byte, I think the ECPoint length byte can still be used as an adequate extension mechanism for future non-ECDH protocols. >> * Some future (non-ECDH) applications may wish to transmit an >> Edwards-form y coordinate instead of a Montgomery-form x coordinate >> (e.g. so that they can distinguish the point of order 2 from the >> identity). If you do not add a leading point-format byte now, those >> applications will have to use a different NamedCurve in order to >> indicate that they are incompatible with the point formats used for >> ECDH. (I'm not sure that this is a problem, or that any such >> applications will ever exist.) >> > My humble opinion is that those applications should use a different > NamedCurve > indeed. OK. (Like I said, I'm not sure that anyone will ever want to do that.) >> I'm currently leaning towards ‘just reserve the high bit and tell >> implementations to accept and ignore the second half of a 64-byte >> point structure’, but there may be good enough arguments for using a >> magic byte to justify the minor downsides. >> > Transmitting 64 bytes when 33 (32 + leading byte allowing future extensions) > are > enough will probably be seen as a waste by many people. I agree, but future implementations should be allowed to send an uncompressed second coordinate without breaking compatibility with implementations of this protocol. What I'm suggesting is that (a) current implementations send 32-byte points; (b) current implementations accept both 32-byte and 64-byte point objects, and ignore the second half of a 64-byte point. Robert Ransom
- [TLS] Curve25519 in TLS and Additional Curves in … Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Rob Stradling
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andy Lutomirski
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… James Cloos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Robert Ransom
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Bill Frantz
- Re: [TLS] Curve25519 in TLS and Additional Curves… Kurt Roeckx
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard
- Re: [TLS] Curve25519 in TLS and Additional Curves… Simon Josefsson
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Daniel Kahn Gillmor
- Re: [TLS] Curve25519 in TLS and Additional Curves… Salz, Rich
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Andrey Jivsov
- Re: [TLS] Curve25519 in TLS and Additional Curves… Yoav Nir
- Re: [TLS] Curve25519 in TLS and Additional Curves… Fabrice
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Watson Ladd
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Nikos Mavrogiannopoulos
- Re: [TLS] Curve25519 in TLS and Additional Curves… Alyssa Rowan
- Re: [TLS] Curve25519 in TLS and Additional Curves… Manuel Pégourié-Gonnard