Re: [TLS] Point validation in 1.3

Yoav Nir <> Tue, 15 November 2016 08:02 UTC

From: Yoav Nir <>
Date: Tue, 15 Nov 2016 17:02:24 +0900
To: Watson Ladd <>
Subject: Re: [TLS] Point validation in 1.3

I think the performance enhancement (in terms of handshakes per second) that you get by reusing ephemeral keys is so great that we have to assume people will do it. You don’t have to keep the keys indefinitely. It’s fine to generate a new key every second or ten seconds or so.

Which makes running the point validation all the more important.


> On 15 Nov 2016, at 16:16, Watson Ladd <> wrote:
> Hello,
> There has been a lot of chatter on GitHub about point validation. I think it's important to note that in TLS 1.3 the Triple Handshake variants enabled by small subgroup attacks are no longer a threat: the issue is reuse of ephemeral Diffie-Hellman exponents, resulting in compromise of what is effectively a long-term key.
> I would want a belt and suspenders approach: no use of ephemeral exponents, and validation that points are on the curve. Order validation is unnecessary as the cofactor is small: in cases where it is not the curve probably shouldn't be used without a good reason, and I can't think of any.
> I know one implementation does keep ephemeral exponents indefinitely. This implementation also validates orders, which equals the expense of not regenerating ephemeral exponents. 
> Sincerely,
> Watson