IETF Logo Mail Archive

[TLS] Why Edwards? (was Re: TLS process thread)

Watson Ladd <watsonbladd@gmail.com> Mon, 14 April 2014 14:32 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A627F1A047E for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 07:32:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yDz1MJ0Hy3Hx for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 07:32:49 -0700 (PDT)
Received: from mail-yh0-x22b.google.com (mail-yh0-x22b.google.com [IPv6:2607:f8b0:4002:c01::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 6319D1A0476 for <tls@ietf.org>; Mon, 14 Apr 2014 07:32:49 -0700 (PDT)
Received: by mail-yh0-f43.google.com with SMTP id b6so8107571yha.30 for <tls@ietf.org>; Mon, 14 Apr 2014 07:32:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=nJvfcU7U6cAF1VnP+1DBYYGEGd3LnOnw3DOV9vQXymw=; b=u5pGlYDimgS3CtPgICRws5lMSja1MIQO85sAOPenDN8KzAwu1s78LNY6uwHhz0yRXV njHRgsLcfbazbGNEgS6m027zd8vCdi8iFfwoUowGwaDTHL1EmGfTcnAOb3mBszlUCNVm /ucytYa0yo8/6ue6sCMJAexuXosT+po9HHil7v5M3IWKE+Q1qEwPYAi79NUsAnY8sulE FFBxZYiKNExe8r3CPT4F0lhTxCQBe3m7uaG+Nvgi1ho7r9yzf0HBrY91yXo4aqkwW7+M wxeZDFqXQ5k8crmpLJhR6CCjbxLANf9sQk4HVu2qMtXxFdOBaHvGpmoKUv1Qv76Bk3uB eSXA==
MIME-Version: 1.0
X-Received: by 10.236.134.71 with SMTP id r47mr13479648yhi.83.1397485966692; Mon, 14 Apr 2014 07:32:46 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Mon, 14 Apr 2014 07:32:46 -0700 (PDT)
Date: Mon, 14 Apr 2014 07:32:46 -0700
Message-ID: <CACsn0cn1EBhtvtq4X3J0h1TUq5nGvRyP818oY4rhqfqJA4aELg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/yEwpybx0IVRy7ei4euSCfBmpWWY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] Why Edwards? (was Re: TLS process thread)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 14:32:54 -0000

On Sun, Apr 13, 2014 at 11:24 PM, Dan Harkins <dharkins@lounge.org> wrote:
>
> On Sun, April 13, 2014 10:44 pm, Watson Ladd wrote:
>> That's going to be a pretty big change from RFC 5246. Trying to keep
>> the textual changes minimal probably a lost cause at this point, and
>> will hurt, rather than help clarity. This is before we try to reduce
>> round-trips, eliminate unused ciphersuites, introduce the Edwards
>> curves (necessary for security because people do not write perfect
>> code, even when they should), and ensure that what we write matches
>> what we prove (because as I'm sure you know from my opposition to
>> Dragonfly, I do not support mechanisms that are not shown to be secure
>> from well picked assumptions)
>
>   Really? And Edwards curves will necessarily result in perfect code?
> Certainly not as a result of draft-ladd-safecurves! So what assures
> perfection in Edwards curves implementations then?

Nothing: you can always do something stupid that leaks information.
But on a Weierstrass curve, to add two points you have to
0: Be assured they are on the curve
1: Check that both are not the identity
2: Check they are not the same (and if so double them instead)
3: Check they are not inverses of each other
4: Add them

Doing this without branching is hard. Furthermore, to avoid leaking
information about the top bit of your exponent, you need to either
massage the exponent representation or do dummy calculations, along
with tracking when to start doing the real calculations.

I've written constant time P256 code. It wasn't easy, and there is one
particular exponent that will not get handled correctly (namely the
group order, which is fine because I'm doing ECDH with random secret
keys, and signature verification runs in not constant time). RFC 6090
gets this completely wrong.

By contrast on Edwards curves, there are no cases to consider: there
is only a formula that holds true for all cases. There can be no curve
checks: via compression we ensure that all considered points are on
the curve. There are no side channels at this level if you use a
masked table load, as there are no branches. It's significantly easier
to write the code and reason about it: naive double and add will work.

The same holds true for Montgomery curves, which is why the Curve25519
has attracted a lot of interest.

Of course, you could always suggest text to be added to
draft-ladd-safecurves or write one yourself on implementation of these
curves if you are dissatisfied with it. You could always write your
own draft if you had an alternative approach to presenting them.

Sincerely,
Watson Ladd

>
>   Dan.
>
>
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email