Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
Robert Ransom <rransom.8774@gmail.com> Sat, 11 January 2014 17:40 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FFBA1AE0D7 for <tls@ietfa.amsl.com>; Sat, 11 Jan 2014 09:40:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id syv6spcG2su9 for <tls@ietfa.amsl.com>; Sat, 11 Jan 2014 09:40:31 -0800 (PST)
Received: from mail-qe0-x229.google.com (mail-qe0-x229.google.com [IPv6:2607:f8b0:400d:c02::229]) by ietfa.amsl.com (Postfix) with ESMTP id 2FC3A1AE0B7 for <tls@ietf.org>; Sat, 11 Jan 2014 09:40:31 -0800 (PST)
Received: by mail-qe0-f41.google.com with SMTP id gh4so5828378qeb.14 for <tls@ietf.org>; Sat, 11 Jan 2014 09:40:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=k+QXYP60xlkin14cuKVZjQnj7LQ+fKJta4bF64oSo4c=; b=ER5hpDHKGf+FHkJ3t7I/qQ4NFOjLZvrF2cuUIekmeXdEjTr59ps+YT5XBZxkLGIG/e qQkIWF48lnDkv0J8/Mvp49TCYyV3Wls+rOt5Wu+GLKw+hjb6Lx8uBLh8UvUfgV3TM59s Y6sCkRRxxfZEwbNjAoQTzs+jOrFGXIm+9ZIQHc0v8WoZLg7Ql/90/aOt+eeATYWIGZZ6 pfPrRAW+BItSTpxK/lieAMv6+ghK33FnmciJkxmYagrGKBIegEJP9uZ8QovdIFRkt62p CsVErwmbdMeIenGqhOPan1jMQw79WxdAqBNVZlSdDL8PX83GGA/4NSA0ZnHXdLAU3fPS FTRA==
MIME-Version: 1.0
X-Received: by 10.229.195.195 with SMTP id ed3mr20840815qcb.3.1389462020677; Sat, 11 Jan 2014 09:40:20 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Sat, 11 Jan 2014 09:40:20 -0800 (PST)
In-Reply-To: <52D17F30.1090008@drh-consultancy.co.uk>
References: <87eh4e7a2y.fsf@latte.josefsson.org> <52D17F30.1090008@drh-consultancy.co.uk>
Date: Sat, 11 Jan 2014 09:40:20 -0800
Message-ID: <CABqy+spAeJE9UcJccQ96s3stRkUvU8sHTzXgWp9pg99mKLkXiA@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Dr Stephen Henson <lists@drh-consultancy.co.uk>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Simon Josefsson <simon@josefsson.org>, tls@ietf.org
Subject: Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jan 2014 17:40:32 -0000
On 1/11/14, Dr Stephen Henson <lists@drh-consultancy.co.uk> wrote: > On 11/01/2014 16:32, Simon Josefsson wrote: >> >> 2) Does description of private/public key representation and computation >> of shared secret belong in draft-josefsson-tls-curve25519? It has to >> be somewhere, I believ, but possibly this could go into >> draft-ladd-safecurves, or some other generic document, unless there >> are TLS-specific aspects. Insight into this would be appreciated. >> > > A comment on the following paragraph: > > This document only describes usage of additional curves for ephemeral > key exchange (ECDHE), not for use with long-term keys embedded in > PKIX certificates (ECDH_ECDSA and ECDH_ECDSA). This is because > Curve25519 is not directly suitable for authentication with ECDSA, > and thus not applicable for signing of e.g. PKIX certificates. See > draft-josefsson-eddsa-ed25519 for a parallel effort. > > Although the curves are not directly suitable for authentication this > doesn't > actually matter because the certificate doesn't have to be signed using the > same > curve or indeed the same algorithm. Montgomery and Edwards curves can easily be used for signature schemes (remember that “authentication” can refer to protocols other than signatures). The problem with using them in ECDSA is that ECDSA is specified in terms of curves in short-Weierstrass form, and having to map these curves to short-Weierstrass form would be ugly. Dr. Bernstein's EdDSA is even worse: it prohibits every curve that Dr. Bernstein himself has specified since Curve25519. It would be easy for a competent author to specify a signature scheme which doesn't constrain the point formats that it uses. Feng Hao's I-D specifying Schnorr proofs of knowledge could be used as a starting point for this. Robert Ransom
- [TLS] Additional Elliptic Curves (Curve25519 etc)… Simon Josefsson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Alyssa Rowan
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Alyssa Rowan
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Adam Langley
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Kurt Roeckx
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Adam Langley
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Matt Caswell
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Stephen Farrell
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Eric Rescorla
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Matt Caswell
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Eric Rescorla
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Matt Caswell
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Peter Gutmann
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Ilari Liusvaara
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Peter Gutmann
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Ilari Liusvaara
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Ilari Liusvaara
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Alex Elsayed
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Kurt Roeckx
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Robert Ransom
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Dr Stephen Henson
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Sean Turner
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Sean Turner
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Adam Langley
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Jim Schaad
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Adam Langley
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Manuel Pégourié-Gonnard
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Salz, Rich
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Yoav Nir
- Re: [TLS] Additional Elliptic Curves (Curve25519 … Watson Ladd