[curves] Simple EC-based transport protocols (was Simple Peer-to-Peer Security (SPTPS))

Trevor Perrin trevp at trevp.net
Wed Apr 30 09:27:59 PDT 2014 

On 4/29/14, 9:46 PM, Tony Arcieri wrote:
> This is a minimalist transport encryption protocol with forward secrecy,
> based on Curve25519 and ChaCha20+Poly1305
> 
> http://tinc-vpn.org/git/browse?p=tinc;a=blob;f=doc/SPTPS;hb=refs/heads/1.1

Seems vulnerable to the usual "identity misbinding" aka "unknown key
share" issue where the attacker signs a victim's KEX to take credit for
data sent by the victim.

It also assumes "peers have each other's credentials beforehand", so
doesn't support Trust-On-First-Use or certificate trust models.

But the idea of a minimalist, EC-based transport protocol is a good one.
 CurveCP is one candidate [1].  I have a hobby project here ("Noise"
[2]).  These protocols use ECDH instead of signatures, which makes
implementation simpler and messages smaller.

---

For a minimalist protocol, you might also want a single ciphersuite (or
a single "mandatory-to-implement" ciphersuite).  Also, for a
mutually-authenticated ECDH protocol like CurveCP, Noise, or MQV, both
parties need keys on the same curve.  So choosing the "best" curve
becomes important here.

I think you could argue this in several directions:

 (1) Curve25519 should be chosen, since it's fast enough to work in a
wide range of use-cases.

 (2) An "extra-strength" curve should be chosen (eg Goldilocks or
Curve41417) to provide long-term security margin against EC
cryptanalysis, despite the speed hit (Goldilocks appears ~3.5x slower
than Curve25519 [3]).

 (3) Separate DH and signature curves should be chosen, with an
extra-strength DH for long-term confidentiality and Ed25519 signatures
for authentication.

 (4) A non-EC, post-quantum key agreement should be chosen to provide
long-term security margin again quantum cryptanalysis.

In Noise I voted (2) for a general-purpose protocol, since I like the
security and simplicity of building everything around a single
high-security ECDH.

But these are all reasonable, IMO, so I'm curious how other people lean.


Trevor


[1] http://curvecp.org/
[2] https://github.com/trevp/noise/wiki
[3] https://moderncrypto.org/mail-archive/curves/2014/000122.html

More information about the Curves mailing list