Much of the world seems to have switched to Schnorr-signature inspired ECC signature schemes such as ECDSA-P256 and Ed25519. These schemes are very fast, but require two point multiplications to do a Schnorr-style verification. A simpler proof-of-possession can be verified with only one point multiplication.
The server authentication scheme used in QUIC is for the server to prove possession of the static key when it encrypts the new ephemeral key share. The trick is to take advantage of the key shares that have already been computed. The client has already computed its ephemeral keyshare, and the server just uses its static keyshare from the server config. The CertificateVerify message could be generated by the server computing the ECDHE shared secret between its static secret and the client's ephemeral keyshare, and then encrypting the client random as its proof. The client verifies the proof by decrypting the nonce.

As with Schnorr signatures, creating the proof takes only one multiply: in this case the server multiplies the client's keyshare by its static keyshare secret. Instead of having to do two scalar point multiplications, the client only has to multiply the server's static keyshare by its ephemeral keyshare secret. The proof is also smaller: 32 bytes vs 72 for ECDSA-P256.

This proof-of-possession is not a digital signature, since it can only be used to prove to the client that the server possesses the static private key. However, I don't see any reason to create a full digital signature. Is there any?

I just don't like seeing something as fast as QUIC degraded when we switch to TLS 1.3. I guesstimate this will cost every connection ~1/8th of a millisecond when using ECDSA-P256. Running "openssl speed ecdsap256", I get:

    Doing 256 bit sign ecdsa's for 10s: 90092 256 bit ECDSA signs in 9.99s
    Doing 256 bit verify ecdsa's for 10s: 37154 256 bit ECDSA verify in 9.99s

This is about 0.27ms per verification, and on most client machines, this will probably be slower. I think we can nearly double this speed. In TLS, microseconds count. This seems like low hanging fruit to me.

Thanks,
Bill
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
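The static-ephemeral proof-of-possession described in the message above, worked through on both sides as an added example (this is not code from the post or from any QUIC or TLS implementation). It assumes X25519 as the group, since the post does not fix a curve; SHA-256 over the shared secret and both public shares as the key derivation; and XOR with the derived key as the "encryption" of the 32-byte client random, standing in for whatever cipher a real handshake would use. The function names (server_prove, client_verify, run_handshake) are this example's own. The server does one scalar multiplication (its static secret times the client's ephemeral share), the client does one (its ephemeral secret times the server's static share), and the proof is 32 bytes. The example also shows the two checks a practitioner would add: rejecting an all-zero shared secret (a low-order peer share, per RFC 7748) and binding the derived key to both public shares so a proof belongs to one handshake.

```python
"""Proof-of-possession via static-ephemeral ECDH. Added illustration, not the
post's own code. Assumes X25519, SHA-256 as KDF, and XOR with a derived key
as the "encryption" of the client random. Pure Python, standard library only."""
import hashlib
import hmac
import secrets

P = 2**255 - 19                       # Curve25519 field prime
A24 = 121665                          # (486662 - 2) / 4
BASEPOINT = bytes([9]) + bytes(31)    # u = 9, little-endian


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """One scalar-point multiplication: the RFC 7748 Montgomery ladder."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen() -> tuple:
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASEPOINT)


def _proof_key(shared: bytes, client_share: bytes, server_static_share: bytes) -> bytes:
    # Bind the key to both public shares so the proof is specific to this handshake.
    return hashlib.sha256(b"pop-demo|" + shared + client_share + server_static_share).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_prove(static_sk: bytes, static_pk: bytes, client_eph_pk: bytes, client_random: bytes) -> bytes:
    """Server: ECDH(static secret, client ephemeral share), then encrypt the client random."""
    shared = x25519(static_sk, client_eph_pk)
    if shared == bytes(32):
        raise ValueError("client share is a low-order point")   # RFC 7748 all-zero check
    return _xor(client_random, _proof_key(shared, client_eph_pk, static_pk))  # 32-byte proof


def client_verify(eph_sk: bytes, eph_pk: bytes, server_static_pk: bytes,
                  client_random: bytes, proof: bytes) -> bool:
    """Client: ECDH(ephemeral secret, server static share), decrypt, compare to own random."""
    if len(proof) != 32:
        return False
    shared = x25519(eph_sk, server_static_pk)
    if shared == bytes(32):
        return False
    recovered = _xor(proof, _proof_key(shared, eph_pk, server_static_pk))
    return hmac.compare_digest(recovered, client_random)


def run_handshake() -> tuple:
    """Returns (honest server verifies, party without the static secret verifies)."""
    static_sk, static_pk = keygen()            # server config's static key share
    eph_sk, eph_pk = keygen()                  # client's ephemeral key share
    client_random = secrets.token_bytes(32)    # constructed sample nonce
    proof = server_prove(static_sk, static_pk, eph_pk, client_random)
    honest = client_verify(eph_sk, eph_pk, static_pk, client_random, proof)
    other_sk, _ = keygen()                     # knows static_pk but not static_sk
    forged = server_prove(other_sk, static_pk, eph_pk, client_random)
    impostor = client_verify(eph_sk, eph_pk, static_pk, client_random, forged)
    return honest, impostor


if __name__ == "__main__":
    print(run_handshake())   # (True, False)
```

Two properties worth noting in the design. First, the client's verification is a comparison against a value only it knows, so the result convinces nobody else: the proof is not a signature and cannot be shown to a third party, which is exactly the limitation the post acknowledges. Second, because the server's long-term secret goes into an ECDH with a peer-chosen point, the server must reject invalid or low-order client shares before using the result; the all-zero check above is the X25519 form of that, and a prime-order curve such as P-256 would need a full point-validation step instead.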