Re: [Cfrg] using hash2curve in a protocol

Mathy Vanhoef <vanhoefm@gmail.com> Sat, 10 August 2019 15:57 UTC

References: <8f8cb405-b534-c0ff-d351-3951fef62725@lounge.org> <CACsn0c=jOStaHXpREY9fJM3K88JAdQdY4UKdtzmEOoK65osCCw@mail.gmail.com>
In-Reply-To: <CACsn0c=jOStaHXpREY9fJM3K88JAdQdY4UKdtzmEOoK65osCCw@mail.gmail.com>
From: Mathy Vanhoef <vanhoefm@gmail.com>
Date: Sat, 10 Aug 2019 08:57:16 -0700
Message-ID: <CAFXAJYwem=yiMB0Jd+AKaLkQfGLqiVoNm9cqrD3wfrw3qkjeGw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: Dan Harkins <dharkins@lounge.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/23ZaFuNUmwpK_UMhQpKQv-8QDMg>

I echo the advice that using an existing PAKE is likely the most
secure option, since these are more well-studied.

Because similar changes are also being proposed in an update to the
Wi-Fi standard, one remark is that in the simplified_swu and
hash_to_ffc routines you can use PBKDF2 or similar instead of HKDF.
This will make possible brute-force attacks (e.g. due to
implementation issues or other side-channels) more costly. Since these
routines only have to be executed when configuring the password, and
not in every run of the handshake, the added overhead should be
manageable.

Best,
Mathy

On Thu, Jul 25, 2019 at 3:20 PM Watson Ladd <watsonbladd@gmail.com> wrote:
>
> On Wed, Jul 24, 2019 at 11:05 AM Dan Harkins <dharkins@lounge.org> wrote:
> >
> >
> >    Hello,
> >
> >    The hash-to-curve draft is still a work in progress but I want to
> > use it to fix a broken protocol. The protocol in question is EAP-pwd
> > defined in RFC 5931. It does a "hunting and pecking loop" method
> > of hashing to a curve that is similar to, but worse than, the technique
> > described in RFC 7664. (The method of obtaining a secret element in
> > a MODP group is similarly broken). It is susceptible to side channel
> > attack and I want to use the hash-to-curve draft to fix it.
>
> Why not use a PAKE that comes out of the competition? And are you sure
> the result of your chosen modification is actually secure?
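As an added illustration (not code from this thread, nor from the EAP-pwd or hash-to-curve drafts), the password-to-field-element step that feeds simplified_swu, with PBKDF2 in place of HKDF and run once at configuration time so the handshake only reads cached values. The P-256 prime and the 48-byte per-element expansion follow the draft's hash_to_field; the password, the identity-derived salt, the iteration count and the class name are constructed assumptions, and the SWU map itself is not included.

```python
import hashlib
import hmac
import time

# P-256 field prime; with a 128-bit security margin the draft's hash_to_field
# expands L = 48 bytes per field element before reducing modulo p.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
L = 48


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """Plain HKDF-Expand (RFC 5869) with SHA-256: one HMAC per 32 output bytes."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def password_to_field_elements(password: bytes, salt: bytes, count: int,
                               kdf: str, iterations: int = 100_000) -> list:
    """Derive `count` field elements u_i in GF(p) from a password.
    kdf="hkdf":   cheap, a handful of HMAC calls (the HKDF-based derivation).
    kdf="pbkdf2": PBKDF2-HMAC-SHA256 with `iterations` rounds, so every guess
                  an attacker tests costs that many HMAC evaluations."""
    need = count * L
    if kdf == "hkdf":
        prk = hmac.new(salt, password, hashlib.sha256).digest()  # HKDF-Extract
        okm = hkdf_expand_sha256(prk, b"hash_to_field", need)
    elif kdf == "pbkdf2":
        okm = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=need)
    else:
        raise ValueError("unknown kdf")
    # Reduce each 48-byte chunk modulo p; the 16 surplus bytes keep the bias negligible.
    return [int.from_bytes(okm[i * L:(i + 1) * L], "big") % P256_P for i in range(count)]


class PasswordElementStore:
    """Hypothetical store: runs the slow derivation once when the password is
    configured; per-handshake use is a lookup with no password-dependent work."""

    def __init__(self, password: bytes, salt: bytes, iterations: int = 100_000):
        t0 = time.perf_counter()
        self.u = password_to_field_elements(password, salt, 2, "pbkdf2", iterations)
        self.derive_seconds = time.perf_counter() - t0  # paid once, not per handshake

    def handshake_inputs(self) -> tuple:
        return tuple(self.u)  # these u values would be the simplified_swu inputs
```

In a real deployment the salt would be built from the peer identities as the protocol prescribes and the iteration count chosen so configuration stays tolerable while guessing becomes expensive.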