Re: [Cfrg] Security proofs v DH backdoors

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 25 October 2016 13:30 UTC

Date: Tue, 25 Oct 2016 16:30:17 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Dan Brown <danibrown@blackberry.com>
Message-ID: <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20161025131014.5709905.2866.6563@blackberry.com>
In-Reply-To: <20161025131014.5709905.2866.6563@blackberry.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3OFq1kyZ9UYATC-PC5gTXzqNzP0>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors

On Tue, Oct 25, 2016 at 01:10:16PM +0000, Dan Brown wrote:
> How do the 3 recent IACR eprints on FFDH backdoors‎ reconcile with
> past security proofs for TLS, SSH, etc?
> 
> Some guesses: (1) the attacks are outside the security definitions
> (=> attacks not so important?), (2) the proofs assume strong FFDH
> groups plus validation, etc.

I guess the proofs assume strong FFDH groups, such that dlog and
dh attacks are infeasible.

I think there was one TLS implementation that tries to verify the
groups sent (of course, not all can be verified, even if those
aren't maliciously constructed).

And the backdoor in one of the papers was about constructing a
prime such that one can use a faster special case for dlogs. That
can't be easily discovered, even if one somehow can obtain the
group order. So one can't validate against it.


-Ilari