Re: [Cfrg] Security proofs v DH backdoors

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 25 October 2016 13:30 UTC

Date: Tue, 25 Oct 2016 16:30:17 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Dan Brown <danibrown@blackberry.com>
Message-ID: <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20161025131014.5709905.2866.6563@blackberry.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20161025131014.5709905.2866.6563@blackberry.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3OFq1kyZ9UYATC-PC5gTXzqNzP0>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
Precedence: list

On Tue, Oct 25, 2016 at 01:10:16PM +0000, Dan Brown wrote:
> How do the 3 recent IACR eprints on FFDH backdoors‎ reconcile with
> past security proofs for TLS, SSH, etc?
> 
> Some guesses: (1) the attacks are outside the security definitions
> (=> attacks not so important?), (2) the proofs assume strong FFDH
> groups plus validation, etc.

I guess the proofs assume strong FFDH groups, such that dlog and
dh attacks are infeasible.

I think there was one TLS implementation that tries to verify the
groups sent (of course, not all can be verified, even if those
aren't maliscously constructed).

And the backdoors in one of the papers was about constructing
prime such that one can use faster special case for dlogs. That
can't be easily discovered, even if one somehow can obtain the
group order. So one can't validate against it.

-Ilari

[Cfrg] Security proofs v DH backdoors Dan Brown
Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Mark D. Baushke
Re: [Cfrg] Security proofs v DH backdoors Dan Brown
Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
Re: [Cfrg] Security proofs v DH backdoors Daniel Bleichenbacher
Re: [Cfrg] Security proofs v DH backdoors John Mattsson
Re: [Cfrg] Security proofs v DH backdoors Dan Brown
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
Re: [Cfrg] Security proofs v DH backdoors Michael Scott
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
Re: [Cfrg] Security proofs v DH backdoors Ilari Liusvaara
Re: [Cfrg] Security proofs v DH backdoors Salz, Rich
Re: [Cfrg] Security proofs v DH backdoors Michael Scott
Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
Re: [Cfrg] Security proofs v DH backdoors David Adrian
Re: [Cfrg] Security proofs v DH backdoors Watson Ladd
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Antonio Sanso
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Hanno Böck
Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Tony Arcieri
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Watson Ladd
Re: [Cfrg] Security proofs v DH backdoors Peter Gutmann
Re: [Cfrg] Security proofs v DH backdoors Paterson, Kenny
Re: [Cfrg] Security proofs v DH backdoors Paterson, Kenny