Re: [Cfrg] On the use of Montgomery form curves for key agreement

"Jim Schaad" <ietf@augustcellars.com> Wed, 03 September 2014 23:23 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B5161A06B8 for <cfrg@ietfa.amsl.com>; Wed, 3 Sep 2014 16:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nzeFl-Wf36Uc for <cfrg@ietfa.amsl.com>; Wed, 3 Sep 2014 16:23:01 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36F331A6F4D for <cfrg@irtf.org>; Wed, 3 Sep 2014 16:23:01 -0700 (PDT)
Received: from Philemon (71-95-113-152.dhcp.mdfd.or.charter.com [71.95.113.152]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 30D6A2CA36; Wed, 3 Sep 2014 16:23:00 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Paterson, Kenny'" <Kenny.Paterson@rhul.ac.uk>, "'Tanja Lange'" <tanja@hyperelliptic.org>, "'Brian LaMacchia'" <bal@microsoft.com>
References: <e16ac4926a934565a65456058e50b68e@BL2PR03MB242.namprd03.prod.outlook.com> <20140902165340.17284.qmail@cr.yp.to> <d4322ec172d74aab83a1d17cf4dcf786@BL2PR03MB242.namprd03.prod.outlook.com> <20140903052704.GM8540@cph.win.tue.nl> <D02D245C.2C3CE%kenny.paterson@rhul.ac.uk>
In-Reply-To: <D02D245C.2C3CE%kenny.paterson@rhul.ac.uk>
Date: Wed, 3 Sep 2014 16:20:33 -0700
Message-ID: <041501cfc7cd$acefbf10$06cf3d30$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-us
Thread-Index: AQG+mca7qKXwOMveQunQ/NPG1Q02DAHuAUSVAmcj9VoCDu1vXQIRIdM7m8691fA=
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/4-cTR1ikA9PZUymZNDpO117CFIo
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 23:23:03 -0000


-----Original Message-----
From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Paterson, Kenny
Sent: Wednesday, September 03, 2014 12:13 PM
To: Tanja Lange; Brian LaMacchia
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement

Hi,

On 03/09/2014 06:27, "Tanja Lange" <tanja@hyperelliptic.org>; wrote:

>Dear Brian,
>> Regarding the specific issue you raised concerning Microsoft¹s TLS 
>>implementation, as you will recall Tanja first mentioned this issue to 
>>me during dinner i
>>
>I actually made this statement in public in the Q&A after my talk when 
>David McGrew asked about the ephemeral key case.

This is indeed true as the minutes should show. But it was a topic of some
passionate discussion at the dinner later, IIRC.

>> As for your suggestion regarding a blanket prohibition on reuse of 
>>any ephemeral cryptographic keys across all IETF protocols, given the 
>>current environment that does indeed seem like a good idea to me.  I 
>>guess what we¹d really want to do is have CFRG issue a BCP on this 
>>point, if that¹s something the IRTF is allowed to do (I don¹t know the 
>>answer to that process question).  Perhaps CFRG can take that issue up 
>>once the curve selection process has concluded.
>>
>What exactly do you think the security implications of key reuse are?
> 
>Defining ephemeral in a time-based manner ist quite normal; the 
>important thing to guarantee PFS is to delete the key afterwards, not 
>whether it is used for 1 connection or 10 seconds (with potentially 0
connections).

For what it's worth, ephemeral reuse invalidates all the formal security
analyses (in the provable security tradition) for key exchange protocols
that I know of. It certainly invalidates those proofs that I understand for
the TLS Handshake. Would be interesting if the miTLS guys could say what it
means for their TLS proofs from Crypto'14.

[JLS] I would hope that it does not invalidate all of the proofs or the
static-ephemeral and static-static key exchange protocols that are used by
S/MIME and other off-line protocols have a real problem.

Jim


My feeling is that this can be got around in the random oracle model for
protocols that hash the DH shared value and various other components by
using a suitable gap assumption or strong DH assumption. However, some care
would be needed in the analysis. Coming up with a standard model proof for
some specific protocol seems much harder because of the obvious
"correlation" between shared DH values that different parties would end up
with. Hashing with a random oracle of course destroys such relations.

There's probably a nice research paper in this for someone - if it's not
already been done (indeed writing such a paper has been on my to do list for
some time - since long before this thread got started).

Cheers

Kenny 

>
>All the best
>	Tanja
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg