Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 16 March 2015 13:56 UTC

Date: Mon, 16 Mar 2015 13:56:20 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: cfrg@irtf.org
Message-ID: <20150316135620.GC27479@mournblade.imrryr.org>
References: <5501E6A5.5040608@brainhub.org> <A6F30412-8E0A-4D8D-9F26-580307B46874@shiftleft.org> <20150316002255.28855.qmail@cr.yp.to> <20150316044906.GA27479@mournblade.imrryr.org> <5506D5BB.3090700@gmail.com>
In-Reply-To: <5506D5BB.3090700@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/5rIonQ4G-04RWwEVjqKyiKE5wgQ>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

On Mon, Mar 16, 2015 at 09:08:11AM -0400, Rene Struik wrote:

> You are correct: I have no idea where Dan Bernstein got that from. I *did*
> comment on the DH function, which, with Montgomery-style specification as
> in the "Curve25519" draft, is completely insecure, if one does not check
> the output to be nonzero. This is a form of the small subgroup attack and
> has been known for over 15 years.

But in this case the "attack" does not leak any secret key bits
from either party.  So depending on the higher level protocol there
may not be any issues, provided such an agreement between M and B
does not enable M to impersonate B in a communication between A
and B.

I gather then that this is the issue, and that such higher level
protocols should reject the zero public key (or avoid the problem
by ensuring that predictable ECDH output cannot lead to MiTM issues
on other traffic).

-- 
	Viktor.
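The check the two posts above are discussing, as an added example that is not part of this thread and not any library's code: a pure-Python X25519 following the Montgomery ladder from RFC 7748, a DH wrapper that refuses an all-zero shared secret, and a demonstration that feeding a low-order u-coordinate (0 or 1, constructed here as the "malicious peer key") makes the unchecked function return zero regardless of the private key. The key pair and shared secret used for the self-check are the RFC 7748 section 6.1 vectors; the code is not constant-time and is meant for study, not deployment.

```python
# Added example, not code from the mailing-list thread or from any library.
# Implements X25519 (RFC 7748, section 5) in plain Python, then shows why a
# higher-level protocol must reject an all-zero DH output.

P = 2**255 - 19
A24 = 121665                        # (486662 - 2) / 4 for Curve25519
BASEPOINT = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vectors (Alice / Bob key pair and shared secret)
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB  = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV   = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB    = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED     = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

# Constructed low-order peer inputs: u = 0 has order 2, u = 1 has order 4.
LOW_ORDER_U = [bytes(32), (1).to_bytes(32, "little")]


def _decode_scalar(k_bytes: bytes) -> int:
    """Clamp the private scalar as RFC 7748 prescribes (multiple of 8, bit 254 set)."""
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u_bytes: bytes) -> int:
    """Decode a little-endian u-coordinate, masking the unused top bit."""
    u = bytearray(u_bytes)
    u[31] &= 0x7F
    return int.from_bytes(u, "little")


def _cswap(swap: int, a: int, b: int):
    # The RFC requires a constant-time swap; a plain select is enough for study code.
    return (b, a) if swap else (a, b)


def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder exactly as laid out in RFC 7748 section 5. No output check."""
    k = _decode_scalar(k_bytes)
    x_1 = _decode_u(u_bytes)
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        A = (x_2 + z_2) % P
        AA = A * A % P
        B = (x_2 - z_2) % P
        BB = B * B % P
        E = (AA - BB) % P
        C = (x_3 + z_3) % P
        D = (x_3 - z_3) % P
        DA = D * A % P
        CB = C * B % P
        x_3 = (DA + CB) ** 2 % P
        z_3 = x_1 * (DA - CB) ** 2 % P
        x_2 = AA * BB % P
        z_2 = E * (AA + A24 * E) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    # For a low-order input z_2 ends up 0, so the "inverse" is 0 and so is the result.
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def x25519_checked(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """DH as a protocol should use it: abort when the shared secret is all zero."""
    out = x25519(k_bytes, u_bytes)
    if out == bytes(32):
        raise ValueError("X25519 output is all zero: peer key is a low-order point")
    return out


def low_order_input_rejected(k_bytes: bytes, u_bytes: bytes) -> bool:
    """True if the checked DH refuses the given peer u-coordinate."""
    try:
        x25519_checked(k_bytes, u_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("RFC 7748 vector ok:", x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB)
    for u in LOW_ORDER_U:
        print("unchecked output for low-order u:", x25519(ALICE_PRIV, u).hex())
        print("checked DH rejects it:", low_order_input_rejected(ALICE_PRIV, u))
```

The point of the demo is the one Viktor makes: with a low-order input the output is zero for every private key, so the result is predictable to whoever supplied that key, even though no scalar bits leak. Rejecting the all-zero output (or the zero public key) is what turns that predictability from a protocol-level MitM concern into a clean failure.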