[Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]

Dan Brown <dbrown@certicom.com> Wed, 31 December 2014 15:07 UTC

From: Dan Brown <dbrown@certicom.com>
To: Adam Langley <agl@imperialviolet.org>, Christoph Anton Mitterer <calestyo@scientia.net>
Date: Wed, 31 Dec 2014 15:07:21 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/6GBWqF28hvM8LpxOHuVh_EC4cx8
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]

The paper talks about the possibility of malicious base points for DH:

Boaz Tsaban: Fast generators for the Diffie-Hellman key agreement protocol and malicious standards. IACR Cryptology ePrint Archive 2005: 231 (2005)

It may be far-fetched, but the paper seems to show that the independence of DH from the base point is not quite a mathematical certainty, unless the paper has been refuted in further research.

Best regards,

-- Dan

From: Adam Langley
Sent: Wednesday, December 31, 2014 9:45 AM
To: Christoph Anton Mitterer
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] should the CFRG really strive for consensus?

On Dec 31, 2014 1:50 PM, "Christoph Anton Mitterer" <calestyo@scientia.net> wrote:
> I think it's really a bad idea for the CFRG to strive so much for
> consensus.

If you believe in the security of curve25519 then you also believe in the security of Microsoft's current position at ~128 bits. They have the same structure and thus strictly the same strength.

There's /no/ possibility of weakening anything, mathematically, with a different base point (in the correct subgroup) or by using an isogeny.

IRTF groups do not, technically, have to reach consensus. However, everyone does have to function on the same Internet at the end of the day.
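As an added illustration (not part of the thread) of the reduction behind Adam's "in the correct subgroup" claim: in a prime-order group, any discrete-log solver for one base point G solves the problem for every other base point g2 = G^k with one extra inversion mod q, so the choice of base point inside that subgroup cannot weaken the underlying assumption. The group parameters (p = 1019, q = 509, G = 4) are constructed toy values, and a brute-force search stands in for the hypothetical attack on base G.

```python
"""Constructed toy group for the reduction: p = 2q + 1 with q prime,
so the quadratic residues mod p form a subgroup of prime order q."""
P = 1019              # constructed safe prime (not from the thread)
Q = (P - 1) // 2      # 509, prime: order of the subgroup used for DH
G = 4                 # a quadratic residue != 1, hence of order exactly Q


def in_correct_subgroup(h: int) -> bool:
    """The proviso: the base point must lie in the order-Q subgroup."""
    return 1 < h < P and pow(h, Q, P) == 1


def dlog_oracle(base: int, target: int) -> int:
    """Stand-in for a hypothetical DLP solver that only works relative to G.
    Brute force is fine at this toy size; it models 'any attack on base G'."""
    assert base == G
    x, acc = 0, 1
    while acc != target:
        acc = acc * base % P
        x += 1
        if x > Q:
            raise ValueError("target not in subgroup")
    return x


def dlog_to_other_base(g2: int, target: int) -> int:
    """Solve target == g2**x using only the oracle for base G.
    Since g2 = G**k, target = G**(k*x), so x = log_G(target) * k^-1 mod Q."""
    if not in_correct_subgroup(g2):
        raise ValueError("base point outside the prime-order subgroup")
    k = dlog_oracle(G, g2)          # log_G of the alternative base point
    a = dlog_oracle(G, target)      # log_G of the public value
    return a * pow(k, -1, Q) % Q    # exponent arithmetic lives in Z_Q


def demo(k: int = 123, x: int = 77) -> dict:
    """Pick a 'different base point' g2 = G**k, a DH private key x,
    and recover x from the public value using only the base-G oracle."""
    g2 = pow(G, k, P)
    pub = pow(g2, x, P)
    return {"g2": g2, "pub": pub, "recovered_x": dlog_to_other_base(g2, pub)}


if __name__ == "__main__":
    print(demo())
```

The reduction needs g2 to pass the subgroup check; a base point of small order (such as P - 1) is rejected, which is exactly the proviso in the quoted message.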