Re: [Cfrg] Response to the Attacks on key agreement in SM2
Watson Ladd <watsonbladd@gmail.com> Thu, 06 March 2014 03:52 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18D961A0099 for <cfrg@ietfa.amsl.com>; Wed, 5 Mar 2014 19:52:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ih2dC9-8ZUyR for <cfrg@ietfa.amsl.com>; Wed, 5 Mar 2014 19:52:56 -0800 (PST)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) by ietfa.amsl.com (Postfix) with ESMTP id DA1031A0085 for <cfrg@irtf.org>; Wed, 5 Mar 2014 19:52:55 -0800 (PST)
Received: by mail-qg0-f45.google.com with SMTP id j5so5629015qga.4 for <cfrg@irtf.org>; Wed, 05 Mar 2014 19:52:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=owAedyQYAYtloVr2Ogkb+FwULAKTJ7ufWC9YElF/oos=; b=obrbxSmEY9Th9073Trf5yiq5qkBFYvwAthsGNIAwvfXkFOKCYAjg7AcAjYLsPpTAa2 Oz6FIArJd/czp5WMohQygesam5PZEM8smuAz7UhxtCYopVaXs80of6cdJ/oYwd/cLs7t GqpWHVzkTPdcyMG5uIZa3sMPLv8EvrRguWlT2A5IFzZHRuFjRjqqO9qzbz+u7fbk6XRv fo1XUyS2n6lt64D+rncmwH15PK47V/wqCnkOQlKr4xbjJd7xi82uY4XZQN87svAZ8Hua YYcXsecqNd8xfYEUn5DDqnCnD4IQ+CY1kXGIlJLoDCvYqExqVIiVDxX0TlBktt+NacLx 13bQ==
MIME-Version: 1.0
X-Received: by 10.229.56.200 with SMTP id z8mr4949340qcg.1.1394077971869; Wed, 05 Mar 2014 19:52:51 -0800 (PST)
Received: by 10.140.97.134 with HTTP; Wed, 5 Mar 2014 19:52:51 -0800 (PST)
In-Reply-To: <5317EBDE.70004@sbcglobal.net>
References: <045f01cf32c3$ae3d2cd0$0ab78670$@is.ac.cn> <CACsn0cnB6wJPkvEkdudr5YW13xai5rY_u2y7Sxf0=hUi2+txgg@mail.gmail.com> <014501cf3845$03f747b0$0be5d710$@is.ac.cn> <CACsn0ck0_mVRsj-2iMrVG236HzKxo9vmG9DMb=Qx5+abAWSMSA@mail.gmail.com> <5317EBDE.70004@sbcglobal.net>
Date: Wed, 05 Mar 2014 19:52:51 -0800
Message-ID: <CACsn0cmbt2oYb9ZZt+Un6W0vC+SSF=ojx1TXkYZNP6wPqKU6jw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: David Jacobson <dmjacobson@sbcglobal.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/7PhdH1HGOoFx-AScttFMaphhedI
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Response to the Attacks on key agreement in SM2
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 03:52:59 -0000
On Wed, Mar 5, 2014 at 7:30 PM, David Jacobson <dmjacobson@sbcglobal.net> wrote: > You said that picking a random number in [1, n-1] is in constant time is > hard. Here is a solution that doesn't run in constant time. > > let w be the minimum number of bits to represent n-2. > do { > candidate = generate_random_bits(w); // generate w random bits (in > practice you generate a block and mask to w bits) > } until interpret_as_integer(candidate) <= n-2. > > return interpret_as_integer(candidate) + 1; > > > Sure, it doesn't run in constant time. But, assuming that n is not a secret, > this is harmless. The probability of success is at least 1/2, so the > typical running time is at most 2 rounds. > > The reason it is safe is that the running time only tells the attacker the > number of times the random bit generator generated a value > n-2. Even if > on every iteration that failed, the algorithm revealed the entire candidate, > it would be okay, since one security property of an a cryptographic quality > RBG is that knowing some bits gives an attacker no advantage at guessing > bits he hasn't seen. Yes, the above is true. However, a standard trick for removing randomness is to use a second key K and compute H(k || M). Randomness At this point one does have secret data being used, so you do need to watch out. But maybe an interation isn't so bad... I just prefer not to do that kind of leak analysis, and write constant-time code. Sincerely, Watson Ladd > > --David Jacobson > > > > On 3/5/14 6:49 PM, Watson Ladd wrote: >> >> On Tue, Mar 4, 2014 at 11:32 PM, Limin LIU <lmliu@is.ac.cn> wrote: >>> >>> Hi Watson, >>> In my previous email, I addressed that the attack you mentioned is not >>> feasible since it is based on an unpractical assumption. >>> As for the security model of SM2 key exchange, it's another problem. The >>> key exchange protocol in SM2 is based on MQV, a widely standardized (ANSI, >>> ISO/IEC, IEEE) and recommended (NIST, NSA suite B) EC-DH-based key agreement >>> protocol. The security proof of MQV was given by Kunz-Jacques in paper " >>> About the Security of MTI/C0 and MQV" in 2006, which you might have already >>> read. >> >> Actually the situation is a bit better: it looks to me like the paper >> by Kunz-Jacques covers SM2: one needs to adjust the function f, and >> then everything works. However, this is not a standard assumption, and >> the paper takes place in weaker models then CK, something I would like >> to see in the security considerations. Note that MQV is no longer in >> suite B. >> >> Minor nits I found: >> The encryption scheme has a major issue: t=0 is disallowed, leaking >> information about M. In particular encrypting single bits is trivially >> insecure. I would recommend that short lengths be avoided if it is >> impossible to change the standard/this isn't a translation issue. >> >> It also uses a hash as a MAC, which is not the right thing. (x2,y2) is >> distinguishable from random bits, making an analysis of H(x1 || M || >> y1) hard. Encrypt and MAC is insecure because the MAC can always leak >> information about the message and remain a good MAC. For a hash >> function in the standard model I don't know why H(x1 || M || y1) has >> to be a MAC. Maybe the construction mentioned is secure: it's >> difficult to say. Certainly I would feel much happier with C3=HMAC(k2, >> C2) with k1 || k2=KDF(p, keylength). >> >> Pick a random number in [1, n-1] is difficult to do in constant time >> and with zero bias. In particular the naive modular reduction approach >> will leak enough bits to reconstruct the secret key. Maybe this is >> handled by the random number generator, but this has bitten people >> (including me) in the past. NIST actually had to edit ECDSA standards >> to fix this issue. >> >> I can't make head or tail of the message expansion in SM3. >> >> Sincerely, >> Watson Ladd >>> >>> Best, >>> Limin >>> -----Original Message----- >>> From: Watson Ladd [mailto:watsonbladd@gmail.com] >>> Sent: Thursday, February 27, 2014 12:15 AM >>> To: liulimin >>> Cc: cfrg@irtf.org >>> Subject: Re: Response to the Attacks on key agreement in SM2 >>> >>> On Tue, Feb 25, 2014 at 11:23 PM, Limin LIU <lmliu@is.ac.cn> wrote: >>>> >>>> Dear Watson, >>>> >>>> This is Limin from the team of SM2 patent holder, Data Assurance >>>> and Communication Security Center in Chinese Academy of Sciences. >>>> Following is the response to your concern about the attacks on SM2. >>>> (Attacks on key agreement in SM2. >>>> http://www.ietf.org/mail-archive/web/cfrg/current/msg04297.html ) >>>> >>>> In Xu's (CANS 2011) paper, the attack towards SM2 key exchange >>>> protocol is launched in Canetti-Krawczyk model, where adversary could >>>> reveal private session state. To make the attack successful, the >>>> adversary should have the ability to reveal the state variable >>>> (x_v,y_v). (x_v,y_v) is the result of a computation from B's private >>>> key d_B, B's private random number r_B, along with other public >>>> parameters. The question here is, d_B and r_B are not easy to be >>>> obtained in real world. What's more, if the adversary has such kind of >>>> knowledge, he could already obtain the session key K_B by K_B = >>>> KDF(x_v||y_v||z_A||z_B,klen), it seems unnecessary to launch other attacks. >>>> Overall, this attack is academic crypto analysis based on strong >>>> assumptions. It's not a practical threaten to the algorithm. >>>> >>>> Hope this could address your concerns. Any further comments will be >>>> greatly appreciated. >>> >>> It doesn't. Instead of an analysis showing that in some reasonable threat >>> model SM2 security reduces to some reasonable assumptions, you present an >>> argument that the one attack I found in the literature doesn't matter in >>> practical applications. There is a large literature and well-understood >>> theory of key negotiation protocols, and I have yet to see any demonstration >>> that SM2 was designed with that in mind. >>> >>> Sincerely, >>> Watson Ladd >>>> >>>> Best, >>>> Limin >>>> >>> >>> >>> -- >>> "Those who would give up Essential Liberty to purchase a little Temporary >>> Safety deserve neither Liberty nor Safety." >>> -- Benjamin Franklin >>> >> >> > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [Cfrg] Response to the Attacks on key agreeme… Watson Ladd
- Re: [Cfrg] Response to the Attacks on key agreeme… Watson Ladd
- Re: [Cfrg] Response to the Attacks on key agreeme… David Jacobson
- Re: [Cfrg] Response to the Attacks on key agreeme… Watson Ladd