Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt

Watson Ladd <watsonbladd@gmail.com> Tue, 04 February 2014 20:11 UTC

Date: Tue, 04 Feb 2014 12:11:31 -0800
Message-ID: <CACsn0cmS152wYQWHiX8ykzaMM=6b=r=fwVuLfPj_u0wmoq0jKw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "rransom. 8774" <rransom.8774@gmail.com>, cfrg@irtf.org

On Feb 4, 2014 11:41 AM, "Robert Ransom" <rransom.8774@gmail.com> wrote:
>
> On 2/4/14, Dan Harkins <dharkins@lounge.org> wrote:
>
> >   This is mentioned in section 6.3 of RFC 5931 (dragonfly as an EAP
> > method), knowledge of r where PE = r * G can enable a dictionary
> > attack. But knowledge of r requires doing a discrete logarithm. A
> > discrete logarithm is assumed to be "computationally infeasible" and
> > you're talking about doing 2^40 of them!?!
>
> <http://cr.yp.to/papers.html#nonuniform> is relevant here.  It
> discusses several other ‘attacks’ of this general type, and explains
> why they should not be taken seriously.

Bernstein actually argues that one should define complexity measures to
exclude such attacks. This is clear in the paper. Unfortunately, the
time-memory product for the weak-password variation is only 2^40.

The problem with the foundations of hashing usually isn't a real problem: one
can sign r, H(r, m) with r random to bypass it.

This attack is interesting because of the limits it puts on reductions,
which are the main tool for doing cryptography. If dragonfly could be shown
to have no other weaknesses this would be fine, but no such proof is
forthcoming.

Such a proof would be in the ROM, but as the IETF 88 slides show it would
be tricky.
>
> Robert Ransom