Re: [Cfrg] Requesting removal of CFRG co-chair

David McGrew <mcgrew@cisco.com> Mon, 06 January 2014 01:05 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50FF71ADE72 for <cfrg@ietfa.amsl.com>; Sun, 5 Jan 2014 17:05:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.038
X-Spam-Level:
X-Spam-Status: No, score=-10.038 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3rMamYHRywIC for <cfrg@ietfa.amsl.com>; Sun, 5 Jan 2014 17:05:13 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) by ietfa.amsl.com (Postfix) with ESMTP id 1C76F1ADE71 for <cfrg@irtf.org>; Sun, 5 Jan 2014 17:05:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15334; q=dns/txt; s=iport; t=1388970305; x=1390179905; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to; bh=ZR+pB4qsb1wbQP2Jop8cNjac4oEUzxmmx7+HO5FGuxA=; b=fi2zHS76VZM+4EPFVgR129b+1uLIJU3BAB6s0gV6fLwRuXc9V6sMtb90 xF44Ym95WmFm5yxNhNX/JSiX1Oi0H69rbsofbOQh99ZZ02hOCgQWtV9rQ t9z7hFES0tn/2wsHAIsN/cQZHWGc3Kt7K4lhpTgRxV7ouhnwphxUBntHU E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhgFAPEAylKtJV2Y/2dsb2JhbABYgws4ugWBDRZ0giUBAQECAQEdSwYKARALDgoJFg8JAwIBAgFFBg0BBQICBQuHaAgNwy0XjiILEAIBTweENwSJQ45UgTCFFYtQg0se
X-IronPort-AV: E=Sophos; i="4.95,609,1384300800"; d="scan'208,217"; a="10680864"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-5.cisco.com with ESMTP; 06 Jan 2014 01:05:03 +0000
Received: from [10.0.2.15] (rtp-mcgrew-8913.cisco.com [10.117.10.228]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id s061527x013766; Mon, 6 Jan 2014 01:05:02 GMT
Message-ID: <52CA013E.2080305@cisco.com>
Date: Sun, 05 Jan 2014 20:05:02 -0500
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130922 Icedove/17.0.9
MIME-Version: 1.0
To: Trevor Perrin <trevp@trevp.net>
References: <CAGZ8ZG2f9QHX40RcB8aajWvEfG0Gh_uewu2Rq7bQGHYNx6cOmw@mail.gmail.com> <52B91820.9090706@cisco.com> <CAGZ8ZG02+o=Qm0gUQiVF9H_=wfn+wQt8ahY1ntLHNsELXbvtVg@mail.gmail.com> <52B9CB13.9020500@cisco.com> <CAGZ8ZG07QGL4mD1+XpDgm-5GHuhZEg2WRUvF20zRM_ZPNFLOUQ@mail.gmail.com> <52C5D1E6.7040002@cisco.com> <CAGZ8ZG2C=NH-NOsVteinBZxpovfGd55ksm4kSxpx3yD4+UO+6Q@mail.gmail.com>
In-Reply-To: <CAGZ8ZG2C=NH-NOsVteinBZxpovfGd55ksm4kSxpx3yD4+UO+6Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050100000305070802080500"
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Requesting removal of CFRG co-chair
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2014 01:05:16 -0000

Hi Trevor,

On 01/03/2014 09:43 PM, Trevor Perrin wrote:
> On Thu, Jan 2, 2014 at 12:53 PM, David McGrew <mcgrew@cisco.com>; wrote:
>>>> Let me make an aside about provable security. In the crypto practice
>>>> community, it is often regarded as oversold.
>>> As a member of the "crypto practice community" I disagree.  Key
>>> agreement protocols are widely understood to be a tricky area where
>>> formal analysis is crucial.  Dragonfly's lack of such analysis was a
>>> red flag.  Jonathan Katz, a world-class cryptographer, raised the
>>> issue repeatedly.  The CFRG chairs ignored him and endorsed Dan
>>> Harkins' bluster.
>>>
>>> http://www.ietf.org/mail-archive/web/cfrg/current/msg03053.html
>>> http://www.ietf.org/mail-archive/web/cfrg/current/msg03216.html
>>>
>>> Seems like CFRG could use more outreach to the cryptography community
>>> and less to the intelligence community.
>>
>> I agree, more outreach to the theory community would be valuable. Perhaps
>> you would be interested in helping with that effort?
> Sure, my advice:  There's a wealth of knowledge in academia that CFRG
> is not tapping.  Having a CFRG co-chair who could serve as ambassador
> to that community and a translator of its knowledge would be very
> valuable.

It would be great to have an ambassador, and that person need not be a 
chair.

>
> I'd recommend talking to some of the academic cryptographers who've
> engaged with TLS and CFRG (Jonathan Katz, Kenny Paterson, Douglas
> Stebila, David Wagner, etc), and see where that leads you.
>
> Also, this would be a good discussion to pursue at Real World Crypto
> (NYC, shortly).

Agreed.  Unfortunately, I will not be able to attend due to other 
travel.  If there is someone in the RG who can attend, it would be great 
to hear a report from them on topics that they think the list should 
know about.   (An aside: I'd like to hear or read about /Provable 
security of advanced properties of TLS and SSH/, which I would guess is 
similar http://eprint.iacr.org/2013/813.pdf) Also, if there is an 
opportunity to present a plug for CFRG at the event, say during a rump 
session, I offer to help to prepare a short presentation on CFRG to 
anyone willing to give it.

I think it would be good to have an actual CFRG meeting adjunct to an 
IACR venue, such as Crypto in Santa Barbara.   Probably there are not 
many people who regularly attend both the IETF and crypto conferences, 
but I think that such a meeting would help to build a stronger online 
community, if nothing else.

thanks,

David

>
>>>>>>> He also endorsed an ineffective attempt to avoid
>>>>>>> timing attacks by adding extra iterations to one of the loops [IGOE_3,
>>>>>>> IGOE_4].
>>>>>>
>>>>>> I think that by "ineffective attempt to avoid timing attacks" you are
>>>>>> referring to your statement that "within each loop are conditional
>>>>>> branches
>>>>>> and Legendre symbol / square-root algorithms, which are hard to
>>>>>> implement
>>>>>> efficiently in constant time ([STRUIK], [ICART], [FIPS186-4])" from
>>>>>> [REVIEW]. Is this right? There is a significant difference between
>>>>>> "hard
>>>>>> to
>>>>>> implement" and "ineffective". The statement in [REVIEW] makes it sound
>>>>>> like
>>>>>> it is inconvenient for the implementer, while the statement in your
>>>>>> email
>>>>>> makes it sound as though it is impossible.
>>>>> Not sure I understand this quibble.
>>>>
>>>> The important point here is that a Research Group chair reading [REVIEW]
>>>> could get the impression that the proposed mitigation to timing attacks
>>>> is
>>>> "hard to implement" rather than "ineffective", in your opinion.
>>> I'm still not sure what you're asking.  Let's just look at a crude
>>> analysis of the "40-loops" countermeasure Kevin endorsed, comparing
>>> CFRG draft-00 vs draft-01/draft-02.
>>>
>>> Let's assume that modular square roots are calculated via modular
>>> exponentiation, and that Legendre symbol calculations take less time.
>>> Let's also ignore the variable time taken by a Legendre symbol
>>> calculation and other conditional logic, and just count the number of
>>> ops.
>>>
>>> In draft-00, the hunt-and-peck loop in 3.2.1 performs Legendre symbol
>>> calculations until it finds a square (probability ~1/2), at which
>>> point a square root is performed.  So:
>>>    - 1 modular exponentiation
>>>    - Variable number of Legendre symbol calculations
>>>      - geometric distribution with mean ~2, variance ~2
>>>
>>> In draft-01 and draft-02, the hunt-and-peck loop continues until it
>>> completes 40 loops, with a probability ~1/2 of performing a modular
>>> exponentiation on each iteration.  So:
>>>    - Variable number of modular exponentiations
>>>      - binomial distribution with mean ~20, variance ~10
>>>    - 40 Legendre symbol calculations
>>>
>>> The 40-loops algorithm was intended to reduce timing variance but
>>> instead increases it, and increases computation cost as well.  So I
>>> think "ineffective" is a fair description.  Do you agree?
>>
>> I don't have the time right now to go back to the earlier version of the
>> draft and check all of this, and I want to get back to you sooner rather
>> than later.   So let me comment here as a chair, rather than a technical
>> reviewer.  What would have been most useful is for this analysis to have
>> been presented to the CFRG mail list during the discussion of timing attacks
>> that initially took place on December 2012, or after Kevin put out a Last
>> Call for comments on Dragonfly on April 4, 2013.   For perspective: Rene
>> Struik's comments on that draft went out on Nov 29, and yous went out on Dec
>> 10, over six months after the last call for comments.
> Rene brought up the sidechannel issue again in July 2013, with no response:
>
> http://www.ietf.org/mail-archive/web/cfrg/current/msg03489.html
>
> But there's a bigger picture:  Regardless of timing attacks, Dragonfly
> is inferior to alternatives already standardized or found in the
> literature.
>
> This opinion was well-expressed on the TLS and CFRG mailing lists when
> Dragonfly was proposed.  This opinion was probably shared by many more
> people than expressed it (like me), and was never adequately
> addressed.  By Dec 2012, I assume most people had tuned-out a
> discussion about an non-useful protocol that was proceeding without
> regard to group opinion.
>
>
> Trevor
> .
>