Re: [Cfrg] RFC 6090 correctness

Watson Ladd <> Sun, 16 March 2014 01:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id EFC5E1A0233 for <>; Sat, 15 Mar 2014 18:42:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_22=0.6, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1nan89NSqEtl for <>; Sat, 15 Mar 2014 18:42:18 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c01::22c]) by (Postfix) with ESMTP id 840301A022A for <>; Sat, 15 Mar 2014 18:42:18 -0700 (PDT)
Received: by with SMTP id f10so4100155yha.31 for <>; Sat, 15 Mar 2014 18:42:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=8iWs2iwzeVYM4Qn3QfOaACMGT0b8xSEmkXzCMEF3NqY=; b=ZsUjVYvJltkYJnRN8JJ0as1qGAyvlP78LII+nCHP4T9MdNZZd47GkFcgzH2S/cFRtp Bf6BPhZVFMSIHJPtyE5me6OLqRhNPjmlH/FX+WDcdsMGCFqWW/6A1SUlXVW8Wdx1zTSu HaZOVjo0wigZfhvOP5Gu1/dGXZDQ/eYKie5Pvn3AbyFk0nV8DBLcFTZgQFZ/v/KMP72n Y0mIWEGIIO+lHdoorwEf1Rt7pKCRB2Vrw1a3vesguHIEDbYL+SKK7aDIFwC6zhZ4zLTa 441rUepqpEsbAc1K2hZx0SwYjg99r04nmcpKklrwgkQPthe06xpXsZSm5VrASnRwPmwJ FiHg==
MIME-Version: 1.0
X-Received: by with SMTP id k66mr3639554yha.57.1394934130956; Sat, 15 Mar 2014 18:42:10 -0700 (PDT)
Received: by with HTTP; Sat, 15 Mar 2014 18:42:10 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Sat, 15 Mar 2014 18:42:10 -0700
Message-ID: <>
From: Watson Ladd <>
To: Paul Hoffman <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "" <>
Subject: Re: [Cfrg] RFC 6090 correctness
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 16 Mar 2014 01:42:20 -0000

On Sat, Mar 15, 2014 at 5:44 PM, Paul Hoffman <> wrote:
> Please note that RFC 6090 already has a bunch of errata; see <>. Maybe Watson and Tanja can coordinate on a concise statement of the current error and turn in a new errata. It would also be grand if people on the list went through the RFC with a finer-tooth comb than they did before it was published and report anything else.
> There are enough errata that it feels like the RFC should be updated to deal with them all.

I've submitted an erratum, but there are multiple possible fixes.
Furthermore, the nature of this error is significant: it may be
possible to exploit this mistake in implementations that slavishly
adhere to the RFC. One example of this causing security problems is in
Petersen commitments: ag+bh is usually computed by taking
(a-b)g+b(h+g) and so on recursively. If g and h are crafted so that
h+g results in 2g, not h+g, the commitment doesn't bind to any value
of b. Note that this doesn't require knowing the discrete log of g to
the base h, and in fact is compatible with some "nothing up my sleeve"
means of point generation.

Watson Ladd
> --Paul Hoffman
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin