Re: [Cfrg] On the use of Montgomery form curves for key agreement

Nico Williams <nico@cryptonector.com> Mon, 08 September 2014 18:51 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE87F1A0311 for <cfrg@ietfa.amsl.com>; Mon, 8 Sep 2014 11:51:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.656
X-Spam-Level: *
X-Spam-Status: No, score=1.656 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KL6QjSRhPmVm for <cfrg@ietfa.amsl.com>; Mon, 8 Sep 2014 11:51:38 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 8D22C1A0312 for <cfrg@irtf.org>; Mon, 8 Sep 2014 11:51:37 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id 093AD9406D for <cfrg@irtf.org>; Mon, 8 Sep 2014 11:51:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=X1qg+vmdkZ/ezQqKzNAH aFYVG78=; b=ROYuE8ezW8ywi/nnsv4g3B7t12k6f9QGOwW2LRIn0aSX7e9TgwNT yEH5SNLO9QlxbjhKrFq4yyHOhRIwZ0shR++SUf4AQSC5bDWY/YysOBaS9rVmpmb4 DJEegIQqRm0eeBjLnBBbQ3WUYLrmCkFwgaNtwgVIhMT8NYvMd0E1Ay0=
Received: from mail-wg0-f51.google.com (mail-wg0-f51.google.com [74.125.82.51]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id AF1859405E for <cfrg@irtf.org>; Mon, 8 Sep 2014 11:51:36 -0700 (PDT)
Received: by mail-wg0-f51.google.com with SMTP id k14so1180204wgh.22 for <cfrg@irtf.org>; Mon, 08 Sep 2014 11:51:35 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.75.17 with SMTP id y17mr24498704wiv.3.1410202295069; Mon, 08 Sep 2014 11:51:35 -0700 (PDT)
Received: by 10.216.52.8 with HTTP; Mon, 8 Sep 2014 11:51:34 -0700 (PDT)
In-Reply-To: <20140903052704.GM8540@cph.win.tue.nl>
References: <e16ac4926a934565a65456058e50b68e@BL2PR03MB242.namprd03.prod.outlook.com> <20140902165340.17284.qmail@cr.yp.to> <d4322ec172d74aab83a1d17cf4dcf786@BL2PR03MB242.namprd03.prod.outlook.com> <20140903052704.GM8540@cph.win.tue.nl>
Date: Mon, 8 Sep 2014 13:51:34 -0500
Message-ID: <CAK3OfOjfSxHOE4fZzgVNmxEsF4ss_Bh+x7sc0rYTBRRznsbNqw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Tanja Lange <tanja@hyperelliptic.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Dlp3cXqZ9zU9g1lfuqt7PtKPmXw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2014 18:51:39 -0000

On Wed, Sep 3, 2014 at 12:27 AM, Tanja Lange <tanja@hyperelliptic.org>; wrote:
> What exactly do you think the security implications of key reuse are?
>
> Defining ephemeral in a time-based manner ist quite normal; the important
> thing to guarantee PFS is to delete the key afterwards, not whether it is
> used for 1 connection or 10 seconds (with potentially 0 connections).

+1.

What matters is that the private key be destroyed some time after it's
been used.  That amount of time cannot be zero (it could, with the
right hardware, but that's another story).  It has to be some small
amount of time.  .01 seconds or 10 seconds doesn't make much
difference -- it doesn't make _any_ substantial difference.

As for key reuse (as opposed to how long after use the key is
destroyed), obviously it cannot be bad, otherwise we'd only have
ephemeral-ephemeral DH.  But we've been using DH with static keys
since DH was invented.

No plausible case has yet been made against ephemeral DH key reuse.  I
can't think of a plausible case against it.  I'm inclined to believe
there is no plausible case to be made against it within the current
published literature.

PFS depends on timely destruction of private keys, not non-reuse.

Nico
--