Re: [Cfrg] On the use of Montgomery form curves for key agreement
Nico Williams <nico@cryptonector.com> Mon, 08 September 2014 18:51 UTC
From: Nico Williams <nico@cryptonector.com>
To: Tanja Lange <tanja@hyperelliptic.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Dlp3cXqZ9zU9g1lfuqt7PtKPmXw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

On Wed, Sep 3, 2014 at 12:27 AM, Tanja Lange <tanja@hyperelliptic.org> wrote:
> What exactly do you think the security implications of key reuse are?
>
> Defining ephemeral in a time-based manner is quite normal; the important
> thing to guarantee PFS is to delete the key afterwards, not whether it is
> used for 1 connection or 10 seconds (with potentially 0 connections).

+1. What matters is that the private key be destroyed some time after it's been used. That amount of time cannot be zero (it could, with the right hardware, but that's another story). It has to be some small amount of time. .01 seconds or 10 seconds doesn't make much difference -- it doesn't make _any_ substantial difference.

As for key reuse (as opposed to how long after use the key is destroyed), obviously it cannot be bad, otherwise we'd only have ephemeral-ephemeral DH. But we've been using DH with static keys since DH was invented.

No plausible case has yet been made against ephemeral DH key reuse. I can't think of a plausible case against it. I'm inclined to believe there is no plausible case to be made against it within the current published literature.

PFS depends on timely destruction of private keys, not non-reuse.

Nico