IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - curve form and coordinate systems

Rene Struik <rstruik.ext@gmail.com> Mon, 16 March 2015 13:08 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 668701A8734 for <cfrg@ietfa.amsl.com>; Mon, 16 Mar 2015 06:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0liXsnBJROGA for <cfrg@ietfa.amsl.com>; Mon, 16 Mar 2015 06:08:23 -0700 (PDT)
Received: from mail-ie0-x22f.google.com (mail-ie0-x22f.google.com [IPv6:2607:f8b0:4001:c03::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 987461A871A for <cfrg@irtf.org>; Mon, 16 Mar 2015 06:08:23 -0700 (PDT)
Received: by iecvj10 with SMTP id vj10so165619294iec.0 for <cfrg@irtf.org>; Mon, 16 Mar 2015 06:08:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=vCaFhBXaQKXPqX4SJi5iVowNenGpkYub3n3mE+8XeYg=; b=jkO9s+b/Zk2LqU1PaKWw9i5Nmw0Klgpn7t7UrzVgNa0wNUUDLwf81yQHr7KhvSYOEZ BmfPGwkZjwTavleqY96SIH4otwSOk/kR91nX1+MnakUOSwI2dRlbEriApwmYbrl1T3DV 3nUwdlpkqbf5fFMH6GDigpfuHfGk0bIldDdGM1l1me+04+UVqVYLPo2dBqo+vsC7VBAu WCnGad1A6FjcDjQaNwWIP6ItPhkOoCt3V2HYCt3VyrnDzebiaJIWiea3PNt6581DaKEK Dvxj6MS5u9zP5yHGXhY+FLHtHF7EgKfOjasl6cR5/BB+hwrkIpt4NgtaiHeej3HRVyU+ b2BA==
X-Received: by 10.107.18.87 with SMTP id a84mr70231132ioj.67.1426511303004; Mon, 16 Mar 2015 06:08:23 -0700 (PDT)
Received: from [192.168.0.10] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id t7sm6740774igz.17.2015.03.16.06.08.21 for <cfrg@irtf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Mar 2015 06:08:22 -0700 (PDT)
Message-ID: <5506D5BB.3090700@gmail.com>
Date: Mon, 16 Mar 2015 09:08:11 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: cfrg@irtf.org
References: <5501E6A5.5040608@brainhub.org> <A6F30412-8E0A-4D8D-9F26-580307B46874@shiftleft.org> <20150316002255.28855.qmail@cr.yp.to> <20150316044906.GA27479@mournblade.imrryr.org>
In-Reply-To: <20150316044906.GA27479@mournblade.imrryr.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/F4QMSLLGN2xDeLbNApzwYoO3V60>
Subject: Re: [Cfrg] Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 13:08:26 -0000

Hi Viktor:

You are correct: I have no idea where Dan Bernstein got that from. I *did* comment on the DH function, which, with Montgomery-style specification as in the "Curve25519" draft, is completely insecure, if one does not check the output to be nonzero. This is a form of the small subgroup attack and has been known for over 15 years.

BTW - I don't think this is properly captured in draft-irtf-cfrg-curves-01 and sent an offline note to suggest remedying this by replacing the last para prior to Section 8.1 of that draft to the following:

"Note that the (co-factor) Diffie-Hellman protocol presented here results in the all-zero key if it operates on an input corresponding to a point with order dividing the co-factor h of the curve. Failure to check the output for this condition leads to a trivial (and well-known) small subgroup confinement attack. The output of this protocol SHALL therefore be checked and, if this value is found to be zero, the protocol SHALL fail."

  

===
One quick question.  I did not think that Rene was saying that the
Montgomery ladder computes multiples of 0 incorrectly.  Rather,
the concern is I believe that when one of the parties to an ECDH
agreement sends zero as their public key, the output is then zero
regardless of the public key of the other party.

On 3/16/2015 12:49 AM, Viktor Dukhovni wrote:
> On Mon, Mar 16, 2015 at 12:22:55AM -0000, D. J. Bernstein wrote:
>
>> In particular, input 0 is handled correctly without any special tests,
>> contrary to Rene's comments and earlier comments from Microsoft. See
>> https://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html.
> Dan, thanks for the detailed comments.  I support the emphasis on
> implementation simplicity they represent (including potentially
> taking away choices, when such choices are more prone to mistakes
> than "the right way").  That is, I suport removing inessential
> degrees of freedom.
>
> One quick question.  I did not think that Rene was saying that the
> Montgomery ladder computes multiples of 0 incorrectly.  Rather,
> the concern is I believe that when one of the parties to an ECDH
> agreement sends zero as their public key, the output is then zero
> regardless of the public key of the other party.
>
> This may allow an attacker to force a given session key, depending
> on how the ECDH output is used to construct session keys (whether
> additional nonces are used.  Can you comment on situations (in
> higher level protocols) under which participants in ECDH might want
> to explicitly reject 0 as the peer's public key?  (I don't know
> whether any protocols in wide use that employ ECDH are potentially
> exposed to this issue, if it is an issue.)
>
> If I recall correctly, with X25519, such a key will never arise if
> both peers choose their secret keys per the specification (the
> private "exponent" is never 0, and I think it is always smaller
> than the order of the group).
>


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email