Re: [Cfrg] Twist insecurity of 2y^2=x^3+x/GF(8^91+5)
Dan Brown <danibrown@blackberry.com> Mon, 21 August 2017 16:05 UTC
Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BBE713234C for <cfrg@ietfa.amsl.com>; Mon, 21 Aug 2017 09:05:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6-w9w818YxN for <cfrg@ietfa.amsl.com>; Mon, 21 Aug 2017 09:05:16 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FAD6132026 for <cfrg@irtf.org>; Mon, 21 Aug 2017 09:05:15 -0700 (PDT)
X-Spoof:
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs213cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 21 Aug 2017 12:04:20 -0400
Received: from XCT111CNC.rim.net (10.65.161.211) by XCT106CNC.rim.net (10.65.161.206) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 21 Aug 2017 12:05:14 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT111CNC.rim.net ([::1]) with mapi id 14.03.0319.002; Mon, 21 Aug 2017 12:05:13 -0400
From: Dan Brown <danibrown@blackberry.com>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Twist insecurity of 2y^2=x^3+x/GF(8^91+5)
Thread-Index: AdMYYsJG2Is69L22T1eqnhv8dyO27QAvzZcAAFzk0KA=
Date: Mon, 21 Aug 2017 16:05:13 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501B92EC7@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF501B9284D@XMB116CNC.rim.net> <20170819153302.pymmplx2wvfl3h7p@LK-Perkele-VII>
In-Reply-To: <20170819153302.pymmplx2wvfl3h7p@LK-Perkele-VII>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.249]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/GnbORnlTlGrCIeuXv3GZZG82rvE>
Subject: Re: [Cfrg] Twist insecurity of 2y^2=x^3+x/GF(8^91+5)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2017 16:05:18 -0000
-----Original Message----- From: ilariliusvaara@welho.com On Fri, Aug 18, 2017 at 09:20:01PM +0000, Dan Brown wrote: > > If the static DH key in the Montgomery ladder implementation above is > used in a higher-level protocol that requires key confirmation from > the other side before using the shared key in encryption, then it > seems the previous attacker's chances either are drastically reduced, > or the attacker requires billions of (failed) interactions (instead of > 5). Is this right? If so, in such a protocol, would a good remedy be > to place a limit (e.g. 1000/month) on the number of failed key > confirmation attempts? It depends on protocol. As example of how things can go wrong, take TLS 1.3. If the server keeps fixed DH key, one can send a few handshakes, and from the resposes (the server does key confirmation first!) do offline ~2^65 operation attack to find the fixed DH key. And TLS 1.3 breaks _really_ badly if the server static DH key is compromised. <DB> Thanks. I reviewed TLS 1.3 based on your comments, and I agree with your conclusion. I noticed that the client in TLS 1.3 should normally receive a protected {Finish} from the server before releasing information derived the shared secret. So, the client receives key confirmation. If the client is re-using the same static DH key, using a Montgomery without point validation, then by verifying key confirmation, the client is partially protected from small-subgroup attacks. (I don't know if this is a known countermeasure.) Or, am I missing something? So, anyway, any initial I-D I write will likely put a MUST on point validation of static DH keys... </DB>
- [Cfrg] Twist insecurity of 2y^2=x^3+x/GF(8^91+5) Dan Brown
- Re: [Cfrg] Twist insecurity of 2y^2=x^3+x/GF(8^91… Ilari Liusvaara
- Re: [Cfrg] Twist insecurity of 2y^2=x^3+x/GF(8^91… Dan Brown