Re: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 31 December 2014 16:08 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Dan Brown <dbrown@certicom.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, Adam Langley <agl@imperialviolet.org>, "Christoph Anton Mitterer" <calestyo@scientia.net>
Thread-Topic: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]
Date: Wed, 31 Dec 2014 16:02:51 +0000
Message-ID: <D0C9CE59.3B14A%kenny.paterson@rhul.ac.uk>
References: <20141231154418.6639764.33790.24403@certicom.com>
In-Reply-To: <20141231154418.6639764.33790.24403@certicom.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/MAL-aCX4DDV0Ux83TDoEm4_lnZs
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]

Folks,

Please, let's desist from these kinds of side-track discussions. They clog
up people's inboxes and make it hard to see the wood from the trees in
what is already a heavily-wooded discussion.

Thanks

Kenny

On 31/12/2014 15:44, "Dan Brown" <dbrown@certicom.com> wrote:

>
>Right, I should have said hypothetical rather than possible (which can also
>be read as able).
>
>
>So, under the paper's unlikely MDH hypothesis, a fast generator could be
>weak, or worse, an unexplained random-looking generator could be weak. To
>me, the best countermeasure to this hypothetical attack would be an
>explainable randomish base point. Or, one
> can just use the fastest base point, and argue this hypothesis is too
>unlikely to fret over.
>
>
>Aside: I think X9.62-2005 added an option to have pseudorandom base
>points...
>
>
>Best regards, 
>
>-- Dan
>From: Scott Fluhrer (sfluhrer)
>Sent: Wednesday, December 31, 2014 10:30 AM
>To: Dan Brown; Adam Langley; Christoph Anton Mitterer
>Cc: cfrg@irtf.org
>Subject: RE: [Cfrg] malicious DH base points [was Re: should the CFRG
>really strive for consensus?]
>
>
>
>Actually, that paper doesn't actually say "it's possible to pick a
>malicious generator from a prime-sized group".  Instead, it (actually,
>claim 9) says "if we knew of a generator/KDF pair which made deriving the
>shared secret easy, someone setting up the group could use that to select a
>random-looking generator that, with that KDF, contains a trap door that
>he could exploit".
>
>If anything, that paper can be construed to be an argument for a
>nonrandom-looking generator (because that doesn't give anyone a chance to
>build in the above trap door).
>
>From: Cfrg [mailto:cfrg-bounces@irtf.org]
>On Behalf Of Dan Brown
>Sent: Wednesday, December 31, 2014 10:07 AM
>To: Adam Langley; Christoph Anton Mitterer
>Cc: cfrg@irtf.org
>Subject: [Cfrg] malicious DH base points [was Re: should the CFRG really
>strive for consensus?]
>
>
> 
>The paper talks about the possibility of malicious base points for DH:
>
>Boaz Tsaban: Fast generators for the Diffie-Hellman key agreement protocol
>and malicious standards. IACR Cryptology ePrint Archive 2005: 231 (2005)
><http://www.informatik.uni-trier.de/~ley/db/journals/iacr/iacr2005.html#Tsaban05>
>
>It may be far-fetched, but the paper seems to show that the independence
>of DH from the base point is not quite a mathematical certainty, unless
>the paper has been refuted in further research.
>
>
>Best regards,
>
>
>-- Dan
>
>From: Adam Langley
>Sent: Wednesday, December 31, 2014 9:45 AM
>To: Christoph Anton Mitterer
>Cc: cfrg@irtf.org
>Subject: Re: [Cfrg] should the CFRG really strive for consensus?
>
>On Dec 31, 2014 1:50 PM, "Christoph Anton Mitterer"
><calestyo@scientia.net> wrote:
>> I think it's really a bad idea for the CFRG to strive so much for
>> consensus.
>If you believe in the security of curve25519 then you also believe in the
>security of Microsoft's current position at ~128 bits. They have the same
>structure and thus strictly the same strength.
>There's /no/ possibility of weakening anything, mathematically, with a
>different base point (in the correct subgroup) or by using an isogeny.
>IRTF groups do not, technically, have to reach consensus. However,
>everyone does have to function on the same Internet at the end of the day.
>Cheers
>AGL
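The base-point independence that Adam Langley asserts in the quoted message
("no possibility of weakening anything, mathematically, with a different base
point in the correct subgroup") rests on a standard self-reduction: a solver
for the computational Diffie-Hellman problem with respect to one generator g
of a prime-order group solves it with respect to any other generator h = g^a
of the same group, at the cost of O(log q) extra calls. The following is an
added worked example of that reduction; it is not code from the thread, from
Tsaban's paper, or from any participant. The group (a safe prime p = 2q + 1
and its order-q subgroup), the generator, and all parameter values are
assumptions chosen for illustration, and the "CDH solver" for base g is
simulated by brute-forcing discrete logs, which is only feasible because the
toy group is tiny.

```python
"""Generator independence of computational Diffie-Hellman (CDH).

Added, constructed example (not code from the thread or from Tsaban's paper):
the standard self-reduction showing that a CDH solver for one base point G of
a prime-order group also solves CDH for any other base point H = G^a of the
same group, using O(log Q) extra calls to the solver. The toy group is the
order-Q subgroup of Z_P^* for the safe prime P = 2Q + 1, and the "solver" for
base G cheats by brute-forcing discrete logs, which only works because Q is
tiny. P, Q, G and the demo parameters are assumed values for illustration.
"""

from math import isqrt

Q = 1019            # prime subgroup order (assumed toy value)
P = 2 * Q + 1       # 2039, a safe prime


def is_prime(n):
    """Trial division; adequate for the toy parameters above."""
    if n < 2:
        return False
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


assert is_prime(Q) and is_prime(P)

# 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup.
G = 4


def dlog_bruteforce(base, target):
    """Discrete log of target to the given base in the order-Q subgroup.
    Exhaustive search: stands in for a hypothetical fast CDH algorithm."""
    acc = 1
    for k in range(Q):
        if acc == target:
            return k
        acc = acc * base % P
    raise ValueError("target is not in the subgroup generated by base")


class CountingOracle:
    """CDH solver for base G: given G^x and G^y, returns G^{x*y}.
    Counts calls so the cost of the reduction can be inspected."""

    def __init__(self):
        self.calls = 0

    def __call__(self, A, B):
        self.calls += 1
        x = dlog_bruteforce(G, A)
        y = dlog_bruteforce(G, B)
        return pow(G, x * y, P)


def power_in_exponent(oracle, X, k):
    """Given X = G^x, return G^{x^k} using only CDH queries for base G.

    Square-and-multiply where the "multiplication" is oracle(G^r, G^s) = G^{rs}.
    """
    result = G          # G^{x^0}
    base = X            # G^{x^1}
    while k:
        if k & 1:
            result = oracle(result, base)
        k >>= 1
        if k:
            base = oracle(base, base)
    return result


def cdh_for_base_h(oracle, H, U, V):
    """Solve CDH relative to an arbitrary generator H of the subgroup.

    Given H = G^a (a unknown), U = H^u and V = H^v, return H^{uv} using only
    the CDH solver for base G:
      oracle(U, V)                   = G^{a^2 uv}
      G^{a^{-1}}                     = G^{a^{Q-2}}   (Fermat: a^{Q-1} = 1 mod Q)
      oracle(G^{a^2 uv}, G^{a^{-1}}) = G^{a uv} = H^{uv}
    """
    T = oracle(U, V)
    H_inv = power_in_exponent(oracle, H, Q - 2)
    return oracle(T, H_inv)


def demo(a=123, u=77, v=501):
    """Pick a 'random-looking' base point H = G^a, run a DH exchange on it,
    and check that the reduction recovers the shared secret.
    Returns (ok, number_of_oracle_calls)."""
    H = pow(G, a, P)
    U = pow(H, u, P)
    V = pow(H, v, P)
    expected = pow(H, u * v, P)
    oracle = CountingOracle()
    got = cdh_for_base_h(oracle, H, U, V)
    return got == expected, oracle.calls


if __name__ == "__main__":
    ok, calls = demo()
    print("reduction correct:", ok, "| oracle calls:", calls)
```

Note what the reduction does and does not cover: it shows that the raw group
element H^{uv} is no easier to compute for one generator of the subgroup than
for another, so choosing a fast base point versus a random-looking one cannot
change the hardness of the Diffie-Hellman value itself. It says nothing about
what happens once a KDF is applied to that value, which is exactly where the
quoted reading of Tsaban's claim 9 locates its hypothetical generator/KDF
trap door.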