IETF Logo Mail Archive

Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 17 November 2015 02:01 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B79E91B3265 for <cfrg@ietfa.amsl.com>; Mon, 16 Nov 2015 18:01:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qTlToQEL-bJn for <cfrg@ietfa.amsl.com>; Mon, 16 Nov 2015 18:01:54 -0800 (PST)
Received: from mail-lf0-x22c.google.com (mail-lf0-x22c.google.com [IPv6:2a00:1450:4010:c07::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A7351B3264 for <cfrg@irtf.org>; Mon, 16 Nov 2015 18:01:54 -0800 (PST)
Received: by lfaz4 with SMTP id z4so34307282lfa.0 for <cfrg@irtf.org>; Mon, 16 Nov 2015 18:01:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=+j7hOJUlXZbn18U/MEWbuxpqGJKja9JkfU0Jb/4OiBk=; b=UpS9QyWtqFH646mid8yoYQBxwbjemiNFqzkXDi01gq+IxeQGmqQz49G6BjAd5DfvFV 8NhekBkvBfNsPYlYxcoe2qwYpUHAW1iAZYhhD0c+0mgdnJAM9EBWnS/z8gV6nJ+XtzXV LBXcHIL2+JV5V4h0EpgaykLmqbMYyXqdYkmAqIvlIKfF6XQ1qQwJBK72wnfUTj4ZvPzi 4mwjLIxBmiCcCAGjcPTM7YiFYycFwUMoCHov4lm9iFetW5DAlr7xOwPfZZS8SEkVxQNY AnRrcLtNkqJWBHF3OSK/ayhQyD/yAx5NYg22ANicOs9tYhWuQLk+QjYXen7mduOJSvpf 1i2w==
MIME-Version: 1.0
X-Received: by 10.25.29.202 with SMTP id d193mr4262776lfd.55.1447725711928; Mon, 16 Nov 2015 18:01:51 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Mon, 16 Nov 2015 18:01:51 -0800 (PST)
In-Reply-To: <CAMfhd9XgxrFyRxEqd=4NSX29t=ymQeyq3pT6VjpezUgrm6TyBg@mail.gmail.com>
References: <CAMfhd9XgxrFyRxEqd=4NSX29t=ymQeyq3pT6VjpezUgrm6TyBg@mail.gmail.com>
Date: Mon, 16 Nov 2015 21:01:51 -0500
X-Google-Sender-Auth: NoqFFacpjKpxGvgy6GuyLSgrbb0
Message-ID: <CAMm+LwiaKEHFRCFczQF+mUCKBLTVbaQ55P-KXNnjV3jEnnXWgA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Adam Langley <agl@imperialviolet.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Njav-L5yJ_b87vy5O5zXPCsbX7A>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 02:01:56 -0000

What is the probability that all zeros occurs at random?

Is there a mechanism that would allow an attacker to force use of all zeros?

On Mon, Nov 16, 2015 at 6:03 PM, Adam Langley <agl@imperialviolet.org> wrote:
> At the moment, the curves draft says that implementations MUST check
> for the all-zero output and abort if it's found, at least in
> Diffie-Hellman. The all-zero output results when the input point has
> small order and this sort of thing has, in the past, broken at least
> Tor and TLS channel bindings.
>
> While reactions on the list were ambivalent to the suggestion, I had
> hoped that implementations would take this requirement as a simple
> defence-in-depth measure in keeping with the general robustness theme
> of this work.
>
> I was mistaken. It's since become clear that some disagree
> sufficiently strongly about this that we aren't going to see a
> realignment of implementations around this behaviour. While I still
> think that it's a sensible requirement, RFCs that are prescriptive
> rather than descriptive are terrible and so I currently hope to switch
> from MUST to MAY once the draft has completed the editor's queue.
> Instead, some wording would be added to the Security Considerations
> section.
>
> This change contains the accumulation of tweaks that I currently have
> saved up, including this one:
> https://github.com/agl/cfrgcurve/commit/c7749d4bb5ceabdb30f211d4aaa6df2b68d7c5e1
>
> This email is notice that I currently plan on making this change. Note
> that the question here isn't whether the zero check is a good idea or
> not. Rather it's that, given that a non-trivial number of
> implementations aren't going to implement it, what's the best thing to
> write?
>
>
> Cheers
>
> AGL
>
> --
> Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email