Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS

Watson Ladd <watsonbladd@gmail.com> Fri, 24 January 2014 23:15 UTC

In-Reply-To: <52E2EB11.5030409@brainhub.org>
Date: Fri, 24 Jan 2014 15:15:06 -0800
Message-ID: <CACsn0ckBXotVh4FtUVSM2tGrN-GeR_xRGHaxFre6gfQ0r1yO7Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Andrey Jivsov <crypto@brainhub.org>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS

On Jan 24, 2014 2:42 PM, "Andrey Jivsov" <crypto@brainhub.org> wrote:
>
> On 01/24/2014 01:04 PM, Robert Ransom wrote:
>>
>> On 1/24/14, Andrey Jivsov <crypto@brainhub.org> wrote:
>>>
>>> On 01/24/2014 12:13 PM, Michael Hamburg wrote:
>>>>
>>>> On Jan 24, 2014, at 12:01 PM, Andrey Jivsov <crypto@brainhub.org> wrote:
>>>>>
>>>>> This should work for your suggestions to use the Elligator map,
>>>>> assuming that I get the corresponding scalar.
>>>>>
>>>>> I will need access to the private m for M=mG. I assumed it is sort of
>>>>> a user static public key.
>>>>>
>>>>> The server side adjustments are similar.
>>>>
>>>> It is critical to the security of SPAKE2 that nobody can know m.  Part
>>>> of why Elligator is nice is that it removes the possibility that
>>>> someone could somehow figure out m, thereby breaking the security of
>>>> the entire system.  It is an essential security feature of Elligator
>>>> (in this use and others) that it does not give you access to that
>>>> discrete log.
>>>>
>>>> So, in other words, you can’t do this, and changing the system so that
>>>> you can do this would break it.
>>>>
>>>> Cheers,
>>>> — Mike
>>>
>>> Given that I am trusted to keep my password, why am I not trusted to
>>> keep my m in M=m*G private?
>>
>> M and N are protocol parameters, and must be shared among all users.
>>
> I see. So the protocol allows a network of nodes where each one can be a
> server or a client. Given recent discussions on this list, the trusted 3rd
> party that is generating the M,N and forgetting the m,n had better be really
> trusted ;-).

All of this to save 32 bytes?

>
> The solution then is the "black box" one. Generate x randomly until the X
> = xG + h(pass)M is a compliant point. The expected number of tries should
> be 2. (See
> http://tools.ietf.org/html/draft-jivsov-ecc-compact-03#section-4.2.1, but
> the criterion is for X, not xG.)
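An added worked example (written for this page, not code from the thread or from draft-jivsov-ecc-compact) of the "black box" loop Andrey describes, and of the point Mike makes that M must have an unknown discrete log. It runs on the twisted Edwards form of Curve25519 (Ed25519 parameters); it assumes try-and-increment hashing as a stand-in for the Elligator map, and reads "compliant point" as the y-coordinate being the smaller of y and p-y, which is my reading of the draft rather than a quotation from it.

```python
import hashlib
import secrets
P = 2**255 - 19                                        # Ed25519 field prime
L = 2**252 + 27742317777372353535851937790883648493   # prime subgroup order
D = (-121665 * pow(121666, P - 2, P)) % P             # twisted Edwards constant d
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def inv(a):
    return pow(a, P - 2, P)
def add(p1, p2):
    # Complete affine addition law for the a = -1 twisted Edwards curve.
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)
def mul(k, pt):
    r, q = (0, 1), pt                                  # (0, 1) is the identity
    while k:
        if k & 1:
            r = add(r, q)
        q, k = add(q, q), k >> 1
    return r
def hash_to_point(label):
    # Try-and-increment hash-to-curve (assumed stand-in for Elligator): M comes
    # from a public label, so nobody knows the m with M = m*G, as SPAKE2 needs.
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "little") % P
        u, v = (y * y - 1) % P, (D * y * y + 1) % P    # need x with v*x^2 = u
        x = pow(u * inv(v) % P, (P + 3) // 8, P)
        if (v * x * x - u) % P:
            x = x * pow(2, (P - 1) // 4, P) % P        # try x * sqrt(-1)
        if (v * x * x - u) % P == 0:
            return mul(8, (x, y))                      # clear the cofactor
    raise ValueError("no curve point found for label")
def compliant(pt):
    # Assumed reading of the "compliant point" rule: y is the smaller of y, p-y.
    return pt[1] < P - pt[1]
def spake2_client_element(password, M):
    # The "black box" loop from the thread: draw x until X = x*G + h(pw)*M is
    # compliant, so X can be sent in compact form; expected tries is about 2.
    h = int.from_bytes(hashlib.sha256(password).digest(), "little") % L
    tries = 0
    while True:
        tries += 1
        x = secrets.randbelow(L - 1) + 1
        X = add(mul(x, G), mul(h, M))
        if compliant(X):
            return x, X, tries
```

Only X is sent, so the client keeps x and the rejected draws private; the verifier's side would redo the same compliance check on its own element.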