Re: [Cfrg] [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 12 January 2014 14:45 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74ED61ADF23 for <cfrg@ietfa.amsl.com>; Sun, 12 Jan 2014 06:45:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vz8eh5pxGm95 for <cfrg@ietfa.amsl.com>; Sun, 12 Jan 2014 06:45:55 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id B7C231AD8E1 for <cfrg@irtf.org>; Sun, 12 Jan 2014 06:45:55 -0800 (PST)
Received: from [192.168.13.102] (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 2CEB3F984; Sun, 12 Jan 2014 09:45:40 -0500 (EST)
Message-ID: <52D2AA91.8050804@fifthhorseman.net>
Date: Sun, 12 Jan 2014 09:45:37 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.1.1
MIME-Version: 1.0
To: Alyssa Rowan <akr@akr.io>, cfrg@irtf.org
References: <87eh4e7a2y.fsf@latte.josefsson.org> <52D18475.10709@akr.io> <20140112062942.GA32437@LK-Perkele-VII> <52D29153.7000301@akr.io>
In-Reply-To: <52D29153.7000301@akr.io>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="f4D30Rs87oOEXp0d63KrNUD4Mman5AwOx"
Subject: Re: [Cfrg] [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jan 2014 14:45:57 -0000

On 01/12/2014 07:57 AM, Alyssa Rowan wrote:
>     · Fast hardware performance is a negative in a PBKDF or a Hashcash,
>       which we actually want to be slow to measure out workfactor of
>       brute-force.
>     · But it's a positive in a signature scheme, as long as the hash is
>       strong enough to resist any plausible second-preimage attack.
>     · And it [keccak] is.
>     · A collision would not suffice here.

What makes you say that a collision attack isn't relevant against a
signature scheme?  The classic collision attack against a signature
scheme is:

 * attacker generates A, B, such that H(A) = H(B)
 * attacker asks victim to sign A
 * victim signs A over digest H
 * attacker applies signature to B

This is how the hashclash/rogue-CA project did its work [0], and it's a
conceivable attack against anything from OpenPGP certifications to
document signatures to revision control [1].

Or am i misunderstanding the context in which you're saying that a
collision would not suffice?

Regards,

	--dkg

[0] http://www.win.tue.nl/hashclash/rogue-ca/
[1]
http://joeyh.name/blog/entry/size_of_the_git_sha1_collision_attack_surface/