Re: [Cfrg] 2^40. I can't exhibit it, but it exists.

Michael Hamburg <mike@shiftleft.org> Tue, 04 February 2014 22:31 UTC

From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7F7C@SC-VEXCH2.marvell.com>
Date: Tue, 04 Feb 2014 14:31:44 -0800
Message-Id: <96C4482C-A234-42CD-94D0-57376EA83BD0@shiftleft.org>
To: Paul Lambert <paul@marvell.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] 2^40. I can't exhibit it, but it exists.

On Feb 4, 2014, at 2:06 PM, Paul Lambert <paul@marvell.com> wrote:

> >From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Watson Ladd
> >Sent: Tuesday, February 04, 2014 12:12 PM
>  
> >This attack is interesting because of the limits it puts on reductions, which are 
> >the main tool for doing cryptography. If dragonfly could be shown to have no 
> >other weaknesses this would be fine, but no such proof is forthcoming.
> 
> When you say ‘no other’ you continue to imply that you have identified a realistic exploitable weakness. The difficulty in ‘reducing’ the Dragonfly proposal is not an exploitable flaw.  The changes necessary in the protocol to allow a formal proof may in fact weaken the overall security of the protocol (reference below).
> 
Does that reference actually show a case where provable security makes things weaker?  It looks from the abstract as though “security loss” just means that you can’t make the proof’s bounds as tight as you’d hope, at least for standard proof strategies.

Cheers,
— Mike