[Cfrg] Influences [was RE: [TLS] draft-sheffer-tls-bcp: DH recommendations]

Dan Brown <dbrown@certicom.com> Tue, 24 September 2013 17:12 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id B7D3221F9FB0 for <cfrg@ietfa.amsl.com>; Tue, 24 Sep 2013 10:12:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.297
X-Spam-Status: No, score=-3.297 tagged_above=-999 required=5 tests=[AWL=-0.698, BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 4rppghemoOEZ for <cfrg@ietfa.amsl.com>; Tue, 24 Sep 2013 10:12:06 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com []) by ietfa.amsl.com (Postfix) with ESMTP id D702521F9654 for <cfrg@irtf.org>; Tue, 24 Sep 2013 10:12:03 -0700 (PDT)
Received: from xct108cnc.rim.net ([]) by mhs210cnc.rim.net with ESMTP/TLS/AES128-SHA; 24 Sep 2013 13:11:59 -0400
Received: from XCT104CNC.rim.net ( by XCT108CNC.rim.net ( with Microsoft SMTP Server (TLS) id; Tue, 24 Sep 2013 13:11:59 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT104CNC.rim.net ([::1]) with mapi id 14.03.0123.003; Tue, 24 Sep 2013 13:11:59 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'pgut001@cs.auckland.ac.nz'" <pgut001@cs.auckland.ac.nz>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Influences [was RE: [TLS] draft-sheffer-tls-bcp: DH recommendations]
Thread-Index: AQHOuUktG+5nB0g8YkGHYlekBPKRbA==
Date: Tue, 24 Sep 2013 17:11:56 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5BDA0EE@XMB116CNC.rim.net>
References: <9A043F3CF02CD34C8E74AC1594475C7355676085@uxcn10-6.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C7355676085@uxcn10-6.UoA.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Subject: [Cfrg] Influences [was RE: [TLS] draft-sheffer-tls-bcp: DH recommendations]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 17:12:11 -0000

> -----Original Message-----
> From: Peter Gutmann
> Sent: Tuesday, September 24, 2013 12:46 AM
> To: tls@ietf.org
> ... you've got potentially NSA-influenced values
> like P256 that the NSA has been awfully keen to get everyone to use,
> and that even without NSA skullduggery make a nice single target for
> attack.  So that's an entirely different problem.

1. You seem to be saying there that P256 has security problems (unless it does not), which is something that AFAIK no other cryptographer has ever noticed.  Perhaps you could clarify the weakness for the list, and then consider publishing a conference paper on it.  It sounds like an amazing breakthrough in the cryptanalysis of P256.  [Just borrowed your own phrasing about HMAC on another TLS thread, Peter, thanks.]

2. What is the consensus on possible influences on SHA1 and SHA2, compared to P256 and other NIST curves?  These hashes do not have magic constants, but small changes in hash algorithm can cause large weaknesses (as in SHA0, SHA1 and various SHA3 candidates).  On one hand, P256 etc depend on SHA1; on the other, only a negligible fraction of curves have been compromised.  I do not have a good sense about what to say for hash functions.  Can one say that only a negligible fraction of some natural class of hash functions to which MD5, SHA0, SHA1, and SHA2 belong, has been broken?
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.