Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Sun, 11 April 2021 12:46 UTC
Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0DDE3A09BD for <cfrg@ietfa.amsl.com>; Sun, 11 Apr 2021 05:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5AJs89NM837w for <cfrg@ietfa.amsl.com>; Sun, 11 Apr 2021 05:45:56 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 240B93A0BD9 for <cfrg@irtf.org>; Sun, 11 Apr 2021 05:45:43 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id m3so11759926edv.5 for <cfrg@irtf.org>; Sun, 11 Apr 2021 05:45:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FJv+veK+/lhHOwtJbyOArMmUeBbhPQzqVPNv3gx6ohI=; b=c+g3o/0gJA30zsUPfrVDD5RXxDebB6/DTYuch6YOZNhhEvBoruYe83tfvcZY+C+WWQ sN1OgioPieZsycu4b11Mo9AWkLE0WUufSHgDe01Pcl77IVUI97CBop6wF7kPaKW49DUX mnOGSwh0hrMNSSWQMHIvqByasbLSdAaqBIVtScQWsQw9jZHw9jPBGVylI4Ualf0s079L 6kWRTCm0b/iIg/hfT85bbAXH0utq2CTq3HRVp0is+mqJkkNIV1qqxBR1O9GiVjWxEkgN +1NGTCqF+aWT/27XTw/X+xYJq/dTzrUVNxqzro7I18Cqj7SotkL4TBYkoIof151mB0AW Ub+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FJv+veK+/lhHOwtJbyOArMmUeBbhPQzqVPNv3gx6ohI=; b=FOvJMG9roVzorzvLVFvy2STJ5hx7VxGjRq4Lfbru5mMezAoBff1VLthMN6NatYnQ1C kto7rxDCC0ukkJJKTOwvgHkpqsGjw8yudfGb9r302JY6dbR0paFCvI80k5H3eFeruQHb as53Pwml4piks2MSWEicc06lVFQ7i/HhOPyYpm5t/67vu5YrHrJD21+4kDYUluOg1hzk XxOYnr6mMogd2wXR6wE9UNXAokwH5XH5w7b1BfakcHfscViBaWpEP/dubR1sNvrmmGFy Rj3iDIo9IHj3Lzp6s294UovnT5734fTjt5tkvxRTWqGUKhqBaBibcDTKHlYSAA78UBk1 sTHw==
X-Gm-Message-State: AOAM5338gX62BmuWTG6VgDzGZ0UVnxbIbZqV0KgO5we1QobFjCr81/0Q qVgUP79HPES2kB9n7wN0nWpJQwOkGt8BzdUK3jc=
X-Google-Smtp-Source: ABdhPJx1+qhbtjfYcVgYn5iyVgS8ZSX5Dr5iW8WXzL4cJIvYJVaD1H+6OaXzU9LELuRqm47Q44PGoBR5kwyIex/EQEI=
X-Received: by 2002:a05:6402:882:: with SMTP id e2mr25263423edy.358.1618145140711; Sun, 11 Apr 2021 05:45:40 -0700 (PDT)
MIME-Version: 1.0
References: <e270e62d-941d-0a87-7dc9-cf80f73b5aeb@jacaranda.org> <d0778523-5f5d-4327-b795-279918c1899c@www.fastmail.com> <CAMr0u6=PBX1W5zQFmpxKQ=ViUXN9QK00BREL4M0=2HOkaXaiZw@mail.gmail.com> <VI1SPR01MB03573585C37B871D200ECC23D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <trinity-f323065e-9f30-48fd-9ead-0865e8f877eb-1618002469856@3c-app-webde-bap03> <VI1SPR01MB035772443E4DA3206E4CD4D3D6739@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <7944D4F1-81F8-44FC-95D1-45D47733B385@shiftleft.org> <VI1SPR01MB03574E592790FD59C1ACEB84D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <20210410151254.7ze5pt4lpvblhk3f@muon> <CADi0yUNo7o07qM2Qw8yd_eVw_-cM-9wNy3CrLw_Pif79oD_+Og@mail.gmail.com> <VI1SPR01MB0357253A9BA2C2544D6B3F51D6729@VI1SPR01MB0357.eurprd01.prod.exchangelabs.com> <CADi0yUP-Q-bjmDn-RpiVkns4c8ruK97SidFycg1cPVPJvdFB4w@mail.gmail.com> <AM6PR01MB427851BEC3094FB01902DA1DD6719@AM6PR01MB4278.eurprd01.prod.exchangelabs.com>
In-Reply-To: <AM6PR01MB427851BEC3094FB01902DA1DD6719@AM6PR01MB4278.eurprd01.prod.exchangelabs.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Sun, 11 Apr 2021 15:45:29 +0300
Message-ID: <CAMr0u6muVn0qNwD8Dv+N+SACS8DUefhzc1Z4CYtt30VPAP63-A@mail.gmail.com>
To: "Hao, Feng" <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>
Cc: CFRG <cfrg@irtf.org>, Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: multipart/alternative; boundary="0000000000004ea64c05bfb1c653"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ScJFeDae9FrAO7tuAsNPQ0YHSX0>
Subject: Re: [CFRG] Small subgroup question for draft-irtf-cfrg-hash-to-curve
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Apr 2021 12:46:02 -0000
Hi all, With my chair’s hat off, I completely agree with Russ Housley: adding some comments about the issue and recommendations for implementors to the Security Considerations section seems to be a good solution here. Regards, Stanislav Вс, 11 апр. 2021 г. в 13:37, Hao, Feng <Feng.Hao= 40warwick.ac.uk@dmarc.ietf.org>: > > - I don't see any timing attack here. We are talking about a user that > chooses a password that is mapped to the identity (let's call such a > password *magic) *and is asked to choose a new one. Only non-magic > passwords are allowed. All the attacker learned is that the user > *initially* chose a magic password that was rejected and then chose > a regular non-magic password. It knows nothing about the user's accepted > password. > > > > Once the map-to-curve output falls into a small subgroup, it’s a > non-recoverable failure mode as the password is inevitably disclosed to a > passive attacker by the side-channel. Now the user has to choose a new > password. This is the same as CPace (using the hash-to-curve draft). The > new password is of course fine. But the scenario might re-cur when the user > tries to change passwords. > > > - Of course, this is a purely fictional discussion since the > probability to have a magic password in a dictionary of 2^128 passwords (as > rich as an AES-128 random key) is 2^{-128} (for curves of size 2^256). > > > > As I clarified before, I don’t claim this is a practical attack. So far > this is mostly a thought experiment, which I hope can help better > understand the PAKE system when you have the real hash-to-curve function > included. > > > > What this though experiment shows is an idiosyncrasy in the system. It > seems the small subgroup confinement issue hasn’t been considered in CPace > and OPAQUE. This is understandable given that both protocols have been > assuming hash-to-curve as an idealized function. Fortunately, for the curve > settings considered in the hash-to-curve draft, the size of the small > subgroups is so small that the practical effect is negligible. But the > effect can be dramatically different when CPace and OPAQUE are implemented > in a different group where the size of the small subgroup is not small, > e.g., DSA, Schnoor. > > > > We know that both CPace and OPAQUE have been rigorously analysed to be > provably secure in a strong universally composable model. That’s all good, > but what exactly does this mean? The proof makes assumptions, which > typically include certain hard math problems. What the above though > experiment shows that for both protocols, the assumptions also include > implementation choices, in particular, the size of the small subgroup must > be small. This constrains the protocols to specific group settings, and not > generally applicable to other group setting as one might have expected. > > > > The idiosyncrasy itself is not a problem (depending on how you view it). > In the history of PAKE development, there are lots of examples that certain > aspects of a PAKE system are idiosyncratic but can do negligible harm when > you choose very specific implementation settings. > > > > As an example, in 1996, Jaspan described an idiosyncrasy in DH-EKE [1]. > The possibility that the password-encrypted item may be decrypted to a > value > p gives an oracle for a passive attacker to exclude certain > passwords. Of course, one can argue we can mitigate the effect of this > issue by carefully choosing the group parameters: namely, choosing a safe > prime that is as close to the power of 2 as possible. Thus you can mitigate > the effect of the leakage as low as you want, say below <2^{-128}. The > theoretical leakage is still there, but the practical effect is negligible. > This is fine, but it does mean one has to very carefully choose which > specific group setting to implement the protocol, and the same protocol can > be trivially insecure in other groups. > > > > SRP is another example. In 2010, I analyzed SRP-6. I didn’t find practical > attacks, but found an idiosyncrasy in the system [2]. The mixing up of > operations in different groups including small sub-groups gives a > possibility that an online attacker may guess more than one password. This > is not any practical attack and the effect on the practical security of > SRP-6 is negligible. However, this idiosyncrasy shows that it’s simply > impossible to prove the online dictionary attack resistance for SRP-6 > (namely, limiting to one guess per execution). Indeed, no one has proved > that property for SRP-6. > > > > There are other examples, but I won’t go on here. > > > > In summary, with the current hash-to-curve functions defined in the draft, > the practical effect of a small subgroup confinement is negligible for > OPAQUE and CPace. I was hoping we could remove this effect (never mind how > small it might be) so the security claims in CPace/OPAQUE can be cleaner > and the hash-to-curve draft can be more useful, but if people think that > can’t be done or is a waste of time, that’s OK! In that case, one might > need to explicitly state the assumptions (not just math problems, but also > specific implementation choices) and be very careful in applying the > provable security claim to different group settings. > > > > [1] Jaspan, “Dual-workfactor Encrypted Key Exchange: Efficiently > Preventing Password Chaining and Dictionary Attacks”, 1996. > > > > [2] Hao, "On Small Subgroup Non-Confinement Attacks," 2010. > https://www.dcs.warwick.ac.uk/~fenghao/files/Analysis_of_SRP_final.pdf > > > > Cheers, > > Feng > > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] Comment on draft-irtf-cfrg-hash-to-curve-10 Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Christopher Wood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- [CFRG] Small subgroup question for draft-irtf-cfr… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Russ Housley
- Re: [CFRG] Small subgroup question for draft-irtf… Richard Outerbridge
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Scott Fluhrer (sfluhrer)
- Re: [CFRG] Small subgroup question for draft-irtf… Armando Faz
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- [CFRG] please use real names (was: Re: Small subg… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Rene Struik
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] Small subgroup question for draft-irtf… Watson Ladd
- Re: [CFRG] Small subgroup question for draft-irtf… rsw
- Re: [CFRG] Small subgroup question for draft-irtf… Loup Vaillant-David
- Re: [CFRG] Small subgroup question for draft-irtf… Riad S. Wahby
- Re: [CFRG] please use real names (was: Re: Small … Filippo Valsorda
- Re: [CFRG] please use real names (was: Re: Small … Scott Arciszewski
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Watson Ladd
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] please use real names (was: Re: Small … Henry de Valence
- Re: [CFRG] please use real names (was: Re: Small … Dan Harkins
- Re: [CFRG] Small subgroup question for draft-irtf… Hugo Krawczyk
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Squeamish Ossifrage
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Small subgroup question for draft-irtf… Stanislav V. Smyshlyaev
- Re: [CFRG] Small subgroup question for draft-irtf… Björn Haase
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Daniel Franke
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] Small subgroup question for draft-irtf… Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Colin Perkins
- Re: [CFRG] please use real names (was: Re: Small … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] please use real names (was: Re: Small … Soatok Dreamseeker
- Re: [CFRG] please use real names (was: Re: Small … Mike Hamburg
- Re: [CFRG] please use real names (was: Re: Small … Michael StJohns
- Re: [CFRG] Small subgroup question for draft-irtf… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Michael Sierchio
- [CFRG] Closure (was Re: Small subgroup question f… Hao, Feng
- Re: [CFRG] please use real names (was: Re: Small … Phillip Hallam-Baker
- Re: [CFRG] please use real names (was: Re: Small … Peter Gutmann
- Re: [CFRG] please use real names (was: Re: Small … David Jacobson
- Re: [CFRG] please use real names (was: Re: Small … Julia Hesse
- Re: [CFRG] Closure (was Re: Small subgroup questi… Armando Faz
- Re: [CFRG] Closure (was Re: Small subgroup questi… Hao, Feng
- Re: [CFRG] Closure (was Re: Small subgroup questi… Mike Hamburg
- Re: [CFRG] thoughts on clearing the cofactor in h… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Stanislav V. Smyshlyaev
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Riad S. Wahby
- [CFRG] (suggested language re mixing square roots… Rene Struik
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Loup Vaillant-David
- Re: [CFRG] Comment on draft-irtf-cfrg-hash-to-cur… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Daira Hopwood
- Re: [CFRG] (suggested language re mixing square r… Rene Struik
- Re: [CFRG] please use real names (was: Re: Small … isis agora lovecruft