Re: [Cfrg] 2^40. I can't exhibit it, but it exists. -> Re: I-D Action: draft-irtf-cfrg-dragonfly-03.txt

David McGrew <mcgrew@cisco.com> Tue, 04 February 2014 13:02 UTC

Message-ID: <52F0E4D9.1010600@cisco.com>
Date: Tue, 04 Feb 2014 08:02:17 -0500
From: David McGrew <mcgrew@cisco.com>
To: Paul Lambert <paul@marvell.com>
References: <CF15D9D2.2E696%paul@marvell.com>
In-Reply-To: <CF15D9D2.2E696%paul@marvell.com>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] 2^40. I can't exhibit it, but it exists. -> Re: I-D Action: draft-irtf-cfrg-dragonfly-03.txt

Hi Paul and Watson,

On 02/04/2014 03:05 AM, Paul Lambert wrote:
>
>
>     > A proof might be desirable but should not block the use of a proposed protocol.
>     > For example there is no adequate proof that integer factorization is "secure".
>     > This is not a reason to stop using RSA based algorithms. The lack of
>     > a complete security proof for draft-irtf-cfrg-dragonfly-03.txt should not
>     > stop its use (in fact it's already in other standards that would benefit
>     > from the analysis and improvements of this group).
>
>     But there is a proof that OAEP has a reduction to RSA security.
>     PKCS 1.5 had no proof, and got broken a few times. RSA has been
>     intensively studied for decades, dragonfly hasn't. Slight variants
>     of RSA (Rabin-Williams) are provably reducible to factoring, an
>     extensively studied problem for centuries.
>
> You missed the point.  The difficulty of factoring as a problem to 
> build secure systems is not provable.
> . . .
>

Paul, you are right that the computational cost of factoring the product 
of two large primes is unknown, and there is no proof that it is hard. 
But Watson also has a point, that the factoring problem is easily 
understood and has been very well studied. In particular, it has been 
better studied than the dragonfly security conjecture, whatever that 
conjecture is. (Has it been isolated?)

At the end of the day, none of the crypto that we use is actually proven 
to be unconditionally secure. (I'm ignoring information theoretic 
security here, to make the discussion easier ;-) It might be proven to 
be secure if factoring is hard, or if AES with a random secret key is 
indistinguishable from a random permutation, or under some other 
well-understood conjecture. It is a major goal to reduce the number of 
conjectures that we need to rely on, and to rely on conjectures that we 
have more confidence in.

I think we should prefer algorithms and protocols that rely only on 
well-understood conjectures. I will hedge this statement, though, and 
say that the security conjectures are just one factor in the decision 
making process. For instance: the Blum Blum Shub (BBS) pseudorandom 
number generator is secure if factoring is hard, but we use AES- or HMAC-
based PRNGs instead, because BBS would be *slow*. Furthermore, it is 
quite possible that AES-CTR is more secure than BBS; it may well be that 
we see advances in the state of the art in factoring.

>     > Watson, in your technical analysis of the
>     > protocol in its current form (draft-irtf-cfrg-dragonfly-03.txt),
>     > can you identify any exploitable security flaw specific to
>     > the protocol?
>
>     Yes: an algorithm exists that guesses passwords in time 2^40. I
>     can't exhibit it, but it exists. JPAKE doesn't have this issue.
>

Watson, can you quantify the claim of 2^40?

David

> I will take your answer as a ‘no’ - you are unable to identify any 
> exploitable security flaw with draft-irtf-cfrg-dragonfly-03.txt
>
> Making such repeated and adversarial negative pronouncements on a 
> technical topic without documentation or your own demonstrable 
> analysis would be considered by some to be unprofessional behavior.
>
>
> Paul
>
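David's BBS-versus-AES/HMAC remark is the one concrete engineering point in this exchange, so here is an added example (not part of the thread, and not anyone's reference implementation) that puts numbers on it. It implements Blum Blum Shub with the classic toy Blum primes p = 11, q = 23 and seed 3 (constructed, far too small for real use), emits the most conservative one bit per modular squaring, and sets it beside a counter-mode HMAC-SHA256 keystream of the kind HMAC-based DRBGs are built from. The `cost_comparison` function counts the expensive operation each generator spends per output bit; the `main` block additionally generates 512-bit Blum primes with a plain Miller-Rabin test (an assumption of this example, not a parameter anyone in the thread proposed) and times both generators so the "BBS would be slow" point is visible rather than asserted.

```python
import hashlib
import hmac
import math
import secrets
import time

# Toy Blum primes (constructed for illustration; far too small for real use).
# Both are congruent to 3 mod 4, as Blum Blum Shub requires.
TOY_P = 11
TOY_Q = 23
TOY_SEED = 3


def bbs_bits(p, q, seed, nbits):
    """Blum Blum Shub: x_{i+1} = x_i^2 mod N, one low bit emitted per squaring.

    Returns (bits, squarings) so the caller can see the cost per output bit.
    """
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be 3 mod 4 (Blum primes)")
    n = p * q
    if math.gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to N")
    x = pow(seed, 2, n)          # x_0 = seed^2 mod N
    bits = []
    squarings = 0
    for _ in range(nbits):
        x = pow(x, 2, n)         # one modular squaring buys one output bit
        squarings += 1
        bits.append(x & 1)
    return bits, squarings


def hmac_ctr_bits(key, nbits):
    """Counter-mode HMAC-SHA256 keystream (HKDF-expand style), for comparison.

    Returns (bits, hmac_calls); every call yields 256 bits.
    """
    bits = []
    calls = 0
    counter = 0
    while len(bits) < nbits:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        calls += 1
        counter += 1
        for byte in block:
            bits.extend((byte >> i) & 1 for i in range(8))
    return bits[:nbits], calls


def cost_comparison(nbits):
    """Expensive operations each generator spends to produce nbits."""
    _, squarings = bbs_bits(TOY_P, TOY_Q, TOY_SEED, nbits)
    _, calls = hmac_ctr_bits(b"constructed-demo-key", nbits)
    return {"bbs_modular_squarings": squarings, "hmac_sha256_calls": calls}


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (hypothetical helper for the timing demo)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_blum_prime(bits):
    """Random probable prime of the given size with p % 4 == 3."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 3   # top bit set, low bits 11
        if is_probable_prime(cand):
            return cand


if __name__ == "__main__":
    nbits = 4096
    p, q = random_blum_prime(512), random_blum_prime(512)      # 1024-bit N, demo size only
    seed = secrets.randbelow(p * q - 2) + 2
    t0 = time.perf_counter()
    bbs_bits(p, q, seed, nbits)
    t1 = time.perf_counter()
    hmac_ctr_bits(secrets.token_bytes(32), nbits)
    t2 = time.perf_counter()
    print(f"{nbits} bits: BBS {t1 - t0:.4f}s vs HMAC-CTR {t2 - t1:.6f}s")
    print(cost_comparison(nbits))
```

The op counts are the whole story: with one bit per squaring, 4096 bits cost BBS 4096 modular squarings of a 1024-bit number, while the HMAC keystream needs 16 calls. Even extracting the log2(log2(N)) bits per step that the BBS security argument permits closes only a small part of that gap.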