[Cfrg] (flaws with Curve25519 DH function, if one does not check the output) Re: Elliptic Curves - curve form and coordinate systems

Rene Struik <rstruik.ext@gmail.com> Mon, 16 March 2015 13:38 UTC

Message-ID: <5506DCE1.4030406@gmail.com>
Date: Mon, 16 Mar 2015 09:38:41 -0400
From: Rene Struik <rstruik.ext@gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
References: <5501E6A5.5040608@brainhub.org> <A6F30412-8E0A-4D8D-9F26-580307B46874@shiftleft.org> <20150316002255.28855.qmail@cr.yp.to> <20150316044906.GA27479@mournblade.imrryr.org> <5506D5BB.3090700@gmail.com> <20150316133217.GA4065@LK-Perkele-VII>
In-Reply-To: <20150316133217.GA4065@LK-Perkele-VII>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/VgfhjlfVKnoCuVGamzf_-vQrB_8>
Cc: cfrg@irtf.org
Subject: [Cfrg] (flaws with Curve25519 DH function, if one does not check the output) Re: Elliptic Curves - curve form and coordinate systems

Hi Ilari:

I do not understand this: if one uses k=H(X,Y,K), where X is one's own 
key contribution, where Y is the received one, where K is the computed DH 
key using the Curve25519 function, and where H is a hash function, then 
taking for Y a point of order dividing the co-factor h=8 of the curve 
results in key K=0 and k=H(X,Y,0), i.e., it is publicly computable.

Could you explain what you meant (or send some emergency morning coffee 
supplies)?

Best regards, Rene

On 3/16/2015 9:32 AM, Ilari Liusvaara wrote:
> On Mon, Mar 16, 2015 at 09:08:11AM -0400, Rene Struik wrote:
>> Hi Viktor:
>>
>> I *did* comment on the DH function, which, with Montgomery-style
>> specification as in the "Curve25519" draft, is completely insecure,
>> if one does not check the output to be nonzero.
> Just hashing in the exchange keys is enough, and every protocol
> should do this, except some do not (*cough* TLS *cough*).
>
> SSH does hash the exchange keys and thus can't be attacked via
> small subgroups, even if implementation doesn't check.
>
> Also, it gets even worse with finite-field DH, since if arbitrary
> fields are allowed, there is no realistic way to check, and even
> if fields are fixed, there are small subgroups.
>
>
> -Ilari


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
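The point Rene makes above, as an added illustration that is not code from the thread: a pure-Python X25519 ladder following RFC 7748, the k = H(X, Y, K) derivation with no check on K, and beside it the same derivation that rejects an all-zero K. The sample private keys and the choice of SHA-256 as H are constructed assumptions.

```python
import hashlib

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (486662 - 2) / 4, the ladder constant from RFC 7748

def _clamp(k: bytes) -> int:
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")     # always a multiple of 8

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: returns the raw 32-byte u-coordinate of k*u."""
    n, x1 = _clamp(k), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    # A low-order u (0, 1, ...) times a multiple of 8 is the identity, so z2 == 0
    # and pow(0, P-2, P) == 0: the function silently returns 32 zero bytes.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

BASE = (9).to_bytes(32, "little")
ALICE_PRIV, BOB_PRIV = bytes(range(32)), bytes(range(32, 64))   # constructed sample keys
ALICE_PUB, BOB_PUB = x25519(ALICE_PRIV, BASE), x25519(BOB_PRIV, BASE)
def key_unchecked(my_priv, my_pub, peer_pub):
    """k = H(X, Y, K) with no check on K: a low-order Y makes k public."""
    return hashlib.sha256(my_pub + peer_pub + x25519(my_priv, peer_pub)).digest()

def key_checked(my_priv, my_pub, peer_pub):
    """Same derivation, but reject an all-zero K; None means abort the handshake."""
    K = x25519(my_priv, peer_pub)
    if K == bytes(32):
        return None
    return hashlib.sha256(my_pub + peer_pub + K).digest()

def outsider_guess(my_pub, peer_pub):
    """What anyone can compute from the public transcript if K is known to be zero."""
    return hashlib.sha256(my_pub + peer_pub + bytes(32)).digest()
```

Hashing the exchanged public keys into k does not help here: once K is forced to zero, every input to H is on the wire, so the only effective defence is the all-zero check (or an equivalent low-order point check) before K is used.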