Re: [Cfrg] Security proofs v DH backdoors
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 02 November 2016 12:05 UTC
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Dan Brown <danibrown@blackberry.com>
Date: Wed, 02 Nov 2016 12:05:12 +0000
Message-ID: <D43F847C.79426%kenny.paterson@rhul.ac.uk>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XxMvzB9ZqL5p03sk7zQZlC4PKuA>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
Hi Dan,

Bringing this thread back to where it started...

On 25/10/2016 14:30, "Cfrg on behalf of Ilari Liusvaara" <cfrg-bounces@irtf.org on behalf of ilariliusvaara@welho.com> wrote:

>On Tue, Oct 25, 2016 at 01:10:16PM +0000, Dan Brown wrote:
>> How do the 3 recent IACR eprints on FFDH backdoors reconcile with
>> past security proofs for TLS, SSH, etc?
>>
>> Some guesses: (1) the attacks are outside the security definitions
>> (=> attacks not so important?), (2) the proofs assume strong FFDH
>> groups plus validation, etc.
>
>I guess the proofs assume strong FFDH groups, such that dlog and
>dh attacks are infeasible.

I can confirm that this is the correct explanation, at least for TLS.

For example, the security proof* for static DH ciphersuites in [1, Section 7] assumes that a certain CDH-like assumption holds (specifically, the PRF-ODH assumption, which concerns the combination of the KDF used in TLS and the DH problem). This assumption is stronger than the assumption that the DLP is hard in the specific group in which the protocol is run. The proof in [1] also assumes group membership tests are carried out (which, as has been discussed on this thread, is a problem for TLS, where the server cannot tell the client anything about the group, not even its claimed order).

In the group instances under discussion, PRF-ODH is not hard for an adversary who has the trapdoor/backdoor information.

Cheers,

Kenny

---

*Other proofs for this and other modes are available in the literature.

[1] Hugo Krawczyk, Kenneth G. Paterson, Hoeteck Wee: On the Security of the TLS Protocol: A Systematic Analysis. CRYPTO (1) 2013: 429-448

>
>I think there was one TLS implementation that tries to verify the
>groups sent (of course, not all can be verified, even if those
>aren't maliciously constructed).
>
>And the backdoors in one of the papers were about constructing
>prime such that one can use faster special case for dlogs. That
>can't be easily discovered, even if one somehow can obtain the
>group order. So one can't validate against it.
>
>
>-Ilari
>
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg
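The group membership test that the proof in [1] assumes, and the weaker check that is all a client can do when the server sends only (p, g, Ys) and never the subgroup order q, can be illustrated in code. The example below is added here and is not code from the thread, from [1] or from any TLS implementation; the group parameters are constructed toy values (p = 23 and p = 31), not real TLS groups, and the primality test uses fixed Miller-Rabin bases that are an assumption sufficient only for small integers. It also shows the one case where a client can recover q on its own: when p is a safe prime, q = (p-1)/2, which is what a group-verifying implementation of the kind Ilari mentions can check.

```python
"""Finite-field DH public-value validation: full subgroup check versus
range-only check (constructed example, not from the CFRG thread or [1])."""

# Fixed Miller-Rabin bases; deterministic for n < 2**64, probabilistic above.
# Assumption: toy moduli here are tiny, so this is more than enough.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin primality test with the fixed bases above."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_subgroup_order(p: int):
    """Return q = (p-1)/2 if p is a safe prime, else None.
    A TLS 1.2 ServerKeyExchange carries only (p, g, Ys); q is never on the
    wire, so the client can recover it only when p happens to be safe."""
    if not is_prime(p):
        return None
    q = (p - 1) // 2
    return q if is_prime(q) else None


def validate_full(y: int, p: int, q: int) -> bool:
    """The membership test the proof assumes: y in [2, p-2] and y^q == 1 (mod p),
    i.e. y lies in the prime-order-q subgroup and not in any small subgroup."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


def validate_range_only(y: int, p: int) -> bool:
    """All that is possible when q is unknown: rejects 0, 1 and p-1 only."""
    return 2 <= y <= p - 2


def validate_peer_value(y: int, p: int) -> str:
    """Client-side decision: full check when q can be recovered from p,
    otherwise fall back to the range check and report that weaker result."""
    q = safe_prime_subgroup_order(p)
    if q is None:
        return "range-only" if validate_range_only(y, p) else "reject"
    return "full-ok" if validate_full(y, p, q) else "reject"


if __name__ == "__main__":
    # p = 23 is a safe prime (q = 11): 2 generates the order-11 subgroup,
    # 5 is a quadratic non-residue of order 22, 22 = p-1 has order 2.
    for y in (2, 5, 22):
        print(f"p=23 y={y}: {validate_peer_value(y, 23)}")
    # p = 31 is prime but (31-1)/2 = 15 is not, so q cannot be recovered.
    # 5 has order 3 mod 31, yet the range check alone cannot reject it.
    print(f"p=31 y=5: {validate_peer_value(5, 31)}")
```

The second group shows the point made above about TLS: with p = 31 the client learns nothing about the subgroup order, so a value of order 3 passes the only check available, whereas with the safe prime p = 23 the same kind of off-subgroup value is rejected. Neither check detects the backdoored primes Ilari describes, where p has a special structure that speeds up the discrete logarithm; that is why the proof's assumption has to be about the hardness of the problem in the group, not just about membership.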