IETF Logo Mail Archive

Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt

Mike Hamburg <mike@shiftleft.org> Tue, 04 February 2014 18:29 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EEB41A01BA for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 10:29:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.556
X-Spam-Level: *
X-Spam-Status: No, score=1.556 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bSmxcx3eGzjd for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 10:29:56 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-157-v301.PUBLIC.monkeybrains.net [199.116.74.157]) by ietfa.amsl.com (Postfix) with ESMTP id 913911A0100 for <cfrg@ietf.org>; Tue, 4 Feb 2014 10:29:56 -0800 (PST)
Received: from [192.168.1.147] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id A52873AA04; Tue, 4 Feb 2014 10:26:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1391538412; bh=nxigJl6RxqG4hosN702eNHzwf+3IaBBF010nV2e32ZQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=grOQWS43vJsGGwqjrLQPRgIHf7RT+yBZCsYeTdAtWppBMMkPXRAeKJrVZK30bxS0v 6e9KCjpkgMmKmZkezWC8luCSXya1lkmhzSCXXftof6AzjQSixId4aFaPJWLAqTFmi6 H/BG135Jk3BGFr2HYLdE+ybHRP8kd9UjvZpWQpfg=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <CACsn0cmDT-FAN8uMZ0w8TX6GKPAZjnrexLeFQd7QhRfoY6AGFQ@mail.gmail.com>
Date: Tue, 04 Feb 2014 10:29:53 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <ADBC341A-EABC-43B9-B19B-B66FB69B01C5@shiftleft.org>
References: <20140203192451.6268.76511.idtracker@ietfa.amsl.com> <7af2f9df96e5867d493c614806235363.squirrel@www.trepanning.net> <CACsn0cm1f-P95je5AbEbZ02Ut3+HM7Hx28P6j46TqE-=06eZDg@mail.gmail.com> <52F00EF3.3040505@cisco.com> <CACsn0c=zS5GKex3eF_hKgTsL1kH=TiBi3iAP9oMrJ9hDQcT4Gw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7DE5@SC-VEXCH2.marvell.com> <CACsn0cn0TaHsDkyN2ewOorxxBzXivCg=QGR-ZnBiC3nJhvhpRg@mail.gmail.com> <14AB44E0-4C90-4E4C-A656-885A31CF4C02@checkpoint.com> <CACsn0cmDT-FAN8uMZ0w8TX6GKPAZjnrexLeFQd7QhRfoY6AGFQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.1827)
Cc: "<cfrg@ietf.org>" <cfrg@ietf.org>, David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 18:29:59 -0000

Hello CFRG,

Let's see if I can provide a less controversial, or at least less theoretical, defense of the notion of cryptographic proof.

If this protocol is widely deployed, and people actually use it, there will be an incentive for various organizations to break it.  For example, NSA might ask Don Coppersmith to lead a team of similarly-clever cryptographers to spend a month trying to break it.  They would have access to classified techniques and massive computing power.  I am almost certain that the NSA and their contractors would put in this kind of effort and more into a new widely-deployed symmetric or asymmetric cipher.  This is why they hire more mathematicians than anyone else.  I suspect that a new protocol would attract a similar effort unless they have a better reason than I do to believe it's secure.

Likewise, other nations would mount attacks.  Outside researchers would too, but at least in that case we'd know if they broke it and could switch to something else.

When deploying a new protocol, I want a good reason to believe that it's better than the other alternatives.  "Better" could mean that it takes less work to implement, or is faster, or has fewer IPR concerns, or is easier to use correctly, or that it takes less bandwidth, or has more features, or it enables new security systems (like a PAKE).  But "better" also means that there is less risk that the NSA or the Chinese or the French or Adi Shamir will break it a month or a year down the road.  Risk is all we can talk about here, because of course someone might build a quantum computer or solve the discrete log problem.

There are two ways to convince me that the risk is low.  One is to have teams of elite cryptographers work for months trying to attack the system.  This is what happened with AES and SHA-3, but it really isn't scalable to every new cipher and protocol.

The other way to convince me is a proof of security.  There are better and worse models for this (RO vs standard model, gap assumptions vs CDH, whatever), but in the end, a proof is much better than no proof.  It means that as long as you haven't messed up the proof and I haven't messed up checking it, the adversary will need to pass a certain very high bar of cleverness (breaking the model and/or assumptions) in order to attack the system.  The more conservative and standard and commonly-used the model and assumptions are, the higher the bar will be and the more convincing the proof will be.  This doesn't guarantee that the adversary will fail, but at least it gives good evidence in that direction.

The argument given for Dragonfly is that we've patched all the security problems which people have found already, and since then they haven't found more.  And also, it looks like it ought to be secure.  These arguments are not very convincing.  I don't know who's been looking for attacks and how long, but I suspect it hasn't been a monthlong effort with a team of elite cryptographers.

I don't have an attack against Dragonfly.  I worked on attacking it for maybe an hour, and I'm no Coppersmith.  It looks to me like it ought to be secure.  But there have historically been plenty of protocols which looked secure and turned out not to be.

What's more, there isn't a formal security definition of Dragonfly.  This increases the risk that it will be deployed incorrectly, because it makes it harder to analyze the security properties of such a deployment.

Despite these problems, Dragonfly would still be the "best" PAKE protocol out there, and even worth deploying, if there weren't other good options.  But in fact there are SPAKE2 and "SPAKE2 Elligator Edition", which are also IPR-clean, similarly fast and simple, take less bandwidth, and have formal security models and proofs.  Furthermore, they (optionally) support an augmented/asymmetric PAKE interaction, which Dragonfly does not.  This may not matter to Dan Harkins, but it will matter to some people.

The advantage that Dragonfly has over these protocols is momentum: it's written up in an RFC, and SPAKE2 EE isn't even written up in a white paper.  But I, and several other people on this list, don't find that to be enough to outweigh its disadvantages.

In sum, saying "if you don't think it's secure, where's your attack against it?" isn't productive.  I think that Dragonfly is probably secure.  But I want to be much more certain than I am now.  There's not even any point in me spending a month trying and failing to break it, since I could spend that month writing an RFC and an implementation and a paper for SPAKE2 EE instead.

Cheers,
-- Mike Hamburg

v2.23.0 | Report a Bug | By Email