Re: [Cfrg] dragonfly, was: Re: Time to recharter CFRG as a working group? Was: Re: [secdir] ISE seeks help with some crypto drafts

Peter Gutmann <> Thu, 28 March 2019 01:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 64ED612013B for <>; Wed, 27 Mar 2019 18:30:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sWmPFBuEnK69 for <>; Wed, 27 Mar 2019 18:30:36 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D4FC612012E for <>; Wed, 27 Mar 2019 18:30:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1553736636; x=1585272636; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=K2BZezpHJQVqaNZag1XPWge/ROfd65CzvaNu+tsQy24=; b=W2jqHAQyhZZ2ZXOLQ7dkMeYrbvjAw4WwGKkbnvx74g43bnpy71h5FrKr TJjF847sXMuYBv2RcP5sFZ5s5nnW/jQSV6VntcLlJFCeinY9jtEpW/RkI 8kjTb7KdxcL57Qu36G/0MWjm/OgJ/KPLR5zepRRPJ8rS5XFaicwOoMJH5 3zQPcCKfPyekn8cNshpbNjpBeWnhmhnPdj1npG8DeyGPJrTzvb4REMijF EJ9/Tu6vGfQq3skD51h6a0zYh3tQxnSHJPpoJK0jlD6SIr8iCOb4xe4FT ZaIgbsMgF65KcC0CqrE/bcVDUh/34wxXgmEa1JB6oKZNF03cEjopmTz0d A==;
X-IronPort-AV: E=Sophos;i="5.60,278,1549882800"; d="scan'208";a="53455071"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 28 Mar 2019 14:30:30 +1300
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 28 Mar 2019 14:30:30 +1300
Received: from ([]) by ([]) with mapi id 15.00.1395.000; Thu, 28 Mar 2019 14:30:30 +1300
From: Peter Gutmann <>
To: =?Windows-1252?Q?Bj=F6rn_Haase?= <>, "" <>
Thread-Topic: [Cfrg] dragonfly, was: Re: Time to recharter CFRG as a working group? Was: Re: [secdir] ISE seeks help with some crypto drafts
Thread-Index: AQHU4wkAhcZ1s4ZO/EmkY7vsYonmBKYe1tIAgAAVIYCAAVlnEA==
Date: Thu, 28 Mar 2019 01:30:30 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Cfrg] dragonfly, was: Re: Time to recharter CFRG as a working group? Was: Re: [secdir] ISE seeks help with some crypto drafts
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Mar 2019 01:30:40 -0000

Björn Haase <> writes:

>Were the points I mentioned above regarding problems with dragonfly
>considered beforehand on this list? I would believe that these points are so
>obvious that getting consensus on these aspects among implemention-oriented
>cryptographers would be easy to establish.

There's also the recent "Here be Dragons: A Security Analysis of WPA3’s SAE
Handshake", with the telling comment:

  We consider it very concerning that a modern security protocol is vulnerable
  to our presented attacks. Equally troublesome is that some of our attacks
  could have been prevented, if the designers incorporated all criticisms that
  the Dragonfly handshake received while it was being standardized.

The problem with Dragonfly was that it was published via the IRTF rather than
the standard manner of publishing at an academic conference, doing an end-run
around the academic peer-review process, and that many of the issues pointed
out were simply ignored, with the consequences being as per the above comment.