Re: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]

Adam Back <> Sat, 03 January 2015 20:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4B6D01A024E for <>; Sat, 3 Jan 2015 12:48:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QaUk9u3M61hM for <>; Sat, 3 Jan 2015 12:48:15 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c00::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BFE751A024C for <>; Sat, 3 Jan 2015 12:48:14 -0800 (PST)
Received: by with SMTP id w8so13589069qac.5 for <>; Sat, 03 Jan 2015 12:48:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=1yn6+WeR5lN8RojFtBEbI1vXrvJl0/C8C0PNz76Zwuw=; b=p8vmxZgibh4hTylJ/AInXynSINm/xG/TJkrMnkD+I8X1gvWKLCYijrA+CSZU6t4+gA V9MSCtoofh9qT+FRwAxHrudmjVUuhjRcNVyxMufC3/LVpanNNY6Eg1h/pUm7DbBbK9J6 cPJzTKSW0ETdjCl8oZhCZaT3GJUw0HXmX4eScdcVlH5dnQeC759IQnJolJFUE5yxkRsS ejvhIUuogzMIiQJfVF/JseS+SCVgshdDwjoe8aUtR0HInBUm0XONcFnoJcWjyPsa1jWJ kF/oilIkn0T9kbGbB4y5k6CWKB7IRCmcW9hPTIw0ZVDXVv5fLglDC8Hyk8ukAi2YcGJU w3CQ==
MIME-Version: 1.0
X-Received: by with SMTP id t96mr62581803qge.9.1420318093960; Sat, 03 Jan 2015 12:48:13 -0800 (PST)
Received: by with HTTP; Sat, 3 Jan 2015 12:48:13 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <>
Date: Sat, 03 Jan 2015 21:48:13 +0100
X-Google-Sender-Auth: AJkFil6jYAdSEnlyvEboackPb4M
Message-ID: <>
From: Adam Back <>
To: "Paterson, Kenny" <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>
Subject: Re: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 03 Jan 2015 20:48:16 -0000

On 3 January 2015 at 18:28, Paterson, Kenny <> wrote:
>>On Thu, 2015-01-01 at 13:39 +0100, Adam Back wrote:
>>> Seems like on
>>> topic and to the point, not spam.
> And as Adam Langley and others have pointed out, no-one seriously
> believes that the choice of base point has any security impact (a more
> refined statement about this to which I can subscribe can be found at the
> bottom of the safecurves page here:

Nevertheless I think it should be part of the NUMS generation.

Apart from the academic paper which hypothesises a combined weakness
between the generator and the KDF for key-exchange (which again, is
NOT off-topic), there are situations where you need pairs of
generators which no one knows the discrete log of (for example like
EC_DBRG, a backdooring topic known to all; or u-prove/Brands
representation problem a DL/ECDL schnorr-extension attribute
certificate, which has multiple bases, probably there are other

If those are mixed with the main base point which is chosen using
unexplained randomness, then it maybe that even if we use G (the main
and non-NUMS base) plus H which given its intended to demonstrate lack
of knowledge wrt to H, would be generated with NUMS, that still fails
because maybe the person who generated G chose it such that it is the
discrete log of H (or vice-versa -- its the same thing).

I dont see what motive we can have for not NUMS the G parameter to for
the avoidance of doubt - its not as if there's a big cost to that.