Re: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]
Adam Back <adam@cypherspace.org> Sat, 03 January 2015 20:48 UTC
In-Reply-To: <D0CDD192.3B6AB%kenny.paterson@rhul.ac.uk>
References: <20141231154418.6639764.33790.24403@certicom.com> <D0C9CE59.3B14A%kenny.paterson@rhul.ac.uk> <CALqxMTHaBg-XRWpQiLN5zo11=b24q8OgE6g0X_7F2nbtS+6FnA@mail.gmail.com> <1420132477.4562.6.camel@scientia.net> <D0CDD192.3B6AB%kenny.paterson@rhul.ac.uk>
Date: Sat, 03 Jan 2015 21:48:13 +0100
Message-ID: <CALqxMTG86KinerYYDABeKy=OwDqPOXyxmZ7tvP-evgz0Qd55Mg@mail.gmail.com>
From: Adam Back <adam@cypherspace.org>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Zk3yfrniGjAIi67Jc-4dBNTZoCI
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
On 3 January 2015 at 18:28, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote:
>> On Thu, 2015-01-01 at 13:39 +0100, Adam Back wrote:
>>> Seems like on
>>> topic and to the point, not spam.
>
> And as Adam Langley and others have pointed out, no-one seriously
> believes that the choice of base point has any security impact (a more
> refined statement about this to which I can subscribe can be found at the
> bottom of the safecurves page here:

Nevertheless I think it should be part of the NUMS generation.

Apart from the academic paper which hypothesises a combined weakness
between the generator and the KDF for key exchange (which again, is NOT
off-topic), there are situations where you need pairs of generators which
no one knows the discrete log of (for example EC_DRBG, a backdooring topic
known to all; or the U-Prove/Brands representation problem, a DL/ECDL
Schnorr-extension attribute certificate, which has multiple bases; probably
there are other examples).

If those are mixed with the main base point, which is chosen using
unexplained randomness, then it may be that even if we use G (the main and
non-NUMS base) plus H, which, given it's intended to demonstrate lack of
knowledge wrt H, would be generated with NUMS, that still fails, because
maybe the person who generated G chose it such that it is the discrete log
of H (or vice versa -- it's the same thing).

I don't see what motive we can have for not NUMS-ing the G parameter, for
the avoidance of doubt - it's not as if there's a big cost to that.

Adam
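As an added illustration of the point above about pairs of generators (this is not code from the thread or from any NUMS specification): a toy Pedersen-style commitment in a prime-order subgroup of Z_p^*, with a hash-derived (NUMS) second base, and a check of what goes wrong when whoever chose the second base knows its discrete log with respect to G. The group parameters, the seed and the SHA-256 derivation are constructed here for illustration only.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with p and q prime, so every quadratic
# residue other than 1 generates the order-q subgroup. Far too small for real
# use; the sizes only keep the arithmetic visible.
P, Q = 1019, 509
COFACTOR = (P - 1) // Q          # = 2
G = 4                            # 2^2, the fixed "given" base of order q


def nums_generator(seed: bytes) -> int:
    """NUMS-style second base: hash a public seed, reduce mod p, and raise to
    the cofactor so the result lies in the order-q subgroup. Anyone can redo
    this, and nobody gets to pick a value whose log base G they know."""
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, COFACTOR, P)
        if h > 1:                # skip 0 and the identity, then retry
            return h
        counter += 1


def commit(m: int, r: int, h: int) -> int:
    """Pedersen-style commitment C = G^m * h^r mod p to m with blinding r."""
    return pow(G, m, P) * pow(h, r, P) % P


def equivocate(m: int, r: int, m2: int, x: int) -> int:
    """With the trapdoor x such that h = G^x, the commitment is G^(m + x*r),
    so any m2 can be opened by solving m + x*r = m2 + x*r2 (mod q) for r2.
    (If instead G = h^y is what is known, use x = y^-1 mod q: same thing.)"""
    return (r + (m - m2) * pow(x, -1, Q)) % Q


def trapdoor_breaks_binding(m: int, r: int, m2: int, x: int) -> bool:
    """True when a committer who knows x can open one commitment as both m and m2."""
    h_bad = pow(G, x, P)         # second base chosen as a known multiple of G
    r2 = equivocate(m, r, m2, x)
    return m != m2 and commit(m, r, h_bad) == commit(m2, r2, h_bad)


if __name__ == "__main__":
    h = nums_generator(b"constructed seed for the second base")
    print("NUMS base h =", h, "has order q:", pow(h, Q, P) == 1)
    x = secrets.randbelow(Q - 1) + 1
    print("two valid openings with a trapdoored h:",
          trapdoor_breaks_binding(42, secrets.randbelow(Q), 7, x))
```

With the NUMS-derived h nobody holds such an x, so the only way to "open" C differently is to solve a discrete log; that is the property the message asks to extend to G as well.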