[Cfrg] ECDH subgroup attack question

Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 28 January 2020 21:46 UTC

Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A388B1200EC for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2020 13:46:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WsQKNIEKZ-mQ for <cfrg@ietfa.amsl.com>; Tue, 28 Jan 2020 13:46:13 -0800 (PST)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A73E8120018 for <cfrg@irtf.org>; Tue, 28 Jan 2020 13:46:13 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 7CC9562162 for <cfrg@irtf.org>; Tue, 28 Jan 2020 16:46:12 -0500 (EST)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id SgDYsBQu3Cwf for <cfrg@irtf.org>; Tue, 28 Jan 2020 16:46:09 -0500 (EST)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id F191C62135 for <cfrg@irtf.org>; Tue, 28 Jan 2020 16:46:08 -0500 (EST)
To: IRTF CFRG <cfrg@irtf.org>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <93a5af6f-e40b-a3aa-ef1e-17ac1feb9ace@htt-consult.com>
Date: Tue, 28 Jan 2020 16:46:08 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/bonTIWo4mEiuS1jIbUasOUKH4Yk>
Subject: [Cfrg] ECDH subgroup attack question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 21:46:17 -0000

In TLS 1.3, RFC 8446 sec 4.2.8.1 the testing range for Y is:

1 < Y < p-1

In RFC 2785 sec 3.1, that references 2631, the range for Y is:

"within the interval [2, p-1]"

TLS 1.3 is more liberal, it seems to me, than 2785.

What is 'right' / 'safe'.

Further 2785 has a second check:

Compute y^q mod p. If the result == 1, the key is valid.

Is this test still advised?

thank you