IETF Logo Mail Archive

Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.

Taylor R Campbell <campbell+cfrg@mumble.net> Tue, 17 November 2015 14:16 UTC

Return-Path: <campbell@mumble.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51DE11B32B4 for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2015 06:16:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.185
X-Spam-Level:
X-Spam-Status: No, score=-3.185 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBH8Fp1I-YaI for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2015 06:16:15 -0800 (PST)
Received: from jupiter.mumble.net (jupiter.mumble.net [74.50.56.165]) by ietfa.amsl.com (Postfix) with ESMTP id C07F31B32B3 for <cfrg@irtf.org>; Tue, 17 Nov 2015 06:16:15 -0800 (PST)
Received: by jupiter.mumble.net (Postfix, from userid 1014) id DB40B60356; Tue, 17 Nov 2015 14:15:54 +0000 (UTC)
From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: Mike Hamburg <mike@shiftleft.org>
In-reply-to: <19090157-473E-4F19-BECE-0CB9955233C9@shiftleft.org> (mike@shiftleft.org)
Date: Tue, 17 Nov 2015 14:16:14 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
User-Agent: IMAIL/1.21; Edwin/3.116; MIT-Scheme/9.1.99
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20151117141554.DB40B60356@jupiter.mumble.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/cI_o1_LIp67f8Vv9P0uFAL-0lYM>
Cc: Adam Langley <agl@imperialviolet.org>, cfrg@irtf.org
Subject: Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 14:16:18 -0000

   Date: Mon, 16 Nov 2015 18:29:42 -0800
   From: Mike Hamburg <mike@shiftleft.org>

   > On Nov 16, 2015, at 18:01, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
   > 
   > Is there a mechanism that would allow an attacker to force use of
   > all zeros?

   Yes, an attacker can easily force it by sending specific values of
   g^x, most of which cannot be produced by a legitimate
   implementation.  There are something like 5 such values for
   curve448 and 14 such values for curve25519.

A malicious peer can do that, but so what?  A malicious peer can also
use a secret key k known to an eavesdropper, and send k*B where B is
the standard base point.  Then the eavesdropper seeing the good guy's
public key h*B over the wire can readily predict k*h*B and find the
session key.  A malicious peer could also email the session transcript
to the eavesdropper.

What is the serious attack that is prevented by a zero check?  It
seems to me an answer to that question is more important than the
choice of verb.

v2.23.0 | Report a Bug | By Email