Re: [Cfrg] Criteria for the selection of new ECC mechanisms

Michael Hamburg <mike@shiftleft.org> Tue, 29 April 2014 18:55 UTC

From: Michael Hamburg <mike@shiftleft.org>
Date: Tue, 29 Apr 2014 11:55:39 -0700
To: Rene Struik <rstruik.ext@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/cJpqsXJLXZp1rFMTzCdPjCKkO3M
Cc: David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Criteria for the selection of new ECC mechanisms

On Apr 29, 2014, at 11:43 AM, Rene Struik <rstruik.ext@gmail.com> wrote:
> RS>>
> I think Michael Hamburg also concurred with my note. I fail to see why one cannot possibly get a good PAKE protocol that relies, e.g., on GLV/GLS-friendly curves. Can you give an example of a PAKE scheme that "requires" indistinguishability, so as to have a proof point?
> <<RS

EKE requires indistinguishability.  You do a DH key exchange, but encrypt the ephemerals with the password.  This requires that the ephemerals are encoded in a way that cannot be distinguished from random.  If the adversary starts guessing passwords, then wrong guesses will result in random-looking data (in the ideal cipher model or under assumptions about the KDF).  If the adversary could distinguish the real encoded point from these random points, it would leak information about the password, and over many connections the password would be revealed by a passive attack.

But you can get indistinguishability for any elliptic curve using Tibouchi/BCIMRT’s Elligator Squared.

— Mike
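An added toy simulation (not part of Mike's message or of any real EKE implementation) of the leak described above: a constructed curve over GF(1019), a SHA-256-derived additive mask standing in for the password-keyed ideal cipher, and, as a stand-in for a uniform point encoding (not Elligator Squared itself), sending the point as its index into the list of valid x-coordinates so that every ciphertext decrypts to some valid point under every password guess.

```python
import hashlib
import secrets

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P); only about half of
# the field elements are valid x-coordinates, which is what the observer exploits.
P, A, B = 1019, 2, 3

def is_x_on_curve(x):
    """Euler criterion: x is a valid x-coordinate iff x^3+Ax+B is 0 or a square."""
    rhs = (x ** 3 + A * x + B) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

VALID_X = [x for x in range(P) if is_x_on_curve(x)]

def mask(password, nonce, modulus):
    """Stand-in for the password-keyed ideal cipher: an additive mask mod `modulus`."""
    h = hashlib.sha256(f"{password}|{nonce}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def sessions_naive(password, n):
    """Naive EKE transcript: the ephemeral's x-coordinate masked mod P."""
    out = []
    for nonce in range(n):
        x = secrets.choice(VALID_X)
        out.append((nonce, (x + mask(password, nonce, P)) % P))
    return out

def sessions_uniform(password, n):
    """Same transcript, but the point is sent as its index into VALID_X masked
    mod len(VALID_X): every value in that range decodes to a valid point."""
    m = len(VALID_X)
    out = []
    for nonce in range(n):
        idx = secrets.randbelow(m)
        out.append((nonce, (idx + mask(password, nonce, m)) % m))
    return out

def surviving_guesses(transcript, candidates, modulus, decodes):
    """Passive observer: a candidate password is dropped as soon as one session,
    decrypted under it, yields something that is not a valid point."""
    alive = set(candidates)
    for nonce, c in transcript:
        alive = {pw for pw in alive if decodes((c - mask(pw, nonce, modulus)) % modulus)}
    return alive

if __name__ == "__main__":
    cands = ["correct"] + [f"wrong{i}" for i in range(20)]
    print(surviving_guesses(sessions_naive("correct", 40), cands, P, is_x_on_curve))
    m = len(VALID_X)
    print(len(surviving_guesses(sessions_uniform("correct", 40), cands, m, lambda i: 0 <= i < m)))
```

With the naive encoding each wrong guess survives a session with probability about one half, so forty observed sessions leave only the real password; with the uniform encoding the same observer learns nothing and every candidate survives.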