IETF Logo Mail Archive

Re: [Cfrg] comments on draft-irtf-cfrg-spake2-02.txt

Michael Hamburg <mike@shiftleft.org> Sun, 25 October 2015 00:30 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1E821A88EF for <cfrg@ietfa.amsl.com>; Sat, 24 Oct 2015 17:30:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.654
X-Spam-Level: ****
X-Spam-Status: No, score=4.654 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_65=0.6, J_CHICKENPOX_74=0.6, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9mcNn6gzQj1k for <cfrg@ietfa.amsl.com>; Sat, 24 Oct 2015 17:30:42 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 533C91A88ED for <cfrg@irtf.org>; Sat, 24 Oct 2015 17:30:42 -0700 (PDT)
Received: from [192.168.1.116] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id DE4D7F5E75; Sat, 24 Oct 2015 17:30:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1445733005; bh=4Dz5+txNQgBGnlB0JvVSqKrTD/03i06UJwaOCWHsvCg=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=KX93TrbPMH6q7voLf1vvBqSazsxRaQ5HZCf5RS2pyKYCi357jApG1Pn/NaLDxvlUI 1tTNZtmGmfw0er/wuJb8rIPK2+Ln2g2nwLdGJHwDVU66pKp+C25E0A+hTyk5A4ezYp muBqTJPDMUmOWgdIYREM3elD1PFXOyWVLvgwrZ4Q=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <1445552992.3392.27.camel@redhat.com>
Date: Sat, 24 Oct 2015 17:30:46 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <8687079B-236E-4761-AB0A-632E4530AE76@shiftleft.org>
References: <ad7d6453a282a6b8708c0526b4a1020c.squirrel@www.trepanning.net> <x7dd1w68vuq.fsf@equal-rites.mit.edu> <1445548227.3392.13.camel@redhat.com> <CACsn0cnjaC8EQj9WGWD1OqJY0rDURH-WiF0GOmYnnUq0GU8C+g@mail.gmail.com> <1445552992.3392.27.camel@redhat.com>
To: Nathaniel McCallum <npmccallum@redhat.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/caaUnpzd4Y6S9hMO1mEf5xSTpbs>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] comments on draft-irtf-cfrg-spake2-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Oct 2015 00:30:44 -0000

I would expect to see a problem if M and N are not multiples of the generator G; or if the x in xG is not chosen uniformly in [0,ord G); or if ord M and/or ord M were small.  In the first case, wM mod (G) would leak.  The second case might be quite difficult to exploit, but the security proof wouldn’t hold.  The third case would result in weak authentication.

If M and N don’t generate the whole group but do generate at least the p-torsion, the loss in authentication should be negligible.  In fact, according to the document specified, it’s probably zero since w is specified to be reduced modulo p.

— Mike

> On Oct 22, 2015, at 3:29 PM, Nathaniel McCallum <npmccallum@redhat.com> wrote:
> 
> The issue arises implicitly in the multiplication wM or wN. If
> multiplication with M or N produces a different (i.e. smaller) number
> of values than multiplication against G, then the strength of the
> authentication (though not the key exchange) is weakened.
> 
> On Thu, 2015-10-22 at 18:24 -0400, Watson Ladd wrote:
>> I'm using quotients, not subgroups. This is not obvious, but I think
>> the issue you are referring to cannot happen.
>> 
>> My apologies for not pushing a new version out in a reasonable
>> timeframe: I've been a bit busy. Thanks to everyone for submitting
>> comments.
>> 
>> On Thu, Oct 22, 2015 at 5:10 PM, Nathaniel McCallum
>> <npmccallum@redhat.com> wrote:
>>> On Thu, 2015-10-22 at 16:57 -0400, Greg Hudson wrote:
>>>> Dan Harkins wrote:
>>>>> You might think about publishing the code you're using to
>>>>> generate
>>>>> M
>>>>> and N as an appendix.
>>>> 
>>>> I was able to reproduce the P-256 and P-521 M and N values with
>>>> the
>>>> following Python code (which is unnecessarily quadratic, but it
>>>> reads
>>>> more clearly this way):
>>>> 
>>>>   def iterated_hash(seed, n):
>>>>       h = seed
>>>>       for i in xrange(n):
>>>>           h = SHA256.new(h).digest()
>>>>       return h
>>>> 
>>>>   def bighash(seed, start, sz):
>>>>       n = -(-sz // 32)
>>>>       hashes = [iterated_hash(seed, i) for i in xrange(start,
>>>> start +
>>>> n)]
>>>>       return ''.join(hashes)[:sz]
>>>> 
>>>>   def gen_point(seed, ec, order):
>>>>       for i in xrange(1, 1000):
>>>>           pointstr = ec.canon_pointstr(bighash(seed, i,
>>>> ec.nbytes_point()))
>>>>           try:
>>>>               p = ec.decode_point(pointstr)
>>>>               if ec.mul(p, order) == ec.identity():
>>>>                   return pointstr, i
>>>>           except Exception:
>>>>               pass
>>>> 
>>>> combined with a home-grown Weierstrass curve implementation using
>>>> SEC
>>>> 1
>>>> compressed points.  The canon_pointstr() method in that
>>>> implementation
>>>> is:
>>>> 
>>>>     def canon_pointstr(self, s):
>>>>         return chr(ord(s[0]) & 1 | 2) + s[1:]
>>>> 
>>>> The check for point order isn't really needed for P-256 and P-521 
>>>> as
>>>> they have cofactor 1, but it would be needed for other curves
>>>> such as
>>>> the ones used in ed25519 and ed448.  The successful iterations
>>>> were 5
>>>> and 3 for P-256 M and N, and 368 and 343 for P-521 M and N.  For
>>>> P-
>>>> 521,
>>>> most trials are invalid because the high-order byte of a valid x
>>>> coordinate can only have values 00 or 01, but the algorithm is
>>>> too
>>>> dumb
>>>> to know that.
>>>> 
>>>> I believe the points were originally generated using the Java
>>>> code
>>>> in:
>>>> http://www.ietf.org/mail-archive/web/cfrg/current/msg06117.html
>>>> 
>>>> Salient differences between the code and the current draft text
>>>> (which
>>>> I believe Watson Ladd is planning to rewrite):
>>>> 
>>>> * Each trial string begins at the beginning of a hash block.
>>>> 
>>>> * Trial strings use overlapping ranges of hash blocks.  For P-521
>>>> where
>>>>   we need three hash blocks per trial string, the first trial is
>>>>   H1|H2|H3 truncated, the second is H2|H3|H4 truncated, etc..
>>>> 
>>>> * The first byte of each trial string is set to 0x02 or 0x03,
>>>> depending
>>>>   on its original low-order bit.
>>> 
>>> Thanks for your independent verification! I had drafted an email
>>> today
>>> about the cofactor issue. Thanks for bringing it up.
>>> 
>>> In short, the method used for generating constants should ignore
>>> valid
>>> points which, when used as generators, have a subgroup order that
>>> is
>>> different than the group-default generator. Failing to do this
>>> could
>>> lead to a compromise.
>>> 
>>> Nathaniel
>>> 
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>> 
>> 
>> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email