Re: [Cfrg] Response to the Attacks on key agreement in SM2

Watson Ladd <watsonbladd@gmail.com> Wed, 26 February 2014 16:16 UTC

In-Reply-To: <045f01cf32c3$ae3d2cd0$0ab78670$@is.ac.cn>
References: <045f01cf32c3$ae3d2cd0$0ab78670$@is.ac.cn>
Date: Wed, 26 Feb 2014 08:15:23 -0800
Message-ID: <CACsn0cnB6wJPkvEkdudr5YW13xai5rY_u2y7Sxf0=hUi2+txgg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Limin LIU <lmliu@is.ac.cn>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/eTc08GpAeqYFZxT98hyA2IObAPQ
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Response to the Attacks on key agreement in SM2
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Tue, Feb 25, 2014 at 11:23 PM, Limin LIU <lmliu@is.ac.cn> wrote:
> Dear Watson,
>
>     This is Limin from the team of SM2 patent holder, Data Assurance and
> Communication Security Center in Chinese Academy of Sciences. Following is
> the response to your concern about the attacks on SM2. (Attacks on key
> agreement in SM2.
> http://www.ietf.org/mail-archive/web/cfrg/current/msg04297.html )
>
>     In Xu's (CANS 2011) paper, the attack towards the SM2 key exchange protocol
> is launched in the Canetti-Krawczyk model, where the adversary could reveal private
> session state. To make the attack successful, the adversary should have the
> ability to reveal the state variable (x_v,y_v). (x_v,y_v) is the result of a
> computation from B's private key d_B, B's private random number r_B, along
> with other public parameters. The question here is, d_B and r_B are not easy
> to obtain in the real world. What's more, if the adversary has such
> knowledge, he could already obtain the session key K_B by K_B =
> KDF(x_v||y_v||z_A||z_B,klen), so it seems unnecessary to launch other attacks.
> Overall, this attack is academic cryptanalysis based on strong
> assumptions. It's not a practical threat to the algorithm.
>
>    Hope this could address your concerns. Any further comments will be
> greatly appreciated.

It doesn't. Instead of an analysis showing that in some reasonable
threat model SM2 security reduces to some reasonable assumptions, you
present an argument that the one attack I found in the literature
doesn't matter in practical applications. There is a large literature
and well-understood theory of key negotiation protocols, and I have
yet to see any demonstration that SM2 was designed with that in mind.

Sincerely,
Watson Ladd
>
> Best,
> Limin
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
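Added worked example, not part of the thread above and not taken from Xu's paper or from any SM2 implementation: the SM2 key-agreement computation that the quoted message refers to, run on the sm2p256v1 curve as published in GM/T 0003. It shows that A's point U and B's point V coincide, and that the session key K_B = KDF(x_v||y_v||Z_A||Z_B, klen) is a function of B's intermediate state (x_v, y_v) alone, which is the observation the message makes about what a state-revealing adversary already holds. Assumptions made here so the code runs on stock Python: SHA-256 stands in for SM3 inside Z and the KDF; the identities, private keys and nonces are constructed sample values.

```python
"""Added illustration of the SM2 key-exchange derivation discussed on the list.
Not from the CFRG thread or any SM2 library.  Assumptions: SHA-256 replaces SM3
in Z and KDF; identities, keys and nonces below are constructed sample values."""
import hashlib
import secrets

# sm2p256v1 domain parameters (GM/T 0003-2012, part 5); cofactor h = 1.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
G = (GX, GY)
H = 1
W = (N.bit_length() + 1) // 2 - 1   # w = ceil(ceil(log2 n) / 2) - 1 = 127


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + ax + b over F_p; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def i2b(x):
    return x.to_bytes(32, "big")


def xbar(x):
    # x~ = 2^w + (x mod 2^w): truncated ephemeral x-coordinate folded into t_A, t_B
    return (1 << W) + (x & ((1 << W) - 1))


def z_value(ident, pub):
    # Z = Hash(ENTL || ID || a || b || x_G || y_G || x_P || y_P), ENTL = bit length of ID
    entl = (len(ident) * 8).to_bytes(2, "big")
    data = entl + ident + i2b(A) + i2b(B) + i2b(GX) + i2b(GY) + i2b(pub[0]) + i2b(pub[1])
    return hashlib.sha256(data).digest()          # SHA-256 in place of SM3 (assumption)


def kdf(z, klen):
    # KDF(Z, klen): Hash(Z || ct) for ct = 1, 2, ..., truncated to klen bytes
    out, ct = b"", 1
    while len(out) < klen:
        out += hashlib.sha256(z + ct.to_bytes(4, "big")).digest()   # SHA-256 for SM3 (assumption)
        ct += 1
    return out[:klen]


def session_key(shared, Z_A, Z_B, klen):
    """K = KDF(x_v || y_v || Z_A || Z_B, klen); needs only (x_v, y_v) and public Z values."""
    x, y = shared
    return kdf(i2b(x) + i2b(y) + Z_A + Z_B, klen)


def shared_point(d_own, r_own, R_own, P_peer, R_peer):
    """One side's secret point [h*t](P_peer + [x~_peer]R_peer), t = d_own + x~_own*r_own mod n.
    On B's side this is V = (x_v, y_v): computed from d_B, r_B and public values only."""
    if not on_curve(R_peer):
        raise ValueError("peer ephemeral point not on curve")
    t = (d_own + xbar(R_own[0]) * r_own) % N
    pt = ec_mul((H * t) % N, ec_add(P_peer, ec_mul(xbar(R_peer[0]), R_peer)))
    if pt is None:
        raise ValueError("shared point is the point at infinity")
    return pt


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def run_exchange(d_A, P_A, d_B, P_B, Z_A, Z_B, klen=16):
    """Returns (K_A, K_B, V); V is B's intermediate state (x_v, y_v)."""
    r_A, R_A = keygen()       # A -> B : R_A
    r_B, R_B = keygen()       # B -> A : R_B
    V = shared_point(d_B, r_B, R_B, P_A, R_A)   # B computes V = [t_B t_A]G
    U = shared_point(d_A, r_A, R_A, P_B, R_B)   # A computes U = [t_A t_B]G
    return session_key(U, Z_A, Z_B, klen), session_key(V, Z_A, Z_B, klen), V
```

The optional key-confirmation values S_A and S_B of the standard are left out; they are also derived from x_v, y_v and the public transcript, so they do not change the picture. Note what the example does and does not show: it checks the arithmetic of the derivation, but says nothing about a reduction in any formal model, which is the separate question raised in the reply above.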