Re: [Cfrg] Response to the Attacks on key agreement in SM2
Watson Ladd <watsonbladd@gmail.com> Thu, 06 March 2014 02:49 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97FE81A006A for <cfrg@ietfa.amsl.com>; Wed, 5 Mar 2014 18:49:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FTWfOwJbtlFS for <cfrg@ietfa.amsl.com>; Wed, 5 Mar 2014 18:49:54 -0800 (PST)
Received: from mail-yh0-x22d.google.com (mail-yh0-x22d.google.com [IPv6:2607:f8b0:4002:c01::22d]) by ietfa.amsl.com (Postfix) with ESMTP id BFA871A0021 for <cfrg@irtf.org>; Wed, 5 Mar 2014 18:49:53 -0800 (PST)
Received: by mail-yh0-f45.google.com with SMTP id i57so2077607yha.32 for <cfrg@irtf.org>; Wed, 05 Mar 2014 18:49:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=c9MSAUe69bjV8QVts/x5VLLYJRY6Fa907TDgX1qOoe8=; b=DkNtFCd8dgbRcpG8K3UvSFcT8IcKnqyruozunSzMKljgcQhLi041ND2oaizRw4cGjb ki2JG4upt72x5mNRj2h5wYiCisltjArJv7RQHygJKit12vEW8S+WCLszFo9s7qPTli0V YdP1XE6Qkv5XGCvQpR9NnKD+t3y8hCtc1wZA4Hbd82ExCiBkB78PnvKNqeKCD2e7pIZ/ k4W5RjC6UlwO9M/eSlKCNlnnYfcK0nPje5ajaZt2yvGia71nrLM+ceMpK8I+sLLEpRye 9E92DO20XNvPnKnwWreVAJ3GCqxtieNNSNLGcb+NVcnvzNHgaY7yrNgSxxRyaerVazCu vqlw==
MIME-Version: 1.0
X-Received: by 10.236.45.69 with SMTP id o45mr11774796yhb.64.1394074189802; Wed, 05 Mar 2014 18:49:49 -0800 (PST)
Received: by 10.170.92.85 with HTTP; Wed, 5 Mar 2014 18:49:49 -0800 (PST)
In-Reply-To: <014501cf3845$03f747b0$0be5d710$@is.ac.cn>
References: <045f01cf32c3$ae3d2cd0$0ab78670$@is.ac.cn> <CACsn0cnB6wJPkvEkdudr5YW13xai5rY_u2y7Sxf0=hUi2+txgg@mail.gmail.com> <014501cf3845$03f747b0$0be5d710$@is.ac.cn>
Date: Wed, 05 Mar 2014 18:49:49 -0800
Message-ID: <CACsn0ck0_mVRsj-2iMrVG236HzKxo9vmG9DMb=Qx5+abAWSMSA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Limin LIU <lmliu@is.ac.cn>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/gDnTq8TlTlKSD8-fOnX35xvoFrY
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Response to the Attacks on key agreement in SM2
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 02:49:56 -0000
On Tue, Mar 4, 2014 at 11:32 PM, Limin LIU <lmliu@is.ac.cn> wrote: > Hi Watson, > In my previous email, I addressed that the attack you mentioned is not feasible since it is based on an unpractical assumption. > As for the security model of SM2 key exchange, it's another problem. The key exchange protocol in SM2 is based on MQV, a widely standardized (ANSI, ISO/IEC, IEEE) and recommended (NIST, NSA suite B) EC-DH-based key agreement protocol. The security proof of MQV was given by Kunz-Jacques in paper " About the Security of MTI/C0 and MQV" in 2006, which you might have already read. Actually the situation is a bit better: it looks to me like the paper by Kunz-Jacques covers SM2: one needs to adjust the function f, and then everything works. However, this is not a standard assumption, and the paper takes place in weaker models then CK, something I would like to see in the security considerations. Note that MQV is no longer in suite B. Minor nits I found: The encryption scheme has a major issue: t=0 is disallowed, leaking information about M. In particular encrypting single bits is trivially insecure. I would recommend that short lengths be avoided if it is impossible to change the standard/this isn't a translation issue. It also uses a hash as a MAC, which is not the right thing. (x2,y2) is distinguishable from random bits, making an analysis of H(x1 || M || y1) hard. Encrypt and MAC is insecure because the MAC can always leak information about the message and remain a good MAC. For a hash function in the standard model I don't know why H(x1 || M || y1) has to be a MAC. Maybe the construction mentioned is secure: it's difficult to say. Certainly I would feel much happier with C3=HMAC(k2, C2) with k1 || k2=KDF(p, keylength). Pick a random number in [1, n-1] is difficult to do in constant time and with zero bias. In particular the naive modular reduction approach will leak enough bits to reconstruct the secret key. Maybe this is handled by the random number generator, but this has bitten people (including me) in the past. NIST actually had to edit ECDSA standards to fix this issue. I can't make head or tail of the message expansion in SM3. Sincerely, Watson Ladd > > Best, > Limin > -----Original Message----- > From: Watson Ladd [mailto:watsonbladd@gmail.com] > Sent: Thursday, February 27, 2014 12:15 AM > To: liulimin > Cc: cfrg@irtf.org > Subject: Re: Response to the Attacks on key agreement in SM2 > > On Tue, Feb 25, 2014 at 11:23 PM, Limin LIU <lmliu@is.ac.cn> wrote: >> Dear Watson, >> >> This is Limin from the team of SM2 patent holder, Data Assurance >> and Communication Security Center in Chinese Academy of Sciences. >> Following is the response to your concern about the attacks on SM2. >> (Attacks on key agreement in SM2. >> http://www.ietf.org/mail-archive/web/cfrg/current/msg04297.html ) >> >> In Xu's (CANS 2011) paper, the attack towards SM2 key exchange >> protocol is launched in Canetti-Krawczyk model, where adversary could >> reveal private session state. To make the attack successful, the >> adversary should have the ability to reveal the state variable >> (x_v,y_v). (x_v,y_v) is the result of a computation from B's private >> key d_B, B's private random number r_B, along with other public >> parameters. The question here is, d_B and r_B are not easy to be >> obtained in real world. What's more, if the adversary has such kind of >> knowledge, he could already obtain the session key K_B by K_B = KDF(x_v||y_v||z_A||z_B,klen), it seems unnecessary to launch other attacks. >> Overall, this attack is academic crypto analysis based on strong >> assumptions. It's not a practical threaten to the algorithm. >> >> Hope this could address your concerns. Any further comments will be >> greatly appreciated. > > It doesn't. Instead of an analysis showing that in some reasonable threat model SM2 security reduces to some reasonable assumptions, you present an argument that the one attack I found in the literature doesn't matter in practical applications. There is a large literature and well-understood theory of key negotiation protocols, and I have yet to see any demonstration that SM2 was designed with that in mind. > > Sincerely, > Watson Ladd >> >> Best, >> Limin >> > > > > -- > "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." > -- Benjamin Franklin > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [Cfrg] Response to the Attacks on key agreeme… Watson Ladd
- Re: [Cfrg] Response to the Attacks on key agreeme… Watson Ladd
- Re: [Cfrg] Response to the Attacks on key agreeme… David Jacobson
- Re: [Cfrg] Response to the Attacks on key agreeme… Watson Ladd