Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS

Robert Ransom <rransom.8774@gmail.com> Fri, 24 January 2014 21:05 UTC

To: Andrey Jivsov <crypto@brainhub.org>
Cc: cfrg@irtf.org

On 1/24/14, Andrey Jivsov <crypto@brainhub.org> wrote:
> On 01/24/2014 12:13 PM, Michael Hamburg wrote:
>> On Jan 24, 2014, at 12:01 PM, Andrey Jivsov <crypto@brainhub.org
>> <mailto:crypto@brainhub.org>> wrote:
>>> This should work for your suggestions to use the Elligator map,
>>> assuming that I get the corresponding scalar.
>>>
>>> I will need access to the private m for M=mG. I assumed it is sort of
>>> a user static public key.
>>>
>>> The server side adjustments are similar.
>>
>> It is critical to the security of SPAKE2 that nobody can know m.  Part
>> of why Elligator is nice is that it removes the possibility that
>> someone could somehow figure out m, thereby breaking the security of
>> the entire system.  It is an essential security feature of Elligator
>> (in this use and others) that it does not give you access to that
>> discrete log.
>>
>> So, in other words, you can’t do this, and changing the system so that
>> you can do this would break it.
>>
>> Cheers,
>> — Mike
>
> Given that I am trusted to keep my password, why am I not trusted to
> keep my m in M=m*G private?

M and N are protocol parameters, and must be shared among all users.


Robert Ransom
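A constructed end-to-end run of the SPAKE2 exchange discussed in this thread, added here as example code (not from anyone on the list): M and N are produced by hashing into the group so that no party ever holds their discrete logs, which is the role the Elligator map plays on Curve25519. It assumes a MODP safe-prime group (RFC 2409 group 2) as a stand-in for Curve25519, Python 3.8+, and its own toy password-to-scalar and key-derivation steps; all function names are mine.

```python
import hashlib
import secrets
# Constructed demo (not code from the thread): SPAKE2 over the multiplicative
# group mod a safe prime instead of Curve25519. M and N are hashed into the
# group, standing in for Elligator, so nobody holds m with M = m*G.
P = int(  # 1024-bit MODP safe prime from RFC 2409 (Oakley group 2)
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2          # prime order of the subgroup of squares
G = 4                     # a square, hence a generator of that subgroup

def hash_to_group(label: bytes) -> int:
    """Nothing-up-my-sleeve element: expand the label with SHA-256, reduce
    mod P and square to clear the cofactor 2. Its log base G is unknown."""
    h = 0
    for i in range(5):    # 1280 bits of digest output before reduction
        h = (h << 256) | int.from_bytes(hashlib.sha256(label + bytes([i])).digest(), "big")
    return pow(h % P, 2, P)

M = hash_to_group(b"SPAKE2 point M")   # protocol constants shared by all users
N = hash_to_group(b"SPAKE2 point N")

def pw_scalar(password: bytes) -> int:
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % Q

def spake2_send(mask_point: int, password: bytes) -> tuple:
    """First flow: client sends X = G^x * M^w, server sends Y = G^y * N^w."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P) * pow(mask_point, pw_scalar(password), P) % P

def spake2_key(peer_point: int, peer_msg: int, x: int, password: bytes, transcript: list) -> bytes:
    """Strip the peer's password mask with the local password, then raise to
    the local secret; equal passwords give G^(xy) on both sides."""
    unmasked = peer_msg * pow(peer_point, -pw_scalar(password), P) % P
    shared = pow(unmasked, x, P).to_bytes(128, "big")
    return hashlib.sha256(b"|".join(transcript) + shared).digest()

def run_exchange(client_pw: bytes, server_pw: bytes) -> tuple:
    """One complete run; returns (client_key, server_key)."""
    x, X = spake2_send(M, client_pw)
    y, Y = spake2_send(N, server_pw)
    t = [b"client", b"server", X.to_bytes(128, "big"), Y.to_bytes(128, "big")]
    return spake2_key(N, Y, x, client_pw, t), spake2_key(M, X, y, server_pw, t)

if __name__ == "__main__":
    kc, ks = run_exchange(b"hunter2", b"hunter2")
    print("keys match:", kc == ks)
```

Because M and N are fixed protocol constants, every client and server must use the same two values; a mismatched password shows up only as mismatched keys, which is what the key-confirmation step is for.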