IETF Logo Mail Archive

Re: [Cfrg] 2^40. I can't exhibit it, but it exists.

Watson Ladd <watsonbladd@gmail.com> Tue, 04 February 2014 23:44 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CAA31A0196 for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 15:44:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qoIyYlJmeZZM for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 15:43:57 -0800 (PST)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com [IPv6:2607:f8b0:4002:c07::22c]) by ietfa.amsl.com (Postfix) with ESMTP id D1F211A01AC for <cfrg@irtf.org>; Tue, 4 Feb 2014 15:43:56 -0800 (PST)
Received: by mail-yk0-f172.google.com with SMTP id 200so26577097ykr.3 for <cfrg@irtf.org>; Tue, 04 Feb 2014 15:43:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=zDDVKnfPUMfKDkif6x8tIS0OFiItOtYTORGYtw9eQo8=; b=Ei2Yj7pdZNFjQj5FgBSSpox4Mmn/7/+dr7baXXOK1ZxDLHGth5onDfc+jaOQ8Kqs4t yfdyj8O/9f5TPE4Ue/w2kqV41NS47KeEeuYsLQUbigejILWh8Sr13jg93XrzGevnNs4S ce//CRakRMvY4AOlKCnyqjQl5QGYrXBH0aA3TwEhAsXx/0pCPskrFX/RAs8LNGUA3xZN eUeMNF76BUnY9AB3HmXrIVYU+sTHPxN0jafUrysi9JG60ei7fjBSj1o/vaAD6Tvf9IKS qhXeu/3CPzOS+ZF3rAtX+DtUHkrHn9cw9DyCqpJ+YuQHTGGhP+Ej4wveqpHgqGdzIY7E rEFQ==
MIME-Version: 1.0
X-Received: by 10.236.168.166 with SMTP id k26mr9249928yhl.64.1391557436103; Tue, 04 Feb 2014 15:43:56 -0800 (PST)
Received: by 10.170.126.76 with HTTP; Tue, 4 Feb 2014 15:43:56 -0800 (PST)
Received: by 10.170.126.76 with HTTP; Tue, 4 Feb 2014 15:43:56 -0800 (PST)
In-Reply-To: <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7F7C@SC-VEXCH2.marvell.com>
References: <20140203192451.6268.76511.idtracker@ietfa.amsl.com> <7af2f9df96e5867d493c614806235363.squirrel@www.trepanning.net> <CACsn0cm1f-P95je5AbEbZ02Ut3+HM7Hx28P6j46TqE-=06eZDg@mail.gmail.com> <52F00EF3.3040505@cisco.com> <CACsn0c=zS5GKex3eF_hKgTsL1kH=TiBi3iAP9oMrJ9hDQcT4Gw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7DE5@SC-VEXCH2.marvell.com> <CACsn0cn0TaHsDkyN2ewOorxxBzXivCg=QGR-ZnBiC3nJhvhpRg@mail.gmail.com> <14AB44E0-4C90-4E4C-A656-885A31CF4C02@checkpoint.com> <CACsn0cmDT-FAN8uMZ0w8TX6GKPAZjnrexLeFQd7QhRfoY6AGFQ@mail.gmail.com> <75e1e853dc391b418062ee5e51adeb2f.squirrel@www.trepanning.net> <CABqy+sr7ZKrACj4Ga2_75d9Kea0aKbrp2P5fWWu4YZP53zijxw@mail.gmail.com> <CACsn0cmS152wYQWHiX8ykzaMM=6b=r=fwVuLfPj_u0wmoq0jKw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7F7C@SC-VEXCH2.marvell.com>
Date: Tue, 04 Feb 2014 15:43:56 -0800
Message-ID: <CACsn0c=a5PvZOZgVRjHaJ2avGCPHF6b6nOpNh+iT0909X-jUFA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Paul Lambert <paul@marvell.com>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="20cf3040edbaa9e35104f19d36d0"
Subject: Re: [Cfrg] 2^40. I can't exhibit it, but it exists.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 23:44:01 -0000

On Feb 4, 2014 2:06 PM, "Paul Lambert" <paul@marvell.com> wrote:
>
>
>
> >From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Watson Ladd
> >Sent: Tuesday, February 04, 2014 12:12 PM
>
>
>
> >This attack is interesting because of the limits it puts on reductions,
which are
> >the main tool for doing cryptography. If dragonfly could be shown to
have no
> >other weaknesses this would be fine, but no such proof is forthcoming.
>
> When you say ‘no other’ you continue to imply that you have identified a
realistic exploitable weakness. The difficulty in ‘reducing’ the Dragonfly
proposal is not a exploitable flaw.  The changes necessary in protocol to
allow a formal proof may in fact weaken the overall security of the
protocol (reference below).

The paper below claims no such thing. I am claiming that there is a
weakness in standard model security for dragonfly,  not that there is an
exploitable flaw.

In fact tight reductions are possible, despite your claim otherwise.
>
>
>
>                         On the Security Loss in Cryptographic Reductions
>
> Proceeding: EUROCRYPT '09 Proceedings of the 28th Annual International
Conference on Advances in Cryptology: the Theory and Applications
Cryptographic Techniques
>
> Pages 72 - 87
>
> Almost all the important cryptographic protocols we have today base their
security on unproven assumptions, which all imply NP $\ne$ P, and thus
having unconditional proofs of their security seems far beyond our reach.
One research effort then is to identify more basic primitives and prove the
security of these protocols by reductions to the security of these
primitives. However, in doing so, one often observes some security loss in
the form that the security of the protocols is measured against weaker
adversaries, e.g., adversaries with a smaller running time. Is such a
security loss avoidable? We study two of the most basic cryptographic
reductions: hardness amplification of one-way functions and constructing
pseudorandom generators from one-way functions. We show that when they are
done in a certain black-box way, such a security loss is in fact
unavoidable.
>
>
>
>
>
> Your adamancy to make up issues with Dragonfly seems to imply you feel
this is a ‘down selection’ between multiple protocols.  It is not.  TLS is
one possible application, but the Dragonfly protocol was written in a
generic manner to specifically allow the analysis independent of the target
application.  Other schemes would be viable for TLS and I would strongly
support publication and review of multiple password protocol  alternatives
for TLS.
>

I am not "making up issues". I simply think that when a protocol goes into
an RFC it gets used. And that means we should be careful with the protocols
we publish.

Which alternative do you think TLS should use?
>
>
> The Dragonfly protocol has been in other standards act ivies for quite a
few years (usually called  SAE).  The review in this forum has improved
side channel security.  Your suggestions for other TLS solutions should not
block the analysis of this protocol if it is secure.  Making sure we have
clarity on the actual security of a fielded solution in critical and we
should be professional and correct in our analysis.  Mesh networking
networks are using SAE (aka Dragonfly).  Other consumer oriented
applications will appear based on the analysis that the protocol has no
exploitable weakness.
>
>

Not our problem. We are the IETF not the consumer electronics board.
Analyse it yourself. Or wait for someone else to do so. Or pay.

>
> Do also note that the  IPR disclosures for AugPAKE that you advocate have
limitations and are constrained to the IETF and TLS.  AugPAKE is completely
unacceptable for any broader application in consumer equipment (IMHO).
There are many engineering criteria to balance in the section of
appropriate algorithms for the industry.  Support of ‘reductions’ for a
formal proof are way down the list in my priorities.  I see that we
disagree on this point, and hope that you would look at the broader set of
industry requirements  and tone down your rhetoric.  If you continue to
have objections, please be clear and correct with the analysis.  You still
owe the group a clarification or a retraction on your claimed  2^40th
attack on Dragonfly.
>

It's a foundations of hashing style attack: utterly impractical but
theoretically important.

Why don't you list the requirements, and we'll come up with a protocol that
meets them?

What about being secure against reflection attacks or being well studied?

Of course I thought we were here to support the IETF. Still, this explains
WEP: marvel does not have a single cryptographer reviewing standards
submissions and expects it to be done by the community.
>
>
> Thanks,
>
>
>
> Paul
>
>
>
>
>
>
>
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Watson Ladd
> Sent: Tuesday, February 04, 2014 12:12 PM
> To: rransom. 8774; cfrg@irtf.org
> Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt
>
>
>
>
> On Feb 4, 2014 11:41 AM, "Robert Ransom" <rransom.8774@gmail.com> wrote:
> >
> > On 2/4/14, Dan Harkins <dharkins@lounge.org> wrote:
> >
> > >   This is mentioned in section 6.3 of RFC 5931 (dragonfly as an EAP
> > > method), knowledge of r where PE = r * G can enable a dictionary
> > > attack. But knowledge of r requires doing a discrete logarithm. A
discrete
> > > logarithm is assumed to be "computationally infeasible" and you're
talking
> > > about doing 2^40 of them!?!
> >
> > <http://cr.yp.to/papers.html#nonuniform> is relevant here.  It
> > discusses several other ‘attacks’ of this general type, and explains
> > why they should not be taken seriously.
>
> Bernstein actually argues that one should define complexity measures to
exclude such attacks. This is clear in the paper. Unfortunately time memory
product for the weak password variation is only 2^40.
>
> The problem with foundations of hashing usually isn't a real problem: one
can sign r,H (r, m) with r random to bypass it.
>
> This attack is interesting because of the limits it puts on reductions,
which are the main tool for doing cryptography. If dragonfly could be shown
to have no other weaknesses this would be fine, but no such proof is
forthcoming.
>
> Such a proof would be in the ROM, but as the IETF 88 slides show it would
be tricky.
> >
> >
> > Robert Ransom

v2.23.0 | Report a Bug | By Email