Re: [Cfrg] 2^40. I can't exhibit it, but it exists.
Watson Ladd <watsonbladd@gmail.com> Tue, 04 February 2014 23:44 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CAA31A0196 for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 15:44:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qoIyYlJmeZZM for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 15:43:57 -0800 (PST)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com [IPv6:2607:f8b0:4002:c07::22c]) by ietfa.amsl.com (Postfix) with ESMTP id D1F211A01AC for <cfrg@irtf.org>; Tue, 4 Feb 2014 15:43:56 -0800 (PST)
Received: by mail-yk0-f172.google.com with SMTP id 200so26577097ykr.3 for <cfrg@irtf.org>; Tue, 04 Feb 2014 15:43:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=zDDVKnfPUMfKDkif6x8tIS0OFiItOtYTORGYtw9eQo8=; b=Ei2Yj7pdZNFjQj5FgBSSpox4Mmn/7/+dr7baXXOK1ZxDLHGth5onDfc+jaOQ8Kqs4t yfdyj8O/9f5TPE4Ue/w2kqV41NS47KeEeuYsLQUbigejILWh8Sr13jg93XrzGevnNs4S ce//CRakRMvY4AOlKCnyqjQl5QGYrXBH0aA3TwEhAsXx/0pCPskrFX/RAs8LNGUA3xZN eUeMNF76BUnY9AB3HmXrIVYU+sTHPxN0jafUrysi9JG60ei7fjBSj1o/vaAD6Tvf9IKS qhXeu/3CPzOS+ZF3rAtX+DtUHkrHn9cw9DyCqpJ+YuQHTGGhP+Ej4wveqpHgqGdzIY7E rEFQ==
MIME-Version: 1.0
X-Received: by 10.236.168.166 with SMTP id k26mr9249928yhl.64.1391557436103; Tue, 04 Feb 2014 15:43:56 -0800 (PST)
Received: by 10.170.126.76 with HTTP; Tue, 4 Feb 2014 15:43:56 -0800 (PST)
Received: by 10.170.126.76 with HTTP; Tue, 4 Feb 2014 15:43:56 -0800 (PST)
In-Reply-To: <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7F7C@SC-VEXCH2.marvell.com>
References: <20140203192451.6268.76511.idtracker@ietfa.amsl.com> <7af2f9df96e5867d493c614806235363.squirrel@www.trepanning.net> <CACsn0cm1f-P95je5AbEbZ02Ut3+HM7Hx28P6j46TqE-=06eZDg@mail.gmail.com> <52F00EF3.3040505@cisco.com> <CACsn0c=zS5GKex3eF_hKgTsL1kH=TiBi3iAP9oMrJ9hDQcT4Gw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7DE5@SC-VEXCH2.marvell.com> <CACsn0cn0TaHsDkyN2ewOorxxBzXivCg=QGR-ZnBiC3nJhvhpRg@mail.gmail.com> <14AB44E0-4C90-4E4C-A656-885A31CF4C02@checkpoint.com> <CACsn0cmDT-FAN8uMZ0w8TX6GKPAZjnrexLeFQd7QhRfoY6AGFQ@mail.gmail.com> <75e1e853dc391b418062ee5e51adeb2f.squirrel@www.trepanning.net> <CABqy+sr7ZKrACj4Ga2_75d9Kea0aKbrp2P5fWWu4YZP53zijxw@mail.gmail.com> <CACsn0cmS152wYQWHiX8ykzaMM=6b=r=fwVuLfPj_u0wmoq0jKw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7F7C@SC-VEXCH2.marvell.com>
Date: Tue, 04 Feb 2014 15:43:56 -0800
Message-ID: <CACsn0c=a5PvZOZgVRjHaJ2avGCPHF6b6nOpNh+iT0909X-jUFA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Paul Lambert <paul@marvell.com>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="20cf3040edbaa9e35104f19d36d0"
Subject: Re: [Cfrg] 2^40. I can't exhibit it, but it exists.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 23:44:01 -0000
On Feb 4, 2014 2:06 PM, "Paul Lambert" <paul@marvell.com> wrote: > > > > >From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Watson Ladd > >Sent: Tuesday, February 04, 2014 12:12 PM > > > > >This attack is interesting because of the limits it puts on reductions, which are > >the main tool for doing cryptography. If dragonfly could be shown to have no > >other weaknesses this would be fine, but no such proof is forthcoming. > > When you say ‘no other’ you continue to imply that you have identified a realistic exploitable weakness. The difficulty in ‘reducing’ the Dragonfly proposal is not a exploitable flaw. The changes necessary in protocol to allow a formal proof may in fact weaken the overall security of the protocol (reference below). The paper below claims no such thing. I am claiming that there is a weakness in standard model security for dragonfly, not that there is an exploitable flaw. In fact tight reductions are possible, despite your claim otherwise. > > > > On the Security Loss in Cryptographic Reductions > > Proceeding: EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications Cryptographic Techniques > > Pages 72 - 87 > > Almost all the important cryptographic protocols we have today base their security on unproven assumptions, which all imply NP $\ne$ P, and thus having unconditional proofs of their security seems far beyond our reach. One research effort then is to identify more basic primitives and prove the security of these protocols by reductions to the security of these primitives. However, in doing so, one often observes some security loss in the form that the security of the protocols is measured against weaker adversaries, e.g., adversaries with a smaller running time. Is such a security loss avoidable? We study two of the most basic cryptographic reductions: hardness amplification of one-way functions and constructing pseudorandom generators from one-way functions. We show that when they are done in a certain black-box way, such a security loss is in fact unavoidable. > > > > > > Your adamancy to make up issues with Dragonfly seems to imply you feel this is a ‘down selection’ between multiple protocols. It is not. TLS is one possible application, but the Dragonfly protocol was written in a generic manner to specifically allow the analysis independent of the target application. Other schemes would be viable for TLS and I would strongly support publication and review of multiple password protocol alternatives for TLS. > I am not "making up issues". I simply think that when a protocol goes into an RFC it gets used. And that means we should be careful with the protocols we publish. Which alternative do you think TLS should use? > > > The Dragonfly protocol has been in other standards act ivies for quite a few years (usually called SAE). The review in this forum has improved side channel security. Your suggestions for other TLS solutions should not block the analysis of this protocol if it is secure. Making sure we have clarity on the actual security of a fielded solution in critical and we should be professional and correct in our analysis. Mesh networking networks are using SAE (aka Dragonfly). Other consumer oriented applications will appear based on the analysis that the protocol has no exploitable weakness. > > Not our problem. We are the IETF not the consumer electronics board. Analyse it yourself. Or wait for someone else to do so. Or pay. > > Do also note that the IPR disclosures for AugPAKE that you advocate have limitations and are constrained to the IETF and TLS. AugPAKE is completely unacceptable for any broader application in consumer equipment (IMHO). There are many engineering criteria to balance in the section of appropriate algorithms for the industry. Support of ‘reductions’ for a formal proof are way down the list in my priorities. I see that we disagree on this point, and hope that you would look at the broader set of industry requirements and tone down your rhetoric. If you continue to have objections, please be clear and correct with the analysis. You still owe the group a clarification or a retraction on your claimed 2^40th attack on Dragonfly. > It's a foundations of hashing style attack: utterly impractical but theoretically important. Why don't you list the requirements, and we'll come up with a protocol that meets them? What about being secure against reflection attacks or being well studied? Of course I thought we were here to support the IETF. Still, this explains WEP: marvel does not have a single cryptographer reviewing standards submissions and expects it to be done by the community. > > > Thanks, > > > > Paul > > > > > > > > From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Watson Ladd > Sent: Tuesday, February 04, 2014 12:12 PM > To: rransom. 8774; cfrg@irtf.org > Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt > > > > > On Feb 4, 2014 11:41 AM, "Robert Ransom" <rransom.8774@gmail.com> wrote: > > > > On 2/4/14, Dan Harkins <dharkins@lounge.org> wrote: > > > > > This is mentioned in section 6.3 of RFC 5931 (dragonfly as an EAP > > > method), knowledge of r where PE = r * G can enable a dictionary > > > attack. But knowledge of r requires doing a discrete logarithm. A discrete > > > logarithm is assumed to be "computationally infeasible" and you're talking > > > about doing 2^40 of them!?! > > > > <http://cr.yp.to/papers.html#nonuniform> is relevant here. It > > discusses several other ‘attacks’ of this general type, and explains > > why they should not be taken seriously. > > Bernstein actually argues that one should define complexity measures to exclude such attacks. This is clear in the paper. Unfortunately time memory product for the weak password variation is only 2^40. > > The problem with foundations of hashing usually isn't a real problem: one can sign r,H (r, m) with r random to bypass it. > > This attack is interesting because of the limits it puts on reductions, which are the main tool for doing cryptography. If dragonfly could be shown to have no other weaknesses this would be fine, but no such proof is forthcoming. > > Such a proof would be in the ROM, but as the IETF 88 slides show it would be tricky. > > > > > > Robert Ransom
- [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.t… internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… David McGrew
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… David McGrew
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Paul Lambert
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Yoav Nir
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Mike Hamburg
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Robert Ransom
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Paul Lambert
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Michael Hamburg
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Watson Ladd
- [Cfrg] publishing dragonfly (was: Re: 2^40. I can… David McGrew
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Eggert, Lars
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Manger, James
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Eggert, Lars
- [Cfrg] NSA sabotaging crypto standards Manger, James
- Re: [Cfrg] NSA sabotaging crypto standards Alexandre Anzala-Yamajako
- Re: [Cfrg] how can CFRG improve cryptography in t… Rob Stradling
- Re: [Cfrg] NSA sabotaging crypto standards Eggert, Lars
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Paul Hoffman
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Paul Hoffman
- Re: [Cfrg] NSA sabotaging crypto standards David McGrew
- Re: [Cfrg] NSA sabotaging crypto standards Dan Harkins
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] NSA sabotaging crypto standards Nikos Mavrogiannopoulos
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- [Cfrg] how can CFRG improve cryptography in the I… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Daniel Kahn Gillmor
- Re: [Cfrg] NSA sabotaging crypto standards Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Rene Struik
- Re: [Cfrg] how can CFRG improve cryptography in t… Stephen Farrell
- Re: [Cfrg] how can CFRG improve cryptography in t… dan
- Re: [Cfrg] how can CFRG improve cryptography in t… Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… Daniel Kahn Gillmor
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Stephen Farrell
- Re: [Cfrg] how can CFRG improve cryptography in t… Tom Ritter
- Re: [Cfrg] how can CFRG improve cryptography in t… Igoe, Kevin M.
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Paul Lambert
- Re: [Cfrg] how can CFRG improve cryptography in t… Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… Rene Struik
- Re: [Cfrg] how can CFRG improve cryptography in t… Geoffrey Waters
- Re: [Cfrg] how can CFRG improve cryptography in t… S Moonesamy
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew