Re: [Cfrg] Twist security question
Michael Hamburg <mike@shiftleft.org> Mon, 21 July 2014 17:35 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 902F51A01C8 for <cfrg@ietfa.amsl.com>; Mon, 21 Jul 2014 10:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.557
X-Spam-Level: *
X-Spam-Status: No, score=1.557 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m0mgzeX_LSD1 for <cfrg@ietfa.amsl.com>; Mon, 21 Jul 2014 10:35:52 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 723421A01AC for <cfrg@irtf.org>; Mon, 21 Jul 2014 10:35:52 -0700 (PDT)
Received: from [192.168.1.124] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 8475F3AA12; Mon, 21 Jul 2014 10:34:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1405964043; bh=MvUaefHFchY6iOAnQKs5eNAPA38E9AgCATlPkQgfFCc=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=kGPZRdCK5cqN0CwiO5Oi2XaAPQcCmDi3ynztZknNfdZ4pSPeX4UzmBYA8jNair6Gk 9sPIe4g3rpO4Is/Pe6P86wXlIGbsnhfZirbU4koXqp+gIY75LTLEq44+54KBLMHVp4 PI1uJU0fJdux1nNy7Qo/v9GmQ39ZGiLHuIY7MNfU=
Content-Type: multipart/alternative; boundary="Apple-Mail=_9C4B3953-284C-4394-87E0-CD77D39A00F7"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <20140721170703.6656149.88919.16917@certicom.com>
Date: Mon, 21 Jul 2014 10:35:47 -0700
Message-Id: <31A4333C-1CDF-4734-88CB-D62E66618E5E@shiftleft.org>
References: <20140721170703.6656149.88919.16917@certicom.com>
To: Dan Brown <dbrown@certicom.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/jCAVTSlvOCDeplVwebTfVrymmUs
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Twist security question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2014 17:35:54 -0000
Yeah, I’ve wondered about that too. If you give the attacker the point on the twist, it probably gives away information in E(F^2) as well which she wouldn't obtain otherwise. But in Curve25519 you hash the point, and in the random oracle the attack is going to be really weak.
The attacker supplies a point P on the twist, and gets (information derived from) the hash of some other point Q on the twist. She can’t force Q into a subgroup other than {identity} or the whole q-torsion. She can’t guess Q if it’s in the q-torsion. So it seems she can’t learn anything from that hash. Likewise, she can’t predict anything about the hash (except whether it’s H(identity)), so she can’t attack the rest of the protocol with it.
In the ROM there's not even an attack through discrete log or CDH on the twist, because no honest party ever outputs a point on the twist.
This isn’t a rigorous argument, though, because I don’t see an obvious proof that the attacker can’t narrow down Q on the twist. That is, maybe she can figure out that your public key corresponds to at most a million “twist-public-keys” G_twist^secret, and then figure out which one by sending G_twist.
But it seems that the attacker cannot learn anything at all in the ROM without solving a sort of twisting problem:
Given (G, G^x) on the curve where x is in some big set (the Curve25519 public key set is weird),
And some sort of fixed-DDH oracle on the curve, because she can interact with the real protocol,
Find points (H, H^x) with order q on the twist with non-negligible probability.
Cheers,
— Mike
On Jul 21, 2014, at 10:07 AM, Dan Brown <dbrown@certicom.com> wrote:
> Since Curve25519 DH protocol lets info about private key out via the twist (then kdf, mac and cipher), it seems to require an extra computational assumption, right?
>
> Probably this has been considered before. Maybe there's a reduction to a standard problem, or a generic group model proof, at least, which ought to be easy.
>
> Best regards,
>
> -- Dan
>
> PS N. Smart's comments about twist security got me thinking about this.
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] Twist security question Dan Brown
- Re: [Cfrg] Twist security question Michael Hamburg
- Re: [Cfrg] Twist security question Robert Ransom