Re: [Cfrg] On the use of Montgomery form curves for key agreement

[Andy Lutomirski <luto@amacapital.net>]

On Mon, Sep 8, 2014 at 1:00 PM, Manuel Pégourié-Gonnard <mpg@elzevir.fr> wrote:
> On 08/09/2014 21:34, Andy Lutomirski wrote:
>> On Mon, Sep 8, 2014 at 11:51 AM, Nico Williams <nico@cryptonector.com> wrote:
>>> As for key reuse (as opposed to how long after use the key is
>>> destroyed), obviously it cannot be bad, otherwise we'd only have
>>> ephemeral-ephemeral DH.  But we've been using DH with static keys
>>> since DH was invented.
>>>
> Key reuse is bad if the implementation has side channels. Well, arguably that
> should never be the case, but anyway.
>
>> Certainly the any exchange of the form K = H(g^(a+b)) followed by use
>> of most AEADs (e.g. GCM, most things using Poly1305, etc) starting
>> with IV 0 and key K (or a hash of K) will fail catastrophically.
>>
> This can certainly be a catastrophic failure in some protocol, but in TLS at
> least I think the random values from the hello messages prevent this particular
> mode of failure.
>
>> In summary, I think that a protocol intended to allow ephemeral key
>> reuse needs to specify that reuse is allowed (so the proofs can be
>> designed correctly) and to specify *how* the keys may be reused (to
>> avoid catastrophic failure).
>>
> However, I agree with this point.
>
>> I hope that OpenSSL doesn't already reuse ECDH keys on the client.
>> The code is entirely incomprehensible, so my five minutes of trying to
>> understand it went nowhere at all.
>>
> I would assume they don't: on server you must select one curve, while on the
> client curve selection is dynamic. I take this as an indication that they reuse
> keys on the server but not on the client. But do not trust me on this!

Except that even this isn't true in OpenSSL 1.1 (I think).  Servers
can finally specify a preference list for curves.  I think it's still
safe, though.

--Andy