Re: [Cfrg] On the use of Montgomery form curves for key agreement

Andy Lutomirski <luto@amacapital.net> Mon, 08 September 2014 20:04 UTC

In-Reply-To: <540E0AF7.1010503@elzevir.fr>
References: <e16ac4926a934565a65456058e50b68e@BL2PR03MB242.namprd03.prod.outlook.com> <20140902165340.17284.qmail@cr.yp.to> <d4322ec172d74aab83a1d17cf4dcf786@BL2PR03MB242.namprd03.prod.outlook.com> <20140903052704.GM8540@cph.win.tue.nl> <CAK3OfOjfSxHOE4fZzgVNmxEsF4ss_Bh+x7sc0rYTBRRznsbNqw@mail.gmail.com> <CALCETrU-rMBE7_VD+5yT_MuXsXXHZ_OhSywfuez3x2ohEQ+Hjw@mail.gmail.com> <540E0AF7.1010503@elzevir.fr>
From: Andy Lutomirski <luto@amacapital.net>
Date: Mon, 08 Sep 2014 13:04:02 -0700
Message-ID: <CALCETrUOzb6G9v7+abGc+o2w6894jZ7ZTr2Q==wvEzmtUriAXg@mail.gmail.com>
To: Manuel Pégourié-Gonnard <mpg@elzevir.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/jPX7k_3UpErewzyfCOrlGIdytTw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement

On Mon, Sep 8, 2014 at 1:00 PM, Manuel Pégourié-Gonnard <mpg@elzevir.fr> wrote:
> On 08/09/2014 21:34, Andy Lutomirski wrote:
>> On Mon, Sep 8, 2014 at 11:51 AM, Nico Williams <nico@cryptonector.com> wrote:
>>> As for key reuse (as opposed to how long after use the key is
>>> destroyed), obviously it cannot be bad, otherwise we'd only have
>>> ephemeral-ephemeral DH.  But we've been using DH with static keys
>>> since DH was invented.
>>>
> Key reuse is bad if the implementation has side channels. Well, arguably that
> should never be the case, but anyway.
>
>> Certainly any exchange of the form K = H(g^(a+b)) followed by use
>> of most AEADs (e.g. GCM, most things using Poly1305, etc) starting
>> with IV 0 and key K (or a hash of K) will fail catastrophically.
>>
> This can certainly be a catastrophic failure in some protocol, but in TLS at
> least I think the random values from the hello messages prevent this particular
> mode of failure.
>
>> In summary, I think that a protocol intended to allow ephemeral key
>> reuse needs to specify that reuse is allowed (so the proofs can be
>> designed correctly) and to specify *how* the keys may be reused (to
>> avoid catastrophic failure).
>>
> However, I agree with this point.
>
>> I hope that OpenSSL doesn't already reuse ECDH keys on the client.
>> The code is entirely incomprehensible, so my five minutes of trying to
>> understand it went nowhere at all.
>>
> I would assume they don't: on server you must select one curve, while on the
> client curve selection is dynamic. I take this as an indication that they reuse
> keys on the server but not on the client. But do not trust me on this!

Except that even this isn't true in OpenSSL 1.1 (I think).  Servers
can finally specify a preference list for curves.  I think it's still
safe, though.

--Andy
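The failure mode quoted above (a key derived only from a reused DH secret, with the AEAD nonce restarting at 0) and Manuel's observation that TLS mixes the hello randoms into the key schedule can both be made concrete. The following is an added example and not code from this thread or from OpenSSL; the SHA-256-based counter keystream is a constructed stand-in for the keystream half of GCM or ChaCha20-Poly1305, and the shared secret and "random" values are constructed sample data, not real DH or TLS output. It runs two sessions between the same pair of static keys under each key schedule and checks whether the first records of the two sessions were encrypted under one keystream, which is the condition a reviewer would test for.

```python
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: blocks of SHA-256(key || iv || counter).
    Constructed illustration only; it stands in for the keystream part of a
    real AEAD and is not a cipher anyone should deploy."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Ciphertext = plaintext XOR keystream(key, iv)."""
    return xor_bytes(plaintext, toy_keystream(key, iv, len(plaintext)))


def derive_key_from_secret_only(shared_secret: bytes) -> bytes:
    """K = H(shared secret): identical in every session in which both
    parties reuse their DH keys."""
    return hashlib.sha256(shared_secret).digest()


def derive_key_with_randoms(shared_secret: bytes, client_random: bytes,
                            server_random: bytes) -> bytes:
    """K = H(shared secret || client_random || server_random): a fresh K
    per session even when the DH secret itself repeats."""
    return hashlib.sha256(shared_secret + client_random + server_random).digest()


def keystream_reused(c1: bytes, p1: bytes, c2: bytes, p2: bytes) -> bool:
    """Check: two stream-cipher ciphertexts came from the same keystream
    exactly when c1 XOR c2 == p1 XOR p2."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample values (not real DH output or TLS randoms).
SHARED_SECRET = hashlib.sha256(b"constructed static-static DH secret").digest()
MSG_SESSION_1 = b"session 1: first record sent under the shared key"
MSG_SESSION_2 = b"session 2: same length record, different contents"
IV_ZERO = bytes(12)  # the AEAD nonce restarting at 0 in each session


def compare_key_schedules() -> dict:
    """Two sessions between the same static keys under each key schedule;
    True means the first records of both sessions share a keystream."""
    # Variant A: K depends on the shared secret alone, nonce restarts at 0.
    k = derive_key_from_secret_only(SHARED_SECRET)
    c1 = stream_encrypt(k, IV_ZERO, MSG_SESSION_1)
    c2 = stream_encrypt(k, IV_ZERO, MSG_SESSION_2)
    static_only = keystream_reused(c1, MSG_SESSION_1, c2, MSG_SESSION_2)

    # Variant B: per-session randoms are mixed into the KDF, as in TLS.
    k1 = derive_key_with_randoms(SHARED_SECRET,
                                 b"client-random-1".ljust(32, b"\0"),
                                 b"server-random-1".ljust(32, b"\0"))
    k2 = derive_key_with_randoms(SHARED_SECRET,
                                 b"client-random-2".ljust(32, b"\0"),
                                 b"server-random-2".ljust(32, b"\0"))
    d1 = stream_encrypt(k1, IV_ZERO, MSG_SESSION_1)
    d2 = stream_encrypt(k2, IV_ZERO, MSG_SESSION_2)
    with_randoms = keystream_reused(d1, MSG_SESSION_1, d2, MSG_SESSION_2)

    return {"static_key_iv0": static_only, "key_with_randoms": with_randoms}


if __name__ == "__main__":
    print(compare_key_schedules())
```

The same `keystream_reused` check is what one would apply when reviewing a protocol that permits reuse of ephemeral keys: if any two records across sessions can satisfy it, the key schedule or the nonce derivation needs a per-session contribution.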