Re: [Cfrg] On the use of Montgomery form curves for key agreement

Manuel Pégourié-Gonnard <mpg@elzevir.fr> Mon, 08 September 2014 20:01 UTC

Return-Path: <mpg@elzevir.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FB601A037A for <cfrg@ietfa.amsl.com>; Mon, 8 Sep 2014 13:01:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.902
X-Spam-Level:
X-Spam-Status: No, score=-2.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-1.652] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GXbfd9VXCn-u for <cfrg@ietfa.amsl.com>; Mon, 8 Sep 2014 13:01:01 -0700 (PDT)
Received: from mordell.elzevir.fr (mordell.elzevir.fr [92.243.3.74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF8BC1A02F2 for <cfrg@irtf.org>; Mon, 8 Sep 2014 13:01:00 -0700 (PDT)
Received: from thue.elzevir.fr (thue.elzevir.fr [88.165.216.11]) by mordell.elzevir.fr (Postfix) with ESMTPS id 0FA4516148; Mon, 8 Sep 2014 22:00:58 +0200 (CEST)
Received: from [192.168.0.124] (unknown [192.168.0.254]) by thue.elzevir.fr (Postfix) with ESMTPSA id B0D091F635; Mon, 8 Sep 2014 22:00:55 +0200 (CEST)
Message-ID: <540E0AF7.1010503@elzevir.fr>
Date: Mon, 08 Sep 2014 22:00:55 +0200
From: =?windows-1252?Q?Manuel_P=E9gouri=E9-Gonnard?= <mpg@elzevir.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0
MIME-Version: 1.0
To: Andy Lutomirski <luto@amacapital.net>, Nico Williams <nico@cryptonector.com>
References: <e16ac4926a934565a65456058e50b68e@BL2PR03MB242.namprd03.prod.outlook.com> <20140902165340.17284.qmail@cr.yp.to> <d4322ec172d74aab83a1d17cf4dcf786@BL2PR03MB242.namprd03.prod.outlook.com> <20140903052704.GM8540@cph.win.tue.nl> <CAK3OfOjfSxHOE4fZzgVNmxEsF4ss_Bh+x7sc0rYTBRRznsbNqw@mail.gmail.com> <CALCETrU-rMBE7_VD+5yT_MuXsXXHZ_OhSywfuez3x2ohEQ+Hjw@mail.gmail.com>
In-Reply-To: <CALCETrU-rMBE7_VD+5yT_MuXsXXHZ_OhSywfuez3x2ohEQ+Hjw@mail.gmail.com>
OpenPGP: id=98EED379; url=https://elzevir.fr/gpg/mpg.asc
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/mQIrWs1RWtKNOQoo8t2k6r1ZD1g
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2014 20:01:03 -0000

On 08/09/2014 21:34, Andy Lutomirski wrote:
> On Mon, Sep 8, 2014 at 11:51 AM, Nico Williams <nico@cryptonector.com>; wrote:
>> As for key reuse (as opposed to how long after use the key is
>> destroyed), obviously it cannot be bad, otherwise we'd only have
>> ephemeral-ephemeral DH.  But we've been using DH with static keys
>> since DH was invented.
>>
Key reuse is bad if the implementation has side channels. Well, arguably that
should never be the case, but anyway.

> Certainly the any exchange of the form K = H(g^(a+b)) followed by use
> of most AEADs (e.g. GCM, most things using Poly1305, etc) starting
> with IV 0 and key K (or a hash of K) will fail catastrophically.
> 
This can certainly be a catastrophic failure in some protocol, but in TLS at
least I think the random values from the hello messages prevent this particular
mode of failure.

> In summary, I think that a protocol intended to allow ephemeral key
> reuse needs to specify that reuse is allowed (so the proofs can be
> designed correctly) and to specify *how* the keys may be reused (to
> avoid catastrophic failure).
> 
However, I agree with this point.

> I hope that OpenSSL doesn't already reuse ECDH keys on the client.
> The code is entirely incomprehensible, so my five minutes of trying to
> understand it went nowhere at all.
> 
I would assume they don't: on server you must select one curve, while on the
client curve selection is dynamic. I take this as an indication that they reuse
keys on the server but not on the client. But do not trust me on this!

Manuel.