IETF Logo Mail Archive

[Cfrg] (flaws with Curve25519 DH function, if one does not check the output) Re: Elliptic Curves - curve form and coordinate systems

Rene Struik <rstruik.ext@gmail.com> Mon, 16 March 2015 14:58 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A4611A87EF for <cfrg@ietfa.amsl.com>; Mon, 16 Mar 2015 07:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wrfOyLIWDTy8 for <cfrg@ietfa.amsl.com>; Mon, 16 Mar 2015 07:58:20 -0700 (PDT)
Received: from mail-ie0-x22a.google.com (mail-ie0-x22a.google.com [IPv6:2607:f8b0:4001:c03::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 771DB1A87C8 for <cfrg@irtf.org>; Mon, 16 Mar 2015 07:58:20 -0700 (PDT)
Received: by iegc3 with SMTP id c3so176189183ieg.3 for <cfrg@irtf.org>; Mon, 16 Mar 2015 07:58:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=eQMMvP6AiOwowwbd62uwZMA5+Mgg//gbOzmRNgwiG54=; b=xlsenT8clkmbwMaMLQnFMSAJOZy0b9J4fajrUNGnoBa6MOLDrT/TUXasP/BmOc5joE TwjEzdWOszgRyU9eKL+VTDW0R61WVx8s5wUvBgda18fUqfYEDPIBehjv8dVWbG0bZ2xm ztnjxzlNQD2B9PqxoN36pzbD6hOJ8icNGkDHBK+cP2OBZ7R6mXlpPuYIqZ1LVLdFT0mm 3Mt19H3bxyWVEGK+EzuAu96T2x2kVwBxhXL6pdzgHYjbmJH3NvYH6yQ4gVMW+MZCLmo4 vXQsy8Y9oT+LD9VeEtMyLv0h88UZ3MlLCPWaZIcWFwXLmL1KaazQEC6wuuuVWA6pXI40 49dA==
X-Received: by 10.42.190.78 with SMTP id dh14mr79720381icb.78.1426517899822; Mon, 16 Mar 2015 07:58:19 -0700 (PDT)
Received: from [192.168.0.10] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id ie15sm6905987igb.12.2015.03.16.07.58.19 for <cfrg@irtf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Mar 2015 07:58:19 -0700 (PDT)
Message-ID: <5506EF80.7010809@gmail.com>
Date: Mon, 16 Mar 2015 10:58:08 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: cfrg@irtf.org
References: <5501E6A5.5040608@brainhub.org> <A6F30412-8E0A-4D8D-9F26-580307B46874@shiftleft.org> <20150316002255.28855.qmail@cr.yp.to> <20150316044906.GA27479@mournblade.imrryr.org> <5506D5BB.3090700@gmail.com> <20150316135620.GC27479@mournblade.imrryr.org>
In-Reply-To: <20150316135620.GC27479@mournblade.imrryr.org>
Content-Type: multipart/alternative; boundary="------------000800040704090104080506"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/mqUYjnRuTWS_3IsW5yMl7nXZsTo>
Subject: [Cfrg] (flaws with Curve25519 DH function, if one does not check the output) Re: Elliptic Curves - curve form and coordinate systems
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 14:58:22 -0000

Hi Viktor:

The key words in your email are "depending on", which does suggest that 
protocol analysis may become quite unwieldy and error-prone itself.

For some examples of authenticated key agreement schemes that are 
supposedly secure against, e.g., the unknown key share attack, but where 
this does not seem to hold any more if the DH key is publicly 
computable, see, e.g.,

    Alfred Menezes, Simon Blake-Wilson,
    Unknown Key Share Attacks Against the Station-to-Station (STS)
    Protocol,
    PKC 1999.

This suggests that what you seem to dismiss as an "attack", may indeed 
be one (i.e., one without your quotation marks).

Rene

On 3/16/2015 9:56 AM, Viktor Dukhovni wrote:
> On Mon, Mar 16, 2015 at 09:08:11AM -0400, Rene Struik wrote:
>
>> You are correct: I have no idea where Dan Bernstein got that from. I *did*
>> comment on the DH function, which, with Montgomery-style specification as
>> in the "Curve25519" draft, is completely insecure, if one does not check
>> the output to be nonzero. This is a form of the small subgroup attack and
>> has been known for over 15 years.
> But in this case the "attack" does not leak any secret key bits
> from either party.  So depending on the higher level protocol there
> may not be any issues, provided such an agreement between M and B
> does not enable M to impersonate B in a communication between A
> and B.
>
> I gather then that this is the issue, and that such higher level
> protocols should reject the zero public key (or avoid the problem
> by ensuring that predictable ECDH output cannot lead to MiTM issues
> on other traffic).
>


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email