Re: [Cfrg] Handling invalid points
Michael Hamburg <mike@shiftleft.org> Sat, 22 November 2014 02:34 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9E971AC3A5 for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 18:34:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.955
X-Spam-Level: **
X-Spam-Status: No, score=2.955 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VMSPsw8hVdAv for <cfrg@ietfa.amsl.com>; Fri, 21 Nov 2014 18:34:57 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BA5F1AC3A1 for <cfrg@irtf.org>; Fri, 21 Nov 2014 18:34:57 -0800 (PST)
Received: from [10.184.148.249] (unknown [209.36.6.242]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 0D4163ABAF; Fri, 21 Nov 2014 18:33:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1416623615; bh=iP/5yq0dqS+GY/sgh7ykl+FKe99tPmAK1p5RQL/aR8Q=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=brnOCswy349oz8Yq7X3AgFrWBHLjS9ESAbdVLiC73Ny3JkXxJu/kNs2WrjIYFmz8+ lU/oX+qcbydD/DGUXlTidpAoRIjRgoCKcHfm1m0fDy0+Pbijx9DQT+7pTpd5KERMfs EnjTc2ppGOY4qoAgauw+Vd7L4g1W9UXCgJk90xHU=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <5C83990C-D144-44AC-A5F9-944E499A6F2E@shiftleft.org>
Date: Fri, 21 Nov 2014 18:34:54 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <A2BB5C20-A638-4DC2-A091-998F146BA3E8@shiftleft.org>
References: <20141121231233.18473.qmail@cr.yp.to> <5C83990C-D144-44AC-A5F9-944E499A6F2E@shiftleft.org>
To: "D. J. Bernstein" <djb@cr.yp.to>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/nSTsgVm_B09Cx7kj_EKNgzqCkis
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Handling invalid points
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Nov 2014 02:34:58 -0000
> On Nov 21, 2014, at 4:57 PM, Michael Hamburg <mike@shiftleft.org> wrote: > > 2) > > For curves with a cofactor, ECDH is not 1:1. This affects Trevor Perrin’s > TripleDH protocol, which attempts to work around concerns about patents on > session-hashing (don’t ask me what those are, I haven’t studied them). As > a result, TripleDH implementations are forbidden to clear the cofactor, and > secret keys must be invertible mod the cofactor (i.e. odd). If this requirement > were violated, it probably wouldn’t lead to an attack, but it wouldn’t guarantee > that the sessions seen by both sides were exactly the same. Trevor has corrected me: TripleDH no longer forbids clearing the cofactor, because that’s weird. Instead it deals with this issue in a different way. — Mike
- [Cfrg] Requirements for elliptic curves with a vi… RONDEPIERRE Franck
- Re: [Cfrg] Requirements for elliptic curves with … Dan Brown
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Manuel Pégourié-Gonnard
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Alyssa Rowan
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Andy Lutomirski
- [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Handling invalid points Natanael
- Re: [Cfrg] Requirements for elliptic curves with … William Whyte
- Re: [Cfrg] Handling invalid points Ilari Liusvaara
- Re: [Cfrg] Handling invalid points Stephen Farrell
- Re: [Cfrg] Requirements for elliptic curves with … D. J. Bernstein
- Re: [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Adam Langley