Re: [Cfrg] On the use of Montgomery form curves for key agreement

Nico Williams <nico@cryptonector.com> Mon, 08 September 2014 21:26 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 930F91A03C4 for <cfrg@ietfa.amsl.com>; Mon, 8 Sep 2014 14:26:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vUPOLqFSVznD for <cfrg@ietfa.amsl.com>; Mon, 8 Sep 2014 14:26:56 -0700 (PDT)
Received: from homiemail-a105.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 1EA981A03BD for <cfrg@irtf.org>; Mon, 8 Sep 2014 14:26:56 -0700 (PDT)
Received: from homiemail-a105.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a105.g.dreamhost.com (Postfix) with ESMTP id D20D92007D810 for <cfrg@irtf.org>; Mon, 8 Sep 2014 14:26:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=LooqdZa+RTeBgN8j2OXQ XFHEIK8=; b=CyJvDBui+pSW0SbrdOGznX9gwE+qkSBX1Y/nufIW2fml8rmvivll RFFUK32d7GW0tWbYsx1rMd/ja0mMlw6LnlenXTTD0y+im/DhRx27ee8rLCvX8MVV xJVGQaT9lqDJ5u4OpV/qCRcY6PVXpHS+TD23SF3Ekybqprv0x3bdmWE=
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a105.g.dreamhost.com (Postfix) with ESMTPSA id 87A4C2007D80D for <cfrg@irtf.org>; Mon, 8 Sep 2014 14:26:55 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id ex7so3249004wid.14 for <cfrg@irtf.org>; Mon, 08 Sep 2014 14:26:54 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.208.42 with SMTP id mb10mr20548039wic.3.1410211614415; Mon, 08 Sep 2014 14:26:54 -0700 (PDT)
Received: by 10.216.52.8 with HTTP; Mon, 8 Sep 2014 14:26:54 -0700 (PDT)
In-Reply-To: <CALCETrU-rMBE7_VD+5yT_MuXsXXHZ_OhSywfuez3x2ohEQ+Hjw@mail.gmail.com>
References: <e16ac4926a934565a65456058e50b68e@BL2PR03MB242.namprd03.prod.outlook.com> <20140902165340.17284.qmail@cr.yp.to> <d4322ec172d74aab83a1d17cf4dcf786@BL2PR03MB242.namprd03.prod.outlook.com> <20140903052704.GM8540@cph.win.tue.nl> <CAK3OfOjfSxHOE4fZzgVNmxEsF4ss_Bh+x7sc0rYTBRRznsbNqw@mail.gmail.com> <CALCETrU-rMBE7_VD+5yT_MuXsXXHZ_OhSywfuez3x2ohEQ+Hjw@mail.gmail.com>
Date: Mon, 8 Sep 2014 16:26:54 -0500
Message-ID: <CAK3OfOjjYZAmDiYxrtHfXBE3fZyB9tPLQBR3ODWyq5Wojrz4FA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Andy Lutomirski <luto@amacapital.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/nUVZsgiTb_kg2WzW3YmDRRcjL_Y
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2014 21:26:57 -0000

On Mon, Sep 8, 2014 at 2:34 PM, Andy Lutomirski <luto@amacapital.net>; wrote:
> OK, I'll bite.
>
> If the various standards are to be interpreted as permitting parties
> to reuse their ephemeral DH keys for a short time, *which party* is
> allowed to do so?  I bet that, if both parties in a DH exchange reuse
> their ephemeral keys in multiple DH exchanges with each other, the
> security properties of various protocols degrade in varying amounts
> from "anything resembling a security proof is invalidated" to
> "completely insecure".
>
> Certainly the any exchange of the form K = H(g^(a+b)) followed by use
> of most AEADs (e.g. GCM, most things using Poly1305, etc) starting
> with IV 0 and key K (or a hash of K) will fail catastrophically.

This is true, but we have nonces for this.  Alternatively, if we want
no nonces (to avoid them being used to leak key material) then one
party at least must never reuse keys.  The party where reuse gets the
most wins is the server-side.

>> PFS depends on timely destruction of private keys, not non-reuse.
>
> And integrity, and possibly even confidentiality, depends on non-reuse
> of derived keys... :)

Yes, of course.  Again, nonces.

Nico
--