Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS
"Dan Harkins" <dharkins@lounge.org> Sat, 25 January 2014 09:34 UTC
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: cfrg@irtf.org
Date: Sat, 25 Jan 2014 01:34:33 -0800
Message-ID: <e80e64ca4d7d5e2738110a7fe843c2ca.squirrel@www.trepanning.net>
In-Reply-To: <CACsn0ckBXotVh4FtUVSM2tGrN-GeR_xRGHaxFre6gfQ0r1yO7Q@mail.gmail.com>
On Fri, January 24, 2014 3:15 pm, Watson Ladd wrote:
> On Jan 24, 2014 2:42 PM, "Andrey Jivsov" <crypto@brainhub.org> wrote:
>>
>> On 01/24/2014 01:04 PM, Robert Ransom wrote:
>>>
>>> On 1/24/14, Andrey Jivsov <crypto@brainhub.org> wrote:
>>>>
>>>> On 01/24/2014 12:13 PM, Michael Hamburg wrote:
>>>>>
>>>>> On Jan 24, 2014, at 12:01 PM, Andrey Jivsov <crypto@brainhub.org
>>>>> <mailto:crypto@brainhub.org>> wrote:
>>>>>>
>>>>>> This should work for your suggestions to use the Elligator map,
>>>>>> assuming that I get the corresponding scalar.
>>>>>>
>>>>>> I will need access to the private m for M=mG. I assumed it is sort of
>>>>>> a user static public key.
>>>>>>
>>>>>> The server side adjustments are similar.
>>>>>
>>>>> It is critical to the security of SPAKE2 that nobody can know m. Part
>>>>> of why Elligator is nice is that it removes the possibility that
>>>>> someone could somehow figure out m, thereby breaking the security of
>>>>> the entire system. It is an essential security feature of Elligator
>>>>> (in this use and others) that it does not give you access to that
>>>>> discrete log.
>>>>>
>>>>> So, in other words, you can't do this, and changing the system so that
>>>>> you can do this would break it.
>>>>>
>>>>> Cheers,
>>>>> -- Mike
>>>>
>>>> Given that I am trusted to keep my password, why am I not trusted to
>>>> keep my m in M=m*G private?
>>>
>>> M and N are protocol parameters, and must be shared among all users.
>>>
>> I see. So the protocol allows a network of nodes where each one can be a
>> server or a client. Given recent discussions on this list, the trusted 3rd
>> party that is generating the M,N and forgetting the m,n had better be
>> really trusted ;-).
>
> All of this to save 32 bytes?

No, it has nothing to do with saving 32 bytes. It has to do with making
SPAKE2 be something other than the DUAL_EC_DRBG of PAKEs (a protocol with
SUTS-- something up their sleeve).

Dan.
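The property the thread is arguing about, as an added example that is not part of this thread, of the SPAKE2 specification, or of any participant's code: M and N are fixed public protocol parameters, so if they are derived from a public seed by a hash-to-group map, no party ever holds m or n and there is nothing up anyone's sleeve. To keep the example self-contained it uses a toy multiplicative group (the quadratic residues of a 64-bit safe prime, deterministically generated from a constructed seed) instead of Curve25519, and maps labels into the group by hashing and squaring instead of Elligator; the seed string, the labels, the function names and the omission of identities and key confirmation are all assumptions of the example.

```python
import hashlib
import secrets

# Deterministic Miller-Rabin bases: exact for every n < 3.3e24, which covers
# the toy 64-bit group used below.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def derive_safe_prime(seed: bytes, nbytes: int = 8):
    """Deterministically find a safe prime p = 2q + 1 by stepping from a hash of seed.
    Toy size (about 64 bits) so the example runs instantly; not a secure parameter."""
    q = int.from_bytes(hashlib.sha256(seed).digest()[:nbytes], "big") | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def hash_to_group(p: int, label: bytes) -> int:
    """Nothing-up-my-sleeve element of the order-q subgroup of Z_p^* (the quadratic
    residues). Squaring a hashed value lands in the subgroup, and no party ever
    learns log_g of the result; this stands in for Elligator on Curve25519."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % p
        if h not in (0, 1, p - 1):  # these would square to 0 or 1
            return h * h % p
        ctr += 1


def make_params(seed: bytes):
    p, q = derive_safe_prime(seed)
    g = 4  # 2^2 is a quadratic residue; q is prime, so any non-identity residue generates
    M = hash_to_group(p, b"SPAKE2 M|" + seed)  # assumed label
    N = hash_to_group(p, b"SPAKE2 N|" + seed)  # assumed label
    return p, q, g, M, N


# Constructed public seed: anyone can recompute M and N from it and audit the derivation.
PARAMS = make_params(b"constructed SPAKE2 parameter seed for this example")


def _enc(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def password_scalar(q: int, password: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"SPAKE2 pw|" + password).digest(), "big") % q


def spake2(params, pw_client: bytes, pw_server: bytes, rng=secrets.randbelow):
    """One SPAKE2 exchange between client A and server B; returns both derived keys.
    Identities in the transcript and key-confirmation MACs are omitted for brevity."""
    p, q, g, M, N = params
    w_a = password_scalar(q, pw_client)
    w_b = password_scalar(q, pw_server)
    x = 1 + rng(q - 1)
    y = 1 + rng(q - 1)
    X = pow(g, x, p) * pow(M, w_a, p) % p  # A -> B: g^x * M^w
    Y = pow(g, y, p) * pow(N, w_b, p) % p  # B -> A: g^y * N^w
    # Each side strips the peer's password mask with its own w. The subgroup has
    # order q, so N^(q - w) is the inverse of N^w. Only matching passwords yield g^(xy).
    K_a = pow(Y * pow(N, (q - w_a) % q, p) % p, x, p)
    K_b = pow(X * pow(M, (q - w_b) % q, p) % p, y, p)

    def key(K: int, w: int) -> bytes:
        return hashlib.sha256(b"|".join(_enc(v) for v in (X, Y, K, w))).digest()

    return key(K_a, w_a), key(K_b, w_b)


if __name__ == "__main__":
    p, q, g, M, N = PARAMS
    print(f"p={p} q={q} M={M} N={N}")
    ka, kb = spake2(PARAMS, b"correct horse", b"correct horse")
    print("same password, keys match:", ka == kb)
    ka, kb = spake2(PARAMS, b"correct horse", b"wrong horse")
    print("wrong password, keys match:", ka == kb)
```

The design point is that `make_params` takes nothing secret: the seed, the labels and the map are all public, so there is no m to keep, forget, or leak. A party who instead published M = mG from a chosen m would have exactly the "something up their sleeve" Dan refers to.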