Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS

"Dan Harkins" <dharkins@lounge.org> Sat, 25 January 2014 09:34 UTC

Date: Sat, 25 Jan 2014 01:34:33 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [TLS] Curve25519 in TLS and Additional Curves in TLS

On Fri, January 24, 2014 3:15 pm, Watson Ladd wrote:
> On Jan 24, 2014 2:42 PM, "Andrey Jivsov" <crypto@brainhub.org> wrote:
>>
>> On 01/24/2014 01:04 PM, Robert Ransom wrote:
>>>
>>> On 1/24/14, Andrey Jivsov <crypto@brainhub.org> wrote:
>>>>
>>>> On 01/24/2014 12:13 PM, Michael Hamburg wrote:
>>>>>
>>>>> On Jan 24, 2014, at 12:01 PM, Andrey Jivsov <crypto@brainhub.org
>>>>> <mailto:crypto@brainhub.org>> wrote:
>>>>>>
>>>>>> This should work for your suggestions to use the Elligator map,
>>>>>> assuming that I get the corresponding scalar.
>>>>>>
>>>>>> I will need access to the private m for M=mG. I assumed it is sort of
>>>>>> a user static public key.
>>>>>>
>>>>>> The server side adjustments are similar.
>>>>>
>>>>> It is critical to the security of SPAKE2 that nobody can know m. Part
>>>>> of why Elligator is nice is that it removes the possibility that
>>>>> someone could somehow figure out m, thereby breaking the security of
>>>>> the entire system.  It is an essential security feature of Elligator
>>>>> (in this use and others) that it does not give you access to that
>>>>> discrete log.
>>>>>
>>>>> So, in other words, you can’t do this, and changing the system so that
>>>>> you can do this would break it.
>>>>>
>>>>> Cheers,
>>>>> — Mike
>>>>
>>>> Given that I am trusted to keep my password, why am I not trusted to
>>>> keep my m in M=m*G private?
>>>
>>> M and N are protocol parameters, and must be shared among all users.
>>>
>> I see. So the protocol allows a network of nodes where each one can be a
>> server or a client. Given recent discussions on this list, the trusted 3rd
>> party that is generating the M,N and forgetting the m,n had better be
>> really trusted ;-).
>
> All of this to save 32 bytes?

  No, it has nothing to do with saving 32 bytes. It has to do with making
SPAKE2 be something other than the DUAL_EC_DRBG of PAKEs (a protocol
with SUTS-- something up their sleeve).

  Dan.
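The property Mike Hamburg describes above, protocol constants M and N whose discrete logs nobody knows, can be obtained by mapping a public hash output onto the curve with Elligator 2 and clearing the cofactor. The following is an added example, not code from this thread or from any SPAKE2 implementation; it assumes Curve25519's parameters and uses seed labels I chose for illustration.

```python
import hashlib
# Curve25519 in Montgomery form y^2 = x^3 + A*x^2 + x over GF(P); 2 is a non-square mod P.
P = 2**255 - 19
A = 486662

def legendre(a):
    """1 if a is a non-zero square mod P, -1 if a non-square, 0 if a == 0."""
    s = pow(a % P, (P - 1) // 2, P)
    return -1 if s == P - 1 else s

def sqrt_mod_p(a):
    """Square root of a square a mod P, using the P = 5 (mod 8) shortcut."""
    a %= P
    b = pow(a, (P + 3) // 8, P)
    if b * b % P != a:
        b = b * pow(2, (P - 1) // 4, P) % P   # multiply by sqrt(-1)
    assert b * b % P == a, "input was not a square"
    return b

def on_curve(pt):
    x, y = pt
    return (y * y - (x**3 + A * x * x + x)) % P == 0

def elligator2(r):
    """Elligator 2 map: field element r -> affine point on Curve25519 (u = 2)."""
    r %= P
    v = (-A * pow(1 + 2 * r * r, P - 2, P)) % P  # 1 + u*r^2 is never 0 for this curve
    eps = legendre(v**3 + A * v * v + v)
    if eps == 0:  # f(v) == 0 cannot occur on Curve25519; kept defensively
        return (v, 0)
    x = (eps * v - (1 - eps) * A * pow(2, P - 2, P)) % P  # v, or -v - A
    y = (-eps * sqrt_mod_p(x**3 + A * x * x + x)) % P     # f(x) is a square by construction
    return (x, y)

def double(pt):
    """Affine point doubling on the Montgomery curve; used to clear the cofactor 8."""
    x, y = pt
    lam = (3 * x * x + 2 * A * x + 1) * pow(2 * y, P - 2, P) % P
    x3 = (lam * lam - A - 2 * x) % P
    return (x3, (lam * (x - x3) - y) % P)

def nothing_up_my_sleeve_point(label):
    """r = SHA-256(label) mod P, mapped with Elligator 2, then multiplied by 8.
    Because r comes from a public hash, nobody learns the discrete log of the result."""
    r = int.from_bytes(hashlib.sha256(label).digest(), "little") % P
    pt = elligator2(r)
    for _ in range(3):
        pt = double(pt)
    return pt
```

Labels such as b"SPAKE2 M" and b"SPAKE2 N" are constructed for this example; the resulting points lie in the prime-order subgroup and can be published as protocol parameters.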