Re: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]

"Scott Fluhrer (sfluhrer)" <> Wed, 31 December 2014 15:30 UTC

From: "Scott Fluhrer (sfluhrer)" <>
To: Dan Brown <>, Adam Langley <>, Christoph Anton Mitterer <>
Date: Wed, 31 Dec 2014 15:30:35 +0000
Cc: "" <>
Subject: Re: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]

Actually, that paper doesn’t actually say “it’s possible to pick a malicious generator from a prime-sized group”.  Instead, it (actually, claim 9) says “if we knew of a generator/KDF pair which made deriving the shared secret easy, someone setting up the group could use that to select a random-looking generator that, with that KDF, contains a trap door that he could exploit”.

If anything, that paper can be construed to be an argument for a nonrandom-looking generator (because that doesn’t give anyone a chance to build in the above trap door).

From: Cfrg On Behalf Of Dan Brown
Sent: Wednesday, December 31, 2014 10:07 AM
To: Adam Langley; Christoph Anton Mitterer
Subject: [Cfrg] malicious DH base points [was Re: should the CFRG really strive for consensus?]

The paper talks about the possibility of malicious base points for DH:

Boaz Tsaban: Fast generators for the Diffie-Hellman key agreement protocol and malicious standards. IACR Cryptology ePrint Archive 2005: 231 (2005)

It may be far-fetched, but the paper seems to show that the independence of DH from the base point is not quite a mathematical certainty, unless the paper has been refuted in further research.

Best regards,

-- Dan
From: Adam Langley
Sent: Wednesday, December 31, 2014 9:45 AM
To: Christoph Anton Mitterer
Subject: Re: [Cfrg] should the CFRG really strive for consensus?

On Dec 31, 2014 1:50 PM, "Christoph Anton Mitterer" wrote:
> I think it's really a bad idea for the CFRG to strive so much for
> consensus.

If you believe in the security of curve25519 then you also believe in the security of Microsoft's current position at ~128 bits. They have the same structure and thus strictly the same strength.

There's /no/ possibility of weakening anything, mathematically, with a different base point (in the correct subgroup) or by using an isogeny.

IRTF groups do not, technically, have to reach consensus. However, everyone does have to function on the same Internet at the end of the day.
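Adam Langley's point that a different base point in the correct subgroup cannot weaken anything has a short worked form: a discrete-log solver for one generator solves the problem for any other generator of the same prime-order subgroup, and the h^Q = 1 test is the membership check behind "in the correct subgroup". The Python below is an added example, not code from this thread or from any project it mentions; the group (P = 2039, Q = 1019), the secret exponent and the brute-force stand-in for a "solver" are constructed for illustration.

```python
# Added example (not from the thread): base-point independence of the DLP in a
# prime-order subgroup, plus the subgroup-membership check.
# Constructed group: P = 2*Q + 1 is a safe prime, so the quadratic residues
# mod P form a subgroup of prime order Q. Small enough to brute-force.
P = 2039
Q = 1019


def in_subgroup(h: int) -> bool:
    """h lies in the order-Q subgroup iff 0 < h < P and h^Q == 1 (mod P)."""
    return 0 < h < P and pow(h, Q, P) == 1


def brute_force_dlog(base: int, h: int) -> int:
    """Stand-in for 'a DLP solver relative to base': exhaustive search over
    exponents 0..Q-1. Any real solver for this base could be substituted."""
    acc = 1
    for x in range(Q):
        if acc == h:
            return x
        acc = acc * base % P
    raise ValueError("h is not a power of base")


def dlog_via_other_base(g: int, g2: int, h: int) -> int:
    """Return log_{g2}(h) using only a solver for base g.
    If g2 = g^a and h = g^b, then h = g2^(b * a^-1 mod Q), so two calls to the
    base-g solver give the base-g2 logarithm. a != 0 because g2 != 1."""
    a = brute_force_dlog(g, g2)
    b = brute_force_dlog(g, h)
    return b * pow(a, -1, Q) % Q


def demo() -> bool:
    """Pick a 'random-looking' generator g2 of the same subgroup as g, then
    recover a secret exponent taken relative to g2 using only base-g logs."""
    g = pow(2, 2, P)              # 4 is a quadratic residue, hence of order Q
    g2 = pow(g, 777, P)           # another generator of the same subgroup (constructed)
    if not (in_subgroup(g) and in_subgroup(g2)):
        return False
    x = 432                       # secret exponent, constructed
    h = pow(g2, x, P)             # public value relative to g2
    return dlog_via_other_base(g, g2, h) == x


if __name__ == "__main__":
    print("reduction recovers the secret:", demo())
```

The reduction says nothing about the KDF applied to the shared secret, which is exactly where Tsaban's claim 9, as Scott Fluhrer summarises it, puts the hypothetical trapdoor.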