IETF Logo Mail Archive

Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.

Mike Hamburg <mike@shiftleft.org> Tue, 17 November 2015 02:29 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8421A00EF for <cfrg@ietfa.amsl.com>; Mon, 16 Nov 2015 18:29:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qke8sL9kyBOM for <cfrg@ietfa.amsl.com>; Mon, 16 Nov 2015 18:29:48 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 147AA1A6FEE for <cfrg@irtf.org>; Mon, 16 Nov 2015 18:29:47 -0800 (PST)
Received: from [10.82.86.142] (mobile-166-171-250-180.mycingular.net [166.171.250.180]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id DFC153AA71; Mon, 16 Nov 2015 18:27:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1447727259; bh=bIufKFahtGUzzCHIDo4y69WpElsP12TKykWAMjcBVo4=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=jWj9wNAERzk9I5IvTWXtvAHvKCW0oLH19iLJbNswQQzk7Hl7MuLqt0MIfXBPJOa/H vawJAhJZlhRkOC5Gyx14qkvkcuI5bS18twMS+eNlmvh/ERekmwXvQZymVNczfHh4bd YDdeWh3NabkSL3Z2dgwubq4tO3O93TAiVilhy6H8=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Mike Hamburg <mike@shiftleft.org>
X-Mailer: iPhone Mail (13B143)
In-Reply-To: <CAMm+LwiaKEHFRCFczQF+mUCKBLTVbaQ55P-KXNnjV3jEnnXWgA@mail.gmail.com>
Date: Mon, 16 Nov 2015 18:29:42 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <19090157-473E-4F19-BECE-0CB9955233C9@shiftleft.org>
References: <CAMfhd9XgxrFyRxEqd=4NSX29t=ymQeyq3pT6VjpezUgrm6TyBg@mail.gmail.com> <CAMm+LwiaKEHFRCFczQF+mUCKBLTVbaQ55P-KXNnjV3jEnnXWgA@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/qj61C41bW-eYOe-tHTTZ23YjQyU>
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 02:29:49 -0000


Sent from my phone.  Please excuse brevity and typos.

> On Nov 16, 2015, at 18:01, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> What is the probability that all zeros occurs at random?

I believe the answer is: for x25519, zero. For x448, 1/2^445 per party, which is essentially zero.  This is because the order of curve25519 is slightly greater than a power of 2, and the order of curve448 is slightly less.

An implementation which is actually worried about this can call the x448 ephemeral keygen in a loop until it succeeds.

> Is there a mechanism that would allow an attacker to force use of all zeros?

Yes, an attacker can easily force it by sending specific values of g^x, most of which cannot be produced by a legitimate implementation.   There are something like 5 such values for curve448 and 14 such values for curve25519.

-- Mike


> 
>> On Mon, Nov 16, 2015 at 6:03 PM, Adam Langley <agl@imperialviolet.org> wrote:
>> At the moment, the curves draft says that implementations MUST check
>> for the all-zero output and abort if it's found, at least in
>> Diffie-Hellman. The all-zero output results when the input point has
>> small order and this sort of thing has, in the past, broken at least
>> Tor and TLS channel bindings.
>> 
>> While reactions on the list were ambivalent to the suggestion, I had
>> hoped that implementations would take this requirement as a simple
>> defence-in-depth measure in keeping with the general robustness theme
>> of this work.
>> 
>> I was mistaken. It's since become clear that some disagree
>> sufficiently strongly about this that we aren't going to see a
>> realignment of implementations around this behaviour. While I still
>> think that it's a sensible requirement, RFCs that are prescriptive
>> rather than descriptive are terrible and so I currently hope to switch
>> from MUST to MAY once the draft has completed the editor's queue.
>> Instead, some wording would be added to the Security Considerations
>> section.
>> 
>> This change contains the accumulation of tweaks that I currently have
>> saved up, including this one:
>> https://github.com/agl/cfrgcurve/commit/c7749d4bb5ceabdb30f211d4aaa6df2b68d7c5e1
>> 
>> This email is notice that I currently plan on making this change. Note
>> that the question here isn't whether the zero check is a good idea or
>> not. Rather it's that, given that a non-trivial number of
>> implementations aren't going to implement it, what's the best thing to
>> write?
>> 
>> 
>> Cheers
>> 
>> AGL
>> 
>> --
>> Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email