Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.
Mike Hamburg <mike@shiftleft.org> Tue, 17 November 2015 02:29 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8421A00EF for <cfrg@ietfa.amsl.com>; Mon, 16 Nov 2015 18:29:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qke8sL9kyBOM for <cfrg@ietfa.amsl.com>; Mon, 16 Nov 2015 18:29:48 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 147AA1A6FEE for <cfrg@irtf.org>; Mon, 16 Nov 2015 18:29:47 -0800 (PST)
Received: from [10.82.86.142] (mobile-166-171-250-180.mycingular.net [166.171.250.180]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id DFC153AA71; Mon, 16 Nov 2015 18:27:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1447727259; bh=bIufKFahtGUzzCHIDo4y69WpElsP12TKykWAMjcBVo4=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=jWj9wNAERzk9I5IvTWXtvAHvKCW0oLH19iLJbNswQQzk7Hl7MuLqt0MIfXBPJOa/H vawJAhJZlhRkOC5Gyx14qkvkcuI5bS18twMS+eNlmvh/ERekmwXvQZymVNczfHh4bd YDdeWh3NabkSL3Z2dgwubq4tO3O93TAiVilhy6H8=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Mike Hamburg <mike@shiftleft.org>
X-Mailer: iPhone Mail (13B143)
In-Reply-To: <CAMm+LwiaKEHFRCFczQF+mUCKBLTVbaQ55P-KXNnjV3jEnnXWgA@mail.gmail.com>
Date: Mon, 16 Nov 2015 18:29:42 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <19090157-473E-4F19-BECE-0CB9955233C9@shiftleft.org>
References: <CAMfhd9XgxrFyRxEqd=4NSX29t=ymQeyq3pT6VjpezUgrm6TyBg@mail.gmail.com> <CAMm+LwiaKEHFRCFczQF+mUCKBLTVbaQ55P-KXNnjV3jEnnXWgA@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/qj61C41bW-eYOe-tHTTZ23YjQyU>
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Switching the zero-check from MUST to MAY in the curves draft.
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 02:29:49 -0000
Sent from my phone. Please excuse brevity and typos. > On Nov 16, 2015, at 18:01, Phillip Hallam-Baker <phill@hallambaker.com> wrote: > > What is the probability that all zeros occurs at random? I believe the answer is: for x25519, zero. For x448, 1/2^445 per party, which is essentially zero. This is because the order of curve25519 is slightly greater than a power of 2, and the order of curve448 is slightly less. An implementation which is actually worried about this can call the x448 ephemeral keygen in a loop until it succeeds. > Is there a mechanism that would allow an attacker to force use of all zeros? Yes, an attacker can easily force it by sending specific values of g^x, most of which cannot be produced by a legitimate implementation. There are something like 5 such values for curve448 and 14 such values for curve25519. -- Mike > >> On Mon, Nov 16, 2015 at 6:03 PM, Adam Langley <agl@imperialviolet.org> wrote: >> At the moment, the curves draft says that implementations MUST check >> for the all-zero output and abort if it's found, at least in >> Diffie-Hellman. The all-zero output results when the input point has >> small order and this sort of thing has, in the past, broken at least >> Tor and TLS channel bindings. >> >> While reactions on the list were ambivalent to the suggestion, I had >> hoped that implementations would take this requirement as a simple >> defence-in-depth measure in keeping with the general robustness theme >> of this work. >> >> I was mistaken. It's since become clear that some disagree >> sufficiently strongly about this that we aren't going to see a >> realignment of implementations around this behaviour. While I still >> think that it's a sensible requirement, RFCs that are prescriptive >> rather than descriptive are terrible and so I currently hope to switch >> from MUST to MAY once the draft has completed the editor's queue. >> Instead, some wording would be added to the Security Considerations >> section. >> >> This change contains the accumulation of tweaks that I currently have >> saved up, including this one: >> https://github.com/agl/cfrgcurve/commit/c7749d4bb5ceabdb30f211d4aaa6df2b68d7c5e1 >> >> This email is notice that I currently plan on making this change. Note >> that the question here isn't whether the zero check is a good idea or >> not. Rather it's that, given that a non-trivial number of >> implementations aren't going to implement it, what's the best thing to >> write? >> >> >> Cheers >> >> AGL >> >> -- >> Adam Langley agl@imperialviolet.org https://www.imperialviolet.org >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] Switching the zero-check from MUST to MAY … Adam Langley
- Re: [Cfrg] Switching the zero-check from MUST to … Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Switching the zero-check from MUST to … Deirdre Connolly
- Re: [Cfrg] Switching the zero-check from MUST to … Phillip Hallam-Baker
- Re: [Cfrg] Switching the zero-check from MUST to … Mike Hamburg
- Re: [Cfrg] Switching the zero-check from MUST to … Taylor R Campbell
- Re: [Cfrg] Switching the zero-check from MUST to … Watson Ladd
- Re: [Cfrg] Switching the zero-check from MUST to … Phillip Hallam-Baker
- Re: [Cfrg] Switching the zero-check from MUST to … Adam Langley
- Re: [Cfrg] Switching the zero-check from MUST to … Deirdre Connolly
- Re: [Cfrg] Switching the zero-check from MUST to … Rene Struik
- Re: [Cfrg] Switching the zero-check from MUST to … Rene Struik
- Re: [Cfrg] Switching the zero-check from MUST to … Greg Hudson
- Re: [Cfrg] Switching the zero-check from MUST to … Watson Ladd
- Re: [Cfrg] Switching the zero-check from MUST to … Rene Struik
- Re: [Cfrg] Switching the zero-check from MUST to … Watson Ladd