Re: [Cfrg] On the use of Montgomery form curves for key agreement
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 03 September 2014 19:13 UTC
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Tanja Lange <tanja@hyperelliptic.org>, Brian LaMacchia <bal@microsoft.com>
Date: Wed, 03 Sep 2014 19:13:17 +0000
Message-ID: <D02D245C.2C3CE%kenny.paterson@rhul.ac.uk>
References: <e16ac4926a934565a65456058e50b68e@BL2PR03MB242.namprd03.prod.outlook.com> <20140902165340.17284.qmail@cr.yp.to> <d4322ec172d74aab83a1d17cf4dcf786@BL2PR03MB242.namprd03.prod.outlook.com> <20140903052704.GM8540@cph.win.tue.nl>
In-Reply-To: <20140903052704.GM8540@cph.win.tue.nl>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/sLinBEOuuWQcacjL-Aw6uHH5vZA
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] On the use of Montgomery form curves for key agreement
Hi,

On 03/09/2014 06:27, "Tanja Lange" <tanja@hyperelliptic.org> wrote:

>Dear Brian,
>> Regarding the specific issue you raised concerning Microsoft's TLS
>>implementation, as you will recall Tanja first mentioned this issue to
>>me during dinner i
>>
>I actually made this statement in public in the Q&A after my talk
>when David McGrew asked about the ephemeral key case.

This is indeed true as the minutes should show. But it was a topic of some
passionate discussion at the dinner later, IIRC.

>> As for your suggestion regarding a blanket prohibition on reuse of any
>>ephemeral cryptographic keys across all IETF protocols, given the
>>current environment that does indeed seem like a good idea to me. I
>>guess what we'd really want to do is have CFRG issue a BCP on this
>>point, if that's something the IRTF is allowed to do (I don't know the
>>answer to that process question). Perhaps CFRG can take that issue up
>>once the curve selection process has concluded.
>>
>What exactly do you think the security implications of key reuse are?
>
>Defining ephemeral in a time-based manner is quite normal; the important
>thing to guarantee PFS is to delete the key afterwards, not whether it is
>used for 1 connection or 10 seconds (with potentially 0 connections).

For what it's worth, ephemeral reuse invalidates all the formal security
analyses (in the provable security tradition) for key exchange protocols
that I know of. It certainly invalidates those proofs that I understand for
the TLS Handshake. Would be interesting if the miTLS guys could say what it
means for their TLS proofs from Crypto'14.

My feeling is that this can be got around in the random oracle model for
protocols that hash the DH shared value and various other components by
using a suitable gap assumption or strong DH assumption. However, some care
would be needed in the analysis.

Coming up with a standard model proof for some specific protocol seems much
harder because of the obvious "correlation" between shared DH values that
different parties would end up with. Hashing with a random oracle of course
destroys such relations. There's probably a nice research paper in this for
someone - if it's not already been done (indeed writing such a paper has
been on my to-do list for some time - since long before this thread got
started).

Cheers

Kenny

>
>All the best
> Tanja
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg
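An added illustration of the "correlation" between shared DH values that the message above refers to (this is example code, not code from the thread or from any TLS implementation): when a server reuses its exponent b across two sessions, the raw shared values satisfy z1^a2 = z2^a1, whereas sessions with a fresh server exponent do not; hashing each value with per-session context is the random-oracle step that leaves no such checkable relation. The group parameters and all exponents are constructed toy values.

```python
import hashlib

# Constructed toy group: safe prime p = 2q + 1 with q prime, and g = 4,
# which generates the order-q subgroup. Far too small for real use; chosen
# so the arithmetic is easy to follow.
P = 1019
Q = 509
G = 4


def public_share(x):
    """g^x mod p for a private exponent x."""
    return pow(G, x, P)


def raw_shared(priv, peer_pub):
    """Unhashed DH shared value g^(ab) mod p."""
    return pow(peer_pub, priv, P)


def sessions_linked(z1, a1, z2, a2):
    """Relation between two sessions whose server reused its exponent b:
    (g^{a1 b})^{a2} == (g^{a2 b})^{a1}.  With a fresh b per session the
    two values are independent group elements and the check fails
    (except with negligible probability in a real-sized group)."""
    return pow(z1, a2, P) == pow(z2, a1, P)


def session_key(z, transcript):
    """Random-oracle style derivation: hash z with per-session context.
    The algebraic structure of z is not visible in the output."""
    return hashlib.sha256(str(z).encode() + b"|" + transcript).digest()


def run(a1, a2, b_session1, b_session2):
    """Two client sessions (exponents a1, a2) against a server that uses
    b_session1 in the first and b_session2 in the second.  Returns whether
    the raw shared values are linked, plus the two derived session keys."""
    z1 = raw_shared(a1, public_share(b_session1))
    z2 = raw_shared(a2, public_share(b_session2))
    k1 = session_key(z1, b"session1|" + str(public_share(a1)).encode())
    k2 = session_key(z2, b"session2|" + str(public_share(a2)).encode())
    return sessions_linked(z1, a1, z2, a2), k1, k2


if __name__ == "__main__":
    print("reused b, raw values linked:", run(3, 5, 7, 7)[0])   # True
    print("fresh b, raw values linked: ", run(3, 5, 7, 9)[0])   # False
```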