Re: [Cfrg] Mishandling twist attacks

"D. J. Bernstein" <djb@cr.yp.to> Sat, 29 November 2014 21:38 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F31FA1A01BA for <cfrg@ietfa.amsl.com>; Sat, 29 Nov 2014 13:38:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.095
X-Spam-Level: **
X-Spam-Status: No, score=2.095 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sr2sAW3RtyG2 for <cfrg@ietfa.amsl.com>; Sat, 29 Nov 2014 13:38:25 -0800 (PST)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id 6B1EB1A0158 for <cfrg@irtf.org>; Sat, 29 Nov 2014 13:38:25 -0800 (PST)
Received: (qmail 8944 invoked by uid 1017); 29 Nov 2014 21:38:44 -0000
Received: from unknown (unknown) by unknown with QMTP; 29 Nov 2014 21:38:44 -0000
Received: (qmail 24606 invoked by uid 1001); 29 Nov 2014 21:38:15 -0000
Date: 29 Nov 2014 21:38:15 -0000
Message-ID: <20141129213815.24605.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CACsn0cm4OBZX9RqV0nuT7547h+4e2_X3qgButJ+sdZDvG+65Ww@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/tIXV0HbdK4AMF3DK1CIxxRwiGSc
Subject: Re: [Cfrg] Mishandling twist attacks
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Nov 2014 21:38:28 -0000

Watson Ladd writes:
> What exactly is wrong with telling everyone to multiply by 8, not 4,
> even if the cofactor is 4?

Who is "everyone"? What's the strategy for not merely "telling" them 8,
but also making sure that they don't follow the many existing standards
that tell them 4? Why will this strategy be more effective than, e.g.,
MQV "telling everyone" to validate public keys---exactly the step that
was skipped in HMQV, leading to the original Menezes break of HMQV?

I'm not saying that educating protocol designers is hopeless. Sometimes
it works, and sometimes it's the only hope for security. But there are
many problems that we can solve much more easily and much more robustly
by making better choices of cryptographic primitives.

---Dan