Re: [Cfrg] Mishandling twist attacks
"D. J. Bernstein" <djb@cr.yp.to> Sat, 29 November 2014 21:38 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F31FA1A01BA for <cfrg@ietfa.amsl.com>; Sat, 29 Nov 2014 13:38:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.095
X-Spam-Level: **
X-Spam-Status: No, score=2.095 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sr2sAW3RtyG2 for <cfrg@ietfa.amsl.com>; Sat, 29 Nov 2014 13:38:25 -0800 (PST)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id 6B1EB1A0158 for <cfrg@irtf.org>; Sat, 29 Nov 2014 13:38:25 -0800 (PST)
Received: (qmail 8944 invoked by uid 1017); 29 Nov 2014 21:38:44 -0000
Received: from unknown (unknown) by unknown with QMTP; 29 Nov 2014 21:38:44 -0000
Received: (qmail 24606 invoked by uid 1001); 29 Nov 2014 21:38:15 -0000
Date: Sat, 29 Nov 2014 21:38:15 -0000
Message-ID: <20141129213815.24605.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CACsn0cm4OBZX9RqV0nuT7547h+4e2_X3qgButJ+sdZDvG+65Ww@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/tIXV0HbdK4AMF3DK1CIxxRwiGSc
Subject: Re: [Cfrg] Mishandling twist attacks
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Nov 2014 21:38:28 -0000
Watson Ladd writes: > What exactly is wrong with telling everyone to multiply by 8, not 4, > even if the cofactor is 4? Who is "everyone"? What's the strategy for not merely "telling" them 8, but also making sure that they don't follow the many existing standards that tell them 4? Why will this strategy be more effective than, e.g., MQV "telling everyone" to validate public keys---exactly the step that was skipped in HMQV, leading to the original Menezes break of HMQV? I'm not saying that educating protocol designers is hopeless. Sometimes it works, and sometimes it's the only hope for security. But there are many problems that we can solve much more easily and much more robustly by making better choices of cryptographic primitives. ---Dan
- Re: [Cfrg] Mishandling twist attacks Watson Ladd
- [Cfrg] Mishandling twist attacks D. J. Bernstein
- Re: [Cfrg] Mishandling twist attacks Michael Hamburg
- Re: [Cfrg] Mishandling twist attacks Alyssa Rowan
- Re: [Cfrg] Mishandling twist attacks Samuel Neves
- Re: [Cfrg] Mishandling twist attacks David Leon Gil
- Re: [Cfrg] Mishandling twist attacks D. J. Bernstein
- Re: [Cfrg] Mishandling twist attacks Ilari Liusvaara
- Re: [Cfrg] Mishandling twist attacks Lochter, Manfred
- Re: [Cfrg] Mishandling twist attacks D. J. Bernstein
- Re: [Cfrg] Mishandling twist attacks Lochter, Manfred
- Re: [Cfrg] Mishandling twist attacks Watson Ladd
- Re: [Cfrg] Mishandling twist attacks Lochter, Manfred
- Re: [Cfrg] Mishandling twist attacks Watson Ladd