Re: [Cfrg] Security proofs v DH backdoors

Tony Arcieri <bascule@gmail.com> Sun, 30 October 2016 21:20 UTC

Return-Path: <bascule@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E6E112940A for <cfrg@ietfa.amsl.com>; Sun, 30 Oct 2016 14:20:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJ3rhmICe7AW for <cfrg@ietfa.amsl.com>; Sun, 30 Oct 2016 14:20:49 -0700 (PDT)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F42C129480 for <cfrg@irtf.org>; Sun, 30 Oct 2016 14:20:49 -0700 (PDT)
Received: by mail-ua0-x22d.google.com with SMTP id 12so91519812uas.2 for <cfrg@irtf.org>; Sun, 30 Oct 2016 14:20:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rRvcT5NbrD3tVHFwYvkXTNJLaYwzS2puliJGNmWscKs=; b=o2fxv0KdtKrqUmzNiOGUClRbcm6jF2hbAMxINlv3e1iRYuDbJjG9AWCxuVqnHQ5MrV ha177hVJOMr+qbNgHIbsOnHIYMM+RTI4eS89vmm8YQsKcUf0D9BT1dyyWuHaThUhjtek ASaes5s2ijQCSt4Ceqx0fQJLqAISowa8Zz12mA6eFk7HGzds638trVyq+yYGif3urkK6 lNaZYTFfO8M4XBot8pY3/lyczJp3j7FvfOsp17JQgSM2mTeHJY09UauaqRsWcZvguzCY fxKoJQygEQ02cyFB7RfdwLjqRc6OtI7DEZTI0KiGJhYbA63mjIjQ2fEyGPvMakjhcNRS On3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rRvcT5NbrD3tVHFwYvkXTNJLaYwzS2puliJGNmWscKs=; b=Q83bygy7C4zql4suvt/VbfyBs1tmgvj0ISnzo9goAqs6Wv4OsAtPOoIQTGURBRzkyA N73M+O3jAUB4jncAEoLvqcBsHZRJTKX/Yzg/befmY1FPqjuDVe15ztzRjiEHdrsDnl0J lFl5hnl9gkZzx/HY0Wq7joI82sISTRljk2zNsQ0O7Wj3+H46whrUAmj+GVf4p/xzrpt7 LU2fcZjktKgzYnMMiSm2P+xzjQxPZJ7Shjs0dssVostSbV+8N0mmf1264jTHfD0xg7Vt qycu5QGZIVcHsy8id/3LVMxO2FrvFx1HE/7RpMyPpQ8Mcg+Bc/zgdy4fCm4fx9FsSvhL aqTw==
X-Gm-Message-State: ABUngvctDNankaEEPaXiRBGSexgZQ2bOdWK4s6FqKspwLtDDjhI6PqV3G6/HNo7Zqqt+jiAACsRnsxdEpAXguA==
X-Received: by 10.159.55.200 with SMTP id q66mr21181138uaq.107.1477862448306; Sun, 30 Oct 2016 14:20:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.141.6 with HTTP; Sun, 30 Oct 2016 14:20:27 -0700 (PDT)
In-Reply-To: <1477647359860.49982@cs.auckland.ac.nz>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz> <44595.1477524032@eng-mail01.juniper.net> <20161027103214.5709905.11728.6650@blackberry.com> <20161027125120.4d260334@pc1> <1477647359860.49982@cs.auckland.ac.nz>
From: Tony Arcieri <bascule@gmail.com>
Date: Sun, 30 Oct 2016 14:20:27 -0700
Message-ID: <CAHOTMVJprJ0HAXLcvdzeSW8N99L-_43Gh7vEqL4Z=T541TVnSQ@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: multipart/alternative; boundary=94eb2c04c8ce4224ed05401baa75
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tnYXihM_RWaeolecbEPzzVKLAIY>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2016 21:20:52 -0000

On Fri, Oct 28, 2016 at 2:36 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> Hanno Böck <hanno@hboeck.de> writes:
>
> >This line of debate and all the recently released papers show one very
> >concerning thing: We haven't learned how to use Diffie Hellman properly
>
> Well, we have, what it really shows is that there are still implementations
> around that use it badly.  As there are for almost everything.


FFDH has a massive legacy of insecure deployments. I do not think you can
say the same of ECDH. Granted there are implementations which e.g. fail to
check if points are on the curve (a problem X25519 remedies by design), but
I don't think ECDH in general has issues which are nearly as widespread or
pervasive as they are with FFDH.

-- 
Tony Arcieri