Re: [MLS] small subgroup validation

Nadim Kobeissi <nadim@symbolic.software> Wed, 28 February 2018 15:16 UTC

From: Nadim Kobeissi <nadim@symbolic.software>
Date: Wed, 28 Feb 2018 16:16:38 +0100
Cc: Eric Rescorla <ekr@rtfm.com>, mls@ietf.org
To: Katriel Cohn-Gordon <me@katriel.co.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/bLFWw_cMLqrhf8R74zkBb_3lvZU>
Subject: Re: [MLS] small subgroup validation

Perhaps we could restrict curve-based primitives to those that do not require expensive validation?

Nadim Kobeissi
Symbolic Software • https://symbolic.software
Sent from office

> On Feb 27, 2018, at 3:05 PM, Katriel Cohn-Gordon <me@katriel.co.uk> wrote:
> 
> I'm not an expert on small subgroup attacks in ECC so wanted to make sure we had thought it through fully, particularly where we reason about what invalid points an adversary can send, and where we state our assumptions on primitives.
> 
> That is to say, the current text may well be enough, I just wanted to flag it up :)
> 
> Katriel
> 
> 
> On Tue, 27 Feb 2018, at 1:53 PM, Eric Rescorla wrote:
>> The current drafts do require some validation, borrowed from Matt Green's contributed text to TLS 1.3.
>> 
>> https://tools.ietf.org/html/draft-barnes-mls-protocol-00#section-6.1.1
>> https://tools.ietf.org/html/draft-barnes-mls-protocol-00#section-6.1.2
>> 
>> I haven't gone through this in detail in a while. Perhaps it's insufficient? Or were you just making the general point that we should state it for new curves?
>> 
>> -Ekr
>> 
>> 
>> On Tue, Feb 27, 2018 at 1:53 AM, Katriel Cohn-Gordon <me@katriel.co.uk> wrote:
>> Hi all,
>> 
>> We should probably consider small subgroup attacks more carefully in the threat analysis and the draft documents.
>> 
>> Specifically, computational proofs often implicitly assume point validation, which is particularly important in the case that a malicious group member sends an invalid copath element. I think the draft should state that point validation is required on all received group elements (unless using a group that doesn't require it); if I understand correctly this will cost roughly an additional exponentiation for each check, so O(log(n)) for a new and untrusted copath.
>> 
>> [This was pointed out by Dennis Jackson.]
>> 
>> best,
>> Katriel
>> 
>> _______________________________________________
>> MLS mailing list
>> MLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/mls