Re: [MLS] small subgroup validation

"Katriel Cohn-Gordon" <me@katriel.co.uk> Tue, 27 February 2018 14:05 UTC

From: "Katriel Cohn-Gordon" <me@katriel.co.uk>
To: Eric Rescorla <ekr@rtfm.com>
Cc: mls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/nPegJ2jLTGIKu_VZBEJnf4Y96Fk>

I'm not an expert on small subgroup attacks in ECC so wanted to make
sure we had thought it through fully, particularly where we reason about
what invalid points an adversary can send, and where we state our
assumptions on primitives.

That is to say, the current text may well be enough, I just wanted to
flag it up :)

Katriel


On Tue, 27 Feb 2018, at 1:53 PM, Eric Rescorla wrote:
> The current drafts do require some validation, borrowed from Matt
> Green's contributed text to TLS 1.3.
> 
> https://tools.ietf.org/html/draft-barnes-mls-protocol-00#section-6.1.1
> https://tools.ietf.org/html/draft-barnes-mls-protocol-00#section-6.1.2
> 
> I haven't gone through this in detail in a while. Perhaps it's
> insufficient? Or were you just making the general point that we should
> state it for new curves?
> 
> -Ekr
> 
> 
> On Tue, Feb 27, 2018 at 1:53 AM, Katriel Cohn-Gordon
> <me@katriel.co.uk> wrote:
>> Hi all,
>> 
>>  We should probably consider small subgroup attacks more carefully in
>>  the threat analysis and the draft documents.
>> 
>>  Specifically, computational proofs often implicitly assume point
>>  validation, which is particularly important in the case that a
>>  malicious group member sends an invalid copath element. I think the
>>  draft should state that point validation is required on all received
>>  group elements (unless using a group that doesn't require it); if I
>>  understand correctly this will cost roughly an additional
>>  exponentiation for each check, so O(log(n)) for a new and untrusted
>>  copath.
>> 
>>  [This was pointed out by Dennis Jackson.]
>> 
>>  best,
>>  Katriel
>> 
> _________________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls