Re: [Privacy-pass] Fwd: [messaging] Issues in Schnorr DLEQ proofs

Alex Davidson <adavidson@cloudflare.com> Wed, 08 January 2020 22:31 UTC

From: Alex Davidson <adavidson@cloudflare.com>
Message-Id: <C45BB57F-43DD-43CF-BE13-E5F174D563C7@cloudflare.com>
Date: Wed, 08 Jan 2020 17:31:21 -0500
In-Reply-To: <CAFDDyk-gc4rRsPWovcK_0T2Rwi2pm_dT-=pRQMYsPEMxsFNUkw@mail.gmail.com>
Cc: privacy-pass@ietf.org
To: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
References: <55FBEEE3-2DCD-4E4C-BCDB-3C146D5B478E@gnunet.org> <CAFDDyk-gc4rRsPWovcK_0T2Rwi2pm_dT-=pRQMYsPEMxsFNUkw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/U6lZLYbS9Ni5C-e9BNR32-oUVCw>
Subject: Re: [Privacy-pass] Fwd: [messaging] Issues in Schnorr DLEQ proofs

Had a quick look, I think this is something that needs to be better handled in
draft-irtf-cfrg-voprf. The draft currently only assumes a prime-order group so
we don’t really have access to the cofactor. However, we should make it clear
exactly what we expect of the group that is being used in this draft (including
how cofactors are accounted for).

I'll create an issue at https://github.com/cfrg/draft-irtf-cfrg-voprf/ to track
this. FWIW, the Cloudflare implementation uses P-256 (which is a prime-order
curve), so the attack does not apply.

Alex

> On 8 Jan 2020, at 16:40, Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org> wrote:
> 
> Hello folks!
> 
> Cross-posting this from another mailing list since it seems to be of interest.
> 
> Nick
> 
> ---------- Forwarded message ---------
> From: Jeff Burdges <burdges@gnunet.org>
> Date: Wed, Jan 8, 2020 at 2:51 PM
> Subject: [messaging] Issues in Schnorr DLEQ proofs
> To: <messaging@moderncrypto.org>
> 
> 
> 
> I’ve started some approachable notes on issues in current specs for Schnorr DLEQ proof protocols at https://github.com/w3f/ring-vrf/blob/master/papers/vrf_issues.tex
> 
> I have not yet checked if implementations of either V(X)Ed2551 or Privacy Pass correct the cofactor spec bugs.  I have not yet added all the references for the protocols being commented on, or ported over all the references for the non-cofactor concerns from https://github.com/w3f/schnorrkel/blob/master/src/vrf.rs either.
> 
> Jeff
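Added example, not code from this thread, the VOPRF draft or Cloudflare's implementation: a Chaum-Pedersen DLEQ proof of the kind Privacy Pass uses for key consistency, run over a constructed toy group (Z_p^* with p = 8q + 1, so the group order carries a cofactor of 8 as Ed25519 does) whose verifier rejects any element outside the prime-order subgroup. On a prime-order curve such as P-256 the same check is vacuous, which is the reason the thread gives for the attack not applying there.

```python
import hashlib
import secrets

# Constructed toy group (not Privacy Pass / VOPRF parameters): Z_p^* with
# p = h*q + 1, so its order h*q has a cofactor h, as Ed25519 (h = 8) does.
def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
def make_group(h, q_min=1 << 20):
    q = q_min                     # smallest prime q >= q_min with h*q + 1 prime
    while not (is_prime(q) and is_prime(h * q + 1)):
        q += 1
    return h * q + 1, q
H = 8
p, q = make_group(H)
g = pow(2, H, p)                  # cofactor-cleared base: order exactly q

def in_prime_order_subgroup(P):
    # Required when h > 1; on a prime-order group like P-256 it is vacuous.
    return 1 < P < p and pow(P, q, p) == 1

def challenge(*elems):
    # Fiat-Shamir challenge: SHA-256 over fixed-width encodings, reduced mod q.
    data = b"".join(e.to_bytes(4, "big") for e in elems)   # p < 2**24
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def dleq_prove(k, M):
    # Chaum-Pedersen proof that log_g(X) == log_M(Y) for X = g^k, Y = M^k.
    X, Y = pow(g, k, p), pow(M, k, p)
    r = secrets.randbelow(q - 1) + 1
    A, B = pow(g, r, p), pow(M, r, p)
    c = challenge(g, X, M, Y, A, B)
    return X, Y, (c, (r - c * k) % q)

def dleq_verify(X, M, Y, proof):
    c, s = proof
    if not all(in_prime_order_subgroup(P) for P in (X, M, Y)):
        return False              # reject anything outside the order-q subgroup
    A = pow(g, s, p) * pow(X, c, p) % p
    B = pow(M, s, p) * pow(Y, c, p) % p
    return challenge(g, X, M, Y, A, B) == c

def demo():
    k = secrets.randbelow(q - 1) + 1             # issuer's secret key
    M = pow(g, secrets.randbelow(q - 1) + 1, p)  # honest element of the q-subgroup
    X, Y, proof = dleq_prove(k, M)
    M_bad = M * (p - 1) % p      # p-1 has order 2 | h, so M_bad leaves the subgroup
    X2, Y2, proof2 = dleq_prove(k, M_bad)
    return (dleq_verify(X, M, Y, proof),          # True
            dleq_verify(X, M, Y * g % p, proof),  # False: tampered Y
            dleq_verify(X2, M_bad, Y2, proof2))   # False: outside the subgroup
```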