Re: [TLS] Twist security for brainpoolp256r1

Manuel Pégourié-Gonnard <mpg@polarssl.org> Tue, 11 November 2014 21:55 UTC

To: Oleg Gryb <oleg@gryb.info>, Johannes Merkle <johannes.merkle@secunet.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Oc7JjlPASaHtqJkF-b8vo3CD0Z8

On 11/11/2014 21:11, Oleg Gryb wrote:
> Thanks for explaining all that, but I just want to clarify it a bit further.
> 
> What 2^44 means for the brainpoolP256t1 in DJB table?
> 
It's the cost of an attack for an attacker who can force you to accept a point
that is not on the curve but on its non-quadratic twist.

In the context of TLS (with the currently available curves and point formats)
what safecurves calls "twist security" is totally irrelevant: either the
implementation validates that points are on the curve, or you're vulnerable to
an invalid curve attack which is much more powerful than a twist attack.

Any decent implementation (which includes OpenSSL and some others) of ECC with
TLS will check that points belong on the intended curve.

> The last question that I have is related to brainpool curves implementations in openssl.

This question is more suited to the OpenSSL list, as it is specific to this
implementation. This list is about the protocol.

Manuel.
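
The on-curve check the message refers to, as an added example that is not part of the original message or of any TLS library: it validates an uncompressed point against brainpoolP256r1 and shows that a constructed twist point and a constructed point on a different curve both fail the same test. The constants are the brainpoolP256r1 domain parameters from RFC 5639; all function names are illustrative.

```python
# Added example, not from the original message. Constants: brainpoolP256r1
# domain parameters (RFC 5639, section 3.4). Sample points are constructed.
P = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
GX = 0x8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262
GY = 0x547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997

def rhs(x):
    """x^3 + A*x + B mod P, the right-hand side of the curve equation."""
    return (pow(x, 3, P) + A * x + B) % P

def encode_point(x, y):
    """Uncompressed point encoding: 0x04 || X || Y, 32 bytes each."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def validate_peer_point(data):
    """Return (x, y) if `data` is a valid uncompressed point, else raise."""
    if len(data) != 65 or data[0] != 0x04:
        raise ValueError("not an uncompressed 256-bit point")
    x = int.from_bytes(data[1:33], "big")
    y = int.from_bytes(data[33:], "big")
    if x >= P or y >= P:
        raise ValueError("coordinate not reduced mod p")
    if (y * y - rhs(x)) % P != 0:
        raise ValueError("point is not on brainpoolP256r1")
    return x, y  # cofactor is 1, so on-curve implies in the prime-order group

def classify(x, y):
    """Say which curve a constructed point lies on (illustration only)."""
    if (y * y - rhs(x)) % P == 0:
        return "curve"
    if (-y * y - rhs(x)) % P == 0:  # -1 is a non-square since P % 4 == 3
        return "twist"
    return "other"  # lies on y^2 = x^3 + A*x + B' for some B' != B

def twist_point():
    """Construct a point on the quadratic twist -y^2 = x^3 + A*x + B."""
    x = 1
    while pow(rhs(x), (P - 1) // 2, P) != P - 1:  # Euler: want a non-square
        x += 1
    return x, pow(-rhs(x) % P, (P + 1) // 4, P)  # sqrt valid as P % 4 == 3

def rejected(x, y):
    """True if the validator refuses the encoded point (x, y)."""
    try:
        validate_peer_point(encode_point(x, y))
        return False
    except ValueError:
        return True
```

The twist point and the off-curve point (1, 1) are refused by the same equation check, which is why a validating implementation does not depend on the twist's group order.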