Re: [TLS] Curve25519 and TLS

Viktor Dukhovni <viktor1dane@dukhovni.org> Sat, 14 June 2014 07:39 UTC

Date: Sat, 14 Jun 2014 07:39:25 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140614073925.GY8358@mournblade.imrryr.org>
References: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CACsn0cnm3wp6iN57fHAiY+=n=nSxOxvrZOj65bzXYTDy=Xyvkg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/WXZIkBYhJIkPJ4O9EExnOZgiRwQ
Subject: Re: [TLS] Curve25519 and TLS
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On Fri, Jun 13, 2014 at 06:30:46PM -0300, Watson Ladd wrote:

> TLS with ECC computes the premaster secret as H(abg) where g is the
> generator of the group, and a and b are the ephemeral exponents.
> Because of protocol weaknesses, this premaster secret must be
> "contributory": neither side can be allowed to dictate it.
> 
> Curve25519 has order 8*q, where q is some prime. All encoded public
> keys lie on this or a twist with order 4*q'. (I might be wrong in the
> details, but it's right enough). In particular there is a point of
> order 2.

As far as I can tell, this is not the case with Diffie-Hellman over
Curve25519, because the base-point (namely 9) has order 8, and
the cyclic sub-group it generates has prime order.  All private
keys are multiples of 8, so an attacker M who chooses a low-order
element must send a public key m of order 1, 2, 4 or 8, which, since
Alice's private exponent is a multiple of 8, means that g^{am} is
the identity.

See the "Small-subgroup attacks" section of DJB's paper.  Since
key agreement with Curve25519 is presumably Diffie-Hellman with
(9) as the base point and the recommended constraints on private
exponents, there should be no problem.

> A malicious server can provide a point of order 2, and with 50%
> probability get a dictated premaster secret.

Not useful when Alice's (or Bob's, depending on whom Mallory is
trying to fool) private exponent is a multiple of 8; the only check
required is that the final shared secret is not the identity (IIRC
the point at infinity is represented by "0" in Curve25519, so the
check is then just to make sure that the DH shared secret is not
32 zero octets).

Corrections/elaboration from folks more familiar with 25519 welcome.

-- 
	Viktor.
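
Added example (not part of Viktor's message or of the thread): a pure-Python
X25519 written from the ladder in RFC 7748 section 5, used to exercise the
point made above. Clamping clears the low three bits of the private scalar,
so the scalar is a multiple of 8; feeding such a scalar a peer "public key"
of order 2 or 4 (u = 0, u = 1 and u = p-1, constructed here as the malicious
inputs) yields the identity, which X25519 encodes as 32 zero octets, so the
receiver's only check is that the shared secret is not all zeros, which is
the check RFC 7748 section 6.1 recommends. The key pairs are RFC 7748's own
section 6.1 test vectors; the function names (clamp, x25519, shared_secret)
are this example's, not any library's, and the conditional swap is not
constant-time, so the code is for illustration only.

```python
# Added example, not from the original thread: X25519 per RFC 7748 section 5,
# used to show that a clamped (multiple-of-8) private scalar turns any
# low-order peer input into the identity, encoded as 32 zero octets.
# Educational code only: the ladder's conditional swap is not constant-time.

P = 2**255 - 19
A24 = 121665                      # (486662 - 2) / 4, used in the ladder step
BASE_POINT = (9).to_bytes(32, "little")


def clamp(scalar_bytes: bytes) -> int:
    """decodeScalar25519 from RFC 7748: clear the low 3 bits (so k is a
    multiple of 8), clear bit 255, set bit 254."""
    k = bytearray(scalar_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u_bytes: bytes) -> int:
    """decodeUCoordinate: little-endian, top bit masked, reduced mod p."""
    u = bytearray(u_bytes)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(scalar_bytes: bytes, u_bytes: bytes) -> bytes:
    """Montgomery ladder as laid out in RFC 7748 section 5."""
    k = clamp(scalar_bytes)
    x_1 = decode_u(u_bytes)
    x_2, z_2 = 1, 0               # projective identity (z == 0)
    x_3, z_3 = x_1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:                  # cswap (not constant-time here)
            x_2, x_3 = x_3, x_2
            z_2, z_3 = z_3, z_2
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = pow((da + cb) % P, 2, P)
        z_3 = x_1 * pow((da - cb) % P, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x_2, x_3 = x_3, x_2
        z_2, z_3 = z_3, z_2
    # The identity has z_2 == 0, and pow(0, P - 2, P) == 0, so the affine
    # u-coordinate comes out as 0: exactly the "32 zero octets" case.
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def shared_secret(my_private: bytes, peer_public: bytes):
    """The single check discussed above: reject an all-zero DH output,
    which means the peer forced the shared point to the identity."""
    s = x25519(my_private, peer_public)
    return None if s == bytes(32) else s


# Constructed malicious "public keys": u = 0 is the point of order 2, and
# u = 1 and u = p-1 have order 4 (one on the curve, one on its twist), since
# the Montgomery doubling formula sends u = +-1 to u = 0.
LOW_ORDER_INPUTS = [
    (0).to_bytes(32, "little"),
    (1).to_bytes(32, "little"),
    (P - 1).to_bytes(32, "little"),
]

# RFC 7748 section 6.1 test vectors.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def honest_exchange_ok() -> bool:
    """Both sides derive the RFC 7748 shared secret from each other's key."""
    return (x25519(ALICE_PRIV, BASE_POINT) == ALICE_PUB
            and x25519(BOB_PRIV, BASE_POINT) == BOB_PUB
            and shared_secret(ALICE_PRIV, BOB_PUB) == SHARED
            and shared_secret(BOB_PRIV, ALICE_PUB) == SHARED)


def low_order_inputs_rejected() -> bool:
    """Every low-order input gives 32 zero octets, and the check catches it."""
    return all(x25519(ALICE_PRIV, u) == bytes(32)
               and shared_secret(ALICE_PRIV, u) is None
               for u in LOW_ORDER_INPUTS)


if __name__ == "__main__":
    print("clamped scalar is a multiple of 8:", clamp(ALICE_PRIV) % 8 == 0)
    print("honest exchange matches RFC 7748:", honest_exchange_ok())
    print("low-order inputs rejected:", low_order_inputs_rejected())
```

Because the ladder output is the u-coordinate of the shared point, the
receiver never needs to classify the peer's input by order or to test group
membership; the all-zero output is the only signal that matters, and it
covers both the curve and its twist.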