Re: [TLS] Safe ECC usage

Dan Brown <dbrown@certicom.com> Wed, 02 October 2013 18:51 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5252F21F9D3B for <tls@ietfa.amsl.com>; Wed, 2 Oct 2013 11:51:30 -0700 (PDT)
X-Quarantine-ID: <N3-OeLvDvffP>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "MIME-Version"
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N3-OeLvDvffP for <tls@ietfa.amsl.com>; Wed, 2 Oct 2013 11:51:18 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id EB19821F9D44 for <tls@ietf.org>; Wed, 2 Oct 2013 11:47:44 -0700 (PDT)
Content-Type: multipart/mixed; boundary="===============0092626920=="
MIME-Version: 1.0
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs212cnc.rim.net with ESMTP/TLS/AES128-SHA; 02 Oct 2013 14:47:41 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT106CNC.rim.net ([fe80::d824:6c98:60dc:3918%16]) with mapi id 14.03.0123.003; Wed, 2 Oct 2013 14:47:40 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'djb@cr.yp.to'" <djb@cr.yp.to>, "'tls@ietf.org'" <tls@ietf.org>
Thread-Topic: [TLS] Safe ECC usage
Thread-Index: AQHOv4s0xn3XJXmgAkKRAg2ZE6kwf5nhtYbA
Date: Wed, 02 Oct 2013 18:47:39 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5BDE90F@XMB116CNC.rim.net>
References: <523E176F.3050304@gmail.com> <9A043F3CF02CD34C8E74AC1594475C7355674EE0@uxcn10-6.UoA.auckland.ac.nz> <20130926152757.15842.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDB49B@XMB116CNC.rim.net> <20130928223648.1113.qmail@cr.yp.to> <20130929025714.5578895.47771.4422@certicom.com> <20131001143511.11010.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5BDE21E@XMB116CNC.rim.net> <20131002161944.8125.qmail@cr.yp.to>
In-Reply-To: <20131002161944.8125.qmail@cr.yp.to>
Accept-Language: en-CA, en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
MIME-Version: 1.0
Subject: Re: [TLS] Safe ECC usage
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Oct 2013 18:51:30 -0000


> D. J. Bernstein writes
> 
> Dan Brown writes:
> > Brainpool and RFC 5639 recommends pseudo-random parameters to avoid
> > unanticipated attacks, and you are arguing against this
> recommendation
> > by anticipating from known attacks.
> 
> No, and no.
> 
> The Brainpool standard (from which RFC 5639 is derived) says that the
> unexplained NIST seeds leave "an essential part of the security
> analysis open" and that this is a "major issue." I completely agree
> with this.
> 
> There are two reasonable ways to address this problem. One way, which
> Brainpool uses, is to generate curves "in a pseudo-random manner using
> seeds that are generated in a systematic and comprehensive way,"
> subject of course to other requirements. Another way, which I use, is
> to take the smallest possible curves meeting the other requirements.

[DB] Yes. Security requirement 5 says "verifiably pseudo-random ..." and
then refers to Section 5, where it is applied to the field size p.  Earlier
it noted that existing field sizes are all "special".  As you noted, using a
random prime instead of a special one incurs a computational cost.  So, I
think I was reasonable to infer that Brainpool was implying that special
fields were lacking in security.  (The implication against special values
may then be inferred further.)  But now, I notice that the Brainpool
document gives another reason to avoid special fields, so your
interpretation is more reasonable than mine. 

> 
> Both of these approaches are clear improvements over what NIST/NSA did.

[DB] Not disputing that.  All they had to do was reveal how their seeds were
generated.

> As Brainpool puts it, choosing fully explained seeds will "enhance
> trust in the recommended curves." Choosing smallest curves has the same
> effect. There's no contradiction between these statements.
> 
[DB] I am not asking whether anybody trusts which curve.  I am asking for
formal claims of security, even ones that contain an unknown variable.

> There is zero reason to believe that either of these approaches is more
> secure than the other. There is, in particular, zero reason to believe
> that either approach is safer against "unanticipated attacks." You are
> wrong to attribute any such belief to the Brainpool standard; the
> document says no such thing. All available evidence is that both
> approaches are fine; if we've missed an attack then we have no way to
> guess whether the attack is more likely to apply to one curve or to the
> other.

[DB] No.  

This is the essence of what I've been trying to say about Curve25519 being
special.  I will try again.  

Assume we trust the verifiably pseudo-random generation algorithms.  Then we
have a proof that Brainpool are invulnerable to the "missed attack" with
probability equal to the density of the vulnerable curves.  We have no such
proof for special curves such as Curve25519, because we do not know the
nature of the missed attack.

We cannot assume that a missed attack will render a uniformly random set of
vulnerable curves.

You provided valid arguments in favour of Curve25519 if the missed attacks
are similar to known attacks, with which I agree, but that does not go as
far as the Brainpool.

Therefore, in terms of security, Brainpool >~ Curve25519 >> P256, if we
posit missed EC attacks and trust hash functions, else Brainpool ==
Curve25519 == P256 if not.  (I'm using >~ for slightly better, and >> for
considerably better.)

> 
> My reason for not taking the Brainpool approach is that it has a rather
> heavy cost. We have enough problems deploying secure crypto without
> incurring unnecessary costs; if we can afford extra costs then I'd
> rather put those into taking steps that actually matter for security,
> such as adding defenses against quantum computers. So I prefer the
> second approach. Conversely, Brainpool does not discuss the second
> approach, and does not state any reason to avoid the approach.
> 

[DB] Agreed, to this end, I just want to quantify the security gains, so the
cost-benefit analysis can be better formalized.
---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.