Re: [STDS-802-11-TGAI] TDS-802-11-TGAI] A suggestion to clean up the list of IANA groups that 802.11ai should consider -- i.e., ditch roughly 40% of those as inadequate

[Rene Struik <rstruik.ext@xxxxxxxxx>]

[probably my last email on this topic for a while (this may be 
considered as esoteric topic by most of TGai)]

Hi Tero:

Thanks for your note. While I do appreciate your argument that others 
may use Sophie-Germaine groups with "truncated exponents", this by 
itself does not necessarily mean 802.11ai should do the same. My note 
was one of reflection on whether we really want to go this route, esp. 
in the light of good alternatives that do have less caveats.

As suggested in my email of Wed March 20th, the "truncated exponent" DH 
agreement yields a key K:=g^d, where d=x*y, i.e., d is the product of 
two t-bit integers x and y. In my email, I suggested that this makes the 
derived DH key highly biased, since if d is a prime in the interval 
{2t-bit}\{t-bit}, it does never occur. While this does not seem that 
disastrous (e.g., the probability that a 512-bit number d is prime is 
only roughly 0.25%, so that the bias seems limited), in fact, this bias 
is more wide-spread: one can show that roughly 30% of all 2t-bit 
integers d cannot arise via the "truncated exponent DH problem" (see 
Handbook of Applied Cryptography, Fact 3.1). As I already wrote in my 
Wed email, whether this can be directly exploited, remains to be seen. 
Nevertheless, whether or not I see an immediate attack was not the point 
of my note: my perception that this "truncated exponent" DH agreement 
problem has not been carefully studied is (glad to see papers that prove 
me wrong here). Hence, my suggestion that this requires more reflection.

The question is not whether one should do what some others may seem to 
see no problem in doing: it is one of prudence and safety margins.

Your quoted internet draft would actually be an example of where IETF 
now feels the need to "beef up" on the "prudence" factor, where they 
previously saw no need (just speculating here, of course: I do not know 
the entire history).

I would prefer 802.11 to take this prudence as a strict guideline, thus 
increasing the odds that one does allow "security freedoms" now that one 
may come to regret in the future. Especially, since there are so many 
good alternatives for discrete log group cryptography available that are 
well-studied and still allow for okay performance, even when being 
strict/conservative on the "prudence" front.

If one were to favor crypto based on ordinary discrete log groups with 
"beefed up" performance, but without "short-cuts", one place to look 
would be XTR groups, rather than "DH groups with truncated exponents" 
(see CRYPTO 2001 paper or, e.g., http://en.wikipedia.org/wiki/XTR).

Best regards,

Rene

[excerpt of my email as of Fri March 22, 2013, 10:12am EDT]

If you know crypto papers that have studied the highly unusual 
"truncated exponent DH problem" that seems to underlie Sophie-Germane 
groups of IANA, I would appreciate. I have never seen this studied in 
the technical literature, so would be happy to be educated.

If you know about any papers that delve into side channel attacks and 
use of base point 2, I would appreciate as well.

[excerpt of my email as of Wed March 20, 2013, 5:52pm EDT]
1) Security (a).
Indeed, one could use small-size t-bit exponents in a subgroup G of size 
q of Zp, where p=1+2*q. However, it may lead to quite biased 
distributions that would not have been there if the private exponents 
would have been random integers in the range [1,q-1], as is nowadays 
(2013) "the norm". As an example, with a 3072-bit discrete log group Zp 
and 256-bit exponents, the key K:=g^d has as pre-image all 256-bit 
integers x and y for which x*y=d. Hence, the number of preimages depends 
on the factorization of d (e.g., if d is a prime number in the range 
{512-bit}\{256-bit}, this set would be empty; if d is a 128-bit prime, 
it has two pre-images {(1,d), (d,1)}, etc.). With drawing private keys 
from the entire set [1,q-1], one gets a flat distribution of the integer 
d in the range [1,q-1]. Whether this is really exploitable is another 
question of course. However, this seems to be a red flag to me and might 
suggest that perhaps this 2003 RFC might be somewhat dated? Are there 
any papers that have studied the non-standard DLP problem that seems to 
be underlying the suitability of the groups suggested in this RFC 
document? (I know those with random exponents from [1,q-1], but none 
where one simply truncates and "hopes for the best".)

On 3/25/2013 8:49 AM, Tero Kivinen wrote:
> Rene Struik writes:
> > Dear Tero:
> >
> > Thanks for your response regarding the expression of my concern re
> > a) security of Sophie-Germain groups;
> > b) security aspects of using "2" as a generator;
> > c) computational complexity.
> >
> > While I do appreciate your informal assessments, I am not sure whether
> > those would have sufficient merit to sway 802.11ai into using those groups.
> No. I would not agree on that. Those groups are used in almost all
> security protocols standardized in the IETF. If there is any problems
> with the group that is much bigger issue than just this issue with
> 802.11ai...
>
> > Wouldn't you agree that avoiding those groups altogether, at least for
> > 802.11, would make for less navigation of potentially very choppy waters?
> Lets put it this way, that I trust those groups more than the MODP
> groups defined in the RFC5114 (which is the other option), as for
> those there is at least the primality proofs available, and they are
> also generated using known method. If I remember right the other modp
> groups were generated by NIST, and they said they did use the method
> specified in their documents, but I think they didn't store the
> initial values used for generating those groups, so nobody can really
> verify they were correctly generated.
>
> >   From your note I get the impression that it is fine to use
> > Sophie-Germain groups since
> > a) while cutting corners in truncating ephemeral private keys
> > (presumably to make performance acceptable) may create strong biases,
> > these might be compensated for by
> > opening a vast arsenal of tricks;
> Regardless what kind of groups you use, it is not safe to truncate the
> output of Diffie-Hellman. You need to use proper key derivation
> function to extract the keys out from the secret. I.e. you cannot "cut
> corners" there, you need to use proper KDF.
>
> > b) while tricks may seriously impact performance (and may land us into
> > "nontechnical" minefields), there are ways to cut corners here as well,
> > seemingly without impact;
> I do not understand what you are meaning here.
>
> > c) while performance may be quite poor, one could do computations
> > offline and reuse ephemerals to fair somewhat better. And, there is
> > always hardware...
> I do not think there is that big difference in the computation cost
> between the group 14 and group 23 or 24, except that with groups 23
> and 24 you need to check against the small subgroup attack, which
> means you do not gain anything for reusing them private key values for
> those groups 21-24, as you need to do computation that is about as
> expensive as generating new private key.
>
> See section 2.2 of
> http://datatracker.ietf.org/doc/draft-ietf-ipsecme-dh-checks/ for more
> information.
>
> > Let us assume that one accepts those arguments on face value. Wouldn't
> > there then still be an issue using Sophie-Germain groups with 802.11ai
> > in the "non-TTP case"? After all, there one needs DSS signature, where
> > if one were to use the Sophie-Germain arsenal of tricks, one would
> > essentially use private keys where roughly 80-90% of the private key
> > bits are known? Again, the literature is full of examples where knowing
> > just 1-2% (e.g., 3-4 out of 256 bits) has disastrous ripple effect.
> I have not checked what is specified in the 802.11ai, but usually
> those groups are only used in the Diffie-Hellman key agreement, not in
> the DSS signature. I do not think any of the IETF standards uses any
> of the groups defined in the IKE or IKEv2 group registries in the DSS
> signatures, so if you need groups that are suitable for that, I have
> no idea if any of them are suitable for that.
>
> Normally the DSS signature private keys needs to be generated
> specifically and the parameters (which include the group) must be
> generated using the rules set by the NIST in their publication. If you
> do not follow those rules when generating those parameters, it is not
> really DSS, which means for that you cannot use those IKE groups.
>
> Even then the groups 21-23 claims to be generated using the NIST
> rules, there is no way to verify that, so I am not sure whether those
> are enough.
>
> On the other hand there is no reason why the Diffie-Hellman group
> should be same than the group used for the DSS signature. Is there any
> benefits for that? I do not think there is any computational benefits
> from that, as you still need to do anonymous Diffie-Hellman
> calculation and the signature generation / verification both, even if
> you use the same groups.
>
> > Rather than trying and finding strong technical evidence that supports
> > informal "gut-feel" (no better how appealing this sounds), wouldn't it
> > be much better to just avoid going that route altogether (at least for
> > 802.11 purposes) and simply use Diffie-Hellman groups for which safe use
> > seems to involve less "navigation of treacherous waters".
> There is nothiong wrong using those groups in the uses they are meant
> for, i.e. for Diffie-Hellman. Using them for any other purposes might
> or might not be safe.
>
> I just only now understood that you really want to use those same
> groups as DSS FFC Domain parameters, i.e. trying to use them in uses
> which they are not meant to be used (none of IKE groups are meant to
> be used for that purpose). I.e. even when the groups 21-23 are
> believed to be generated using the algorithms in the appedix A of the
> FIPS PUB 186-3 Digital Signature Standard (DSS), I do not think the
> any of the information needed to verify it is available anywhere, so
> you cannot really verify them.
>
> > Thus, unless one can dig up all the strong technical evidence, it seems
> > that foregoing more or less 40% of the IANA curves, at least for 802.11
> > use, seems the "wiser" approach? The remaining roughly 60% of IANA
> > curves would still work and often much better, with less security
> > headaches, more in line with the directions practice-based crypto is
> > moving in the world, and with quite reasonable and sometimes even
> > (almost) great performance.
> I would say forget 100% of the IANA IKE curves when you are talking
> about the DSS. And for Diffie-Hellman you can use any of the IANA IKE
> curves. The groups are not meant for DSS, thus there is no guarantees
> that any of them are suitable for that use (some of them might be,
> some might not, but as they are not meant to be used for those, nobody
> has verified that fact).
>
> > Would you agree? (at least for 802.11's purposes)?
> Yes, for DSS use 802.11ai needs to generate their own groups that are
> generated to be suitable for DSS use, i.e do not use any of the IANA
> IKE groups for uses other than what they are intended for.


--
email: rstruik.ext@xxxxxxxxx | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

_______________________________________________________________________________

IF YOU WISH to be Removed from this reflector, PLEASE DO NOT send your request to this
CLOSED reflector. We use this valuable tool to communicate on the issues at hand.

SELF SERVICE OPTION:
Point your Browser to - http://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGAI and
then amend your subscription on the form provided.  If you require removal from the reflector
press the LEAVE button.

Further information can be found at: http://www.ieee802.org/11/Email_Subscribe.html
_______________________________________________________________________________