Re: [Cfrg] Security proofs v DH backdoors

Tony Arcieri <bascule@gmail.com> Sun, 30 October 2016 20:10 UTC

In-Reply-To: <1477825903078.89540@cs.auckland.ac.nz>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz> <44595.1477524032@eng-mail01.juniper.net> <20161027103214.5709905.11728.6650@blackberry.com> <20161027125120.4d260334@pc1> <1477647359860.49982@cs.auckland.ac.nz> <20161028114758.6a361db1@pc1> <1477648689042.85039@cs.auckland.ac.nz> <20161028124319.082acf90@pc1> <1477825903078.89540@cs.auckland.ac.nz>
From: Tony Arcieri <bascule@gmail.com>
Date: Sun, 30 Oct 2016 13:10:23 -0700
Message-ID: <CAHOTMV+x5Up4tj4PtuwayX8TakFd0nbRK3YniC-exjhSoNEFvA@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2lFiQ0kxkxhCpnYO1g1VQUYbntU>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Sun, Oct 30, 2016 at 4:11 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

>   A Fault Attack on ECDSA
>   Fault Attacks on Elliptic Curve Cryptosystems
>   A Novel Fault Attack Against ECDSA
>   Synthesis of Fault Attacks on Cryptographic Implementations
>   Fault Attack to the Elliptic Curve Digital Signature Algorithm
>   [...]
>
> Real-world attacks would be, for example, the recovery of the PS3 master
> signing key due to bad RNG use in ECDSA, equivalent to an RNG fault.

Note the common theme here: ECDSA. Using deterministic ECDSA solves the RNG
issue, but opens you up to an additional class of fault attacks.

EdDSA is considerably more resilient to these sorts of attacks than ECDSA:

https://books.google.com/books?id=EC0DDQAAQBAJ&lpg=PA192&ots=UHwHH8LGA4&pg=PA182#v=onepage&q&f=false

-- 
Tony Arcieri
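The three points in this exchange (a repeating nonce from a bad RNG is the failure behind the PS3 key recovery, deterministic nonces remove the RNG dependency, and deterministic signers then need a fault countermeasure) can be made concrete with a toy ECDSA implementation. The following is an added example written for this page, not code from either poster or from any library: the curve is the textbook toy curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of order 19 (constructed for illustration, not secure), the nonce derivation is a simplified HMAC-based stand-in for the RFC 6979 idea rather than the RFC's exact construction, `sign_checked` is the standard sign-then-verify countermeasure against fault attacks on deterministic signatures, and `find_repeated_r` is a defender-side scan that flags signatures on distinct messages sharing an r value, which is the visible fingerprint of a reused nonce. All messages and keys below are constructed sample values.

```python
"""Toy ECDSA used to illustrate: (1) a broken RNG that repeats k leaves a repeated r,
(2) deterministic nonces need no RNG, (3) sign-then-self-verify catches faulted signatures.
Curve parameters are a textbook toy (constructed for illustration only; insecure)."""
import hashlib
import hmac

# Toy curve y^2 = x^3 + A*x + B over F_P with base point G of prime order N.
P, A, B = 17, 2, 2
G = (5, 1)
N = 19
INF = None  # point at infinity


def inv(x, m):
    """Modular inverse (requires Python >= 3.8)."""
    return pow(x, -1, m)


def ec_add(p1, p2):
    """Affine point addition, covering doubling and the inverse-point case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; toy only)."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def h(msg):
    """Hash the message to an integer mod N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def det_nonce(d, msg, counter=0):
    """Derive k from the private key and message with HMAC-SHA256.
    Simplified stand-in for the RFC 6979 idea, not the RFC's exact construction."""
    mac = hmac.new(d.to_bytes(4, "big"), msg + counter.to_bytes(4, "big"),
                   hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1  # k in [1, N-1]


def sign(d, msg):
    """Deterministic ECDSA: the same (key, message) always yields the same k, so no RNG is used."""
    e = h(msg)
    counter = 0
    while True:
        k = det_nonce(d, msg, counter)
        r = ec_mul(k, G)[0] % N
        s = inv(k, N) * (e + r * d) % N
        if r and s:
            return (r, s)
        counter += 1  # retry on the degenerate r == 0 or s == 0 cases


def sign_with_fixed_nonce(d, msg, k):
    """Models a broken RNG that hands the signer the same k every time."""
    e = h(msg)
    r = ec_mul(k, G)[0] % N
    return (r, inv(k, N) * (e + r * d) % N)


def verify(pub, msg, sig):
    """Standard ECDSA verification, including the range check on (r, s)."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    pt = ec_add(ec_mul(h(msg) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


def sign_checked(d, msg):
    """Fault countermeasure: verify the fresh signature before releasing it, so a
    computation fault yields a refusal rather than a key-leaking signature."""
    sig = sign(d, msg)
    if not verify(ec_mul(d, G), msg, sig):
        raise RuntimeError("self-check failed; withholding possibly faulted signature")
    return sig


def find_repeated_r(signatures):
    """Detection: r values shared by signatures on distinct messages under one key.
    A shared r means a shared nonce, which is what exposes the private key."""
    seen = {}
    for msg, (r, _s) in signatures:
        seen.setdefault(r, set()).add(msg)
    return sorted(r for r, msgs in seen.items() if len(msgs) > 1)


if __name__ == "__main__":
    d = 5  # constructed private key
    pub = ec_mul(d, G)
    msg = b"constructed message"
    print("deterministic:", sign(d, msg) == sign(d, msg), verify(pub, msg, sign_checked(d, msg)))
    bad = [(b"msg-1", sign_with_fixed_nonce(d, b"msg-1", 3)),
           (b"msg-2", sign_with_fixed_nonce(d, b"msg-2", 3))]
    print("repeated r under broken RNG:", find_repeated_r(bad))
```

On this toy curve the number of possible r values is tiny, so honest signatures on different messages can collide by chance; on a real curve a repeated r across distinct messages is, for practical purposes, proof of nonce reuse, and `find_repeated_r` is the kind of check a key owner or auditor can run over published signatures. The self-verify in `sign_checked` costs one verification per signature, which is the price of removing the RNG without inheriting the fault-attack exposure the thread describes.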