IETF Logo Mail Archive

Re: [Cfrg] square roots

David Jacobson <dmjacobson@sbcglobal.net> Thu, 04 June 2015 16:14 UTC

Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ED5F1A9008 for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 09:14:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_ABOUTYOU=0.5, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uFHcVS8bmEyF for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 09:14:57 -0700 (PDT)
Received: from nm13-vm5.access.bullet.mail.gq1.yahoo.com (nm13-vm5.access.bullet.mail.gq1.yahoo.com [216.39.63.131]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D8481A9006 for <cfrg@irtf.org>; Thu, 4 Jun 2015 09:14:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s2048; t=1433434494; bh=1Lmk4Rceov2+j9AFB0w/VH2iaxLm46PVVQCb9K2RPUo=; h=Date:From:To:CC:Subject:References:In-Reply-To:From:Subject; b=knzmGFvL6NuQ6Hje3yw4ITb7EWkoqs+h+IM3q9JBCJjRr4n5F53saUB3MKYy5/vSV1o5aesUOdi4vb6/GT2GfP4BGVwxGnOcaood6yN+HGBPcFmaTi9drheZc/r3fwjBueXfm+B0ih8HQdnVheJ1bPmAjRtA1QQ8WxSmwC1DQX9elCHA3nSdag4hUSCc1jUt7jZffGQSUZvivrMhd6PcofazFuXFaLUPkwFjfTWRSzOFq2ZShtkqzXEcMUHT/MZDn6LVxTIBl8K73ydVTzVlL0mH2fbRpfbzlZI9Z8Lu+CT3WS6g4nrKUGS6HJr306mX/TjqlxsS+q8LPFhC06N/3A==
Received: from [216.39.60.169] by nm13.access.bullet.mail.gq1.yahoo.com with NNFMP; 04 Jun 2015 16:14:54 -0000
Received: from [67.195.23.147] by tm5.access.bullet.mail.gq1.yahoo.com with NNFMP; 04 Jun 2015 16:14:54 -0000
Received: from [127.0.0.1] by smtp119.sbc.mail.gq1.yahoo.com with NNFMP; 04 Jun 2015 16:14:54 -0000
X-Yahoo-Newman-Id: 649639.73385.bm@smtp119.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: lz9oMQoVM1l8eEtzXlwZwLBFbfFQxtjChW8nHa92KYi.7Od tLvwkIsY40Kj.gw0TTKjAwSQwXNw5vt_7__HKzwn_F6VpTVVqtpkXRl_nART 7T5ps10lIs.YCqnDjnpIybmnqnhv_DTpB_PA3Yk_VhDYovDhsurmcjtlwylx m5xoDjGQgJVxrjHBHn8rseIQ58Tf7cxKxCV9ie.cLZEtqrDjti0jpcYZHByw U5_0S3t.YSWXw1V6LLvNRuHOi907XTdYYQ52KjQgUYzx5kokLJ0Emm3LwA_j CC6JO.beZGiEmM.W_iWj21GMpIcBkMcWi4bQLgcWTMY4oCI4DOMsHUgWvS7j 5gnKipSp.4EZlddTrcev1mCMUqQO6EFj9C52JBE2IS1QdZVu1do0J39CJ3Z6 6cY8dJ03vOx5XCF_LIRT_NBznWVnrBMRC8JSfYDOu_pmht4JU4vkIp1Ry7kZ 0Ss8aAD1MabNulqvCxQqsH7srPz5YzH3H2Eu9Poe8HrUKP.AzK7nyngOnmqm Gn6tRgBMEmu5rMs06l2FvsRmJd2ahxvdVFW.wLOvHzDc1HSE14x6uOAG5
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
Message-ID: <5570797D.7060209@sbcglobal.net>
Date: Thu, 04 Jun 2015 09:14:53 -0700
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <556F8811.2070101@cs.tcd.ie> <20150604065658.GA14531@LK-Perkele-VII> <55705235.6000501@gmail.com>
In-Reply-To: <55705235.6000501@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/2w2qaUWfvunGiEFazosqJXuQCr4>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] square roots
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2015 16:14:58 -0000

If the field modulus p is congruent to 3 mod 4, one of the square roots 
of x can be computed by x^((p+1)/4) mod p, and the inverse can computed 
with x^(p-2) mod p.  Since the exponent is known, one does not need to 
worry about leaking bits of the exponent.  Underneath that, it is just 
multiplies and adds, and of those leak were are had anyway.

I don't see the problem.

      --David Jacobson


On 6/4/15 6:27 AM, Rene Struik wrote:
> Hi Ilari:
>
> Just curious about your side channel remarks: could you give an 
> example where side channel resistance of sqrt{x} is required? Wouldn't 
> this computation only arise if one were to uncompress points, or can 
> you give another example?
>
> Best regards, Rene
>
> where is On 6/4/2015 2:56 AM, Ilari Liusvaara wrote:
>> On Thu, Jun 04, 2015 at 12:04:49AM +0100, Stephen Farrell wrote:
>>> I'd hate to miss one of Alexey's polls:-)
>>>
>>> I'm almost neutral on this one. While we have historically preferred
>>> #1 for the reason noted in the subject line, there are really very few
>>> cases where that turns out to be a real issue, as opposed to being a
>>> theoretical one.
>>>
>>> So I think we could probably live with #2, and that could suffice for
>>> TLS and DNSSEC and other applications, even though #2 would mean
>>> that users of the signature scheme (e.g. IETF protocol developers) may
>>> need to learn something new, which is a downside.
>>>
>>> While #3 seems superficially attractive, my guess is it'd cause more
>>> confusion and interop issues, and is of course offering a choice to
>>> users of the scheme and so I don't like that one:-)
>> Having an option of hashing the message first (with an indication that
>> message was prehashed or even what hash was used) would be #3.
>>
>> Conversely, that would be the most reasonable implementation of #3.
>>
>> The reason for including hash function is to guard against trying to
>> confuse implementations over what hash function is used, allowing
>> forging signatures using stronger hashes by abusing weaker ones. The
>> internal hash function is much less of concern due to natural
>> strengthtening from hashing in various things derived from key.
>>
>>
>>> So put me down for (#2 or #1) for this one, with a very very tiny
>>> preference for #2 and documenting that one ought not use this for
>>> signing large things directly (which one probably ought not do in any
>>> case). But #1 would also be an acceptable outcome from my POV since
>>> we're in practice already dependent on the collision resistance of
>>> all the relevant hash functions and that won't ever really go away
>>> as long as there are RSA/SHA256 certificates out there which'll be
>>> the case for years and maybe decades to come. So the security
>>> benefit of #2 isn't so great, although it's real.
>> The problem with #1 isn't so much the CR requirement, but what it will
>> do to implementation safety:
>>
>> Basically, it is difficult to do #1 without either:
>> - Prehashing the message with something capabile of signing much larger
>>    things. Adding an indication that this prehash has been done would 
>> give
>>    #3).
>> - Making scheme that is dangerous by breaking basic safety.
>>
>>
>> The basic safety requirements I am thinking are:
>>
>> 1) Determinism.
>>
>> The scheme is fully deterministic.
>>
>> Breaking this makes the implementations very hard to test.
>>
>> 2) No random/unpredictable inputs except key.
>>
>> No input to functions except key may be assumed random in any way nor
>> unpredictable.
>>
>> Breaking this makes primitive easy to misuse in ways that cause
>> catastrophic breakage (reveal signing private key).
>>
>> 3) No scalar inversions or square roots for signature
>>
>> Signing must not need computing 1/x mod l or sqrt(x) mod l.
>>
>> Breaking this doesn't just make scheme slow, but also causes severe
>> side-channel hazards.
>>
>> And sidechannels matter: Modern CPUs and OSes are ridiculously 
>> vulernable,
>> with attackers capable of exploiting such bugs across virtual 
>> machines on
>> the same physical hardware.
>>
>> 4) No nonces in main mode
>>
>> The main mode may not assume any input is not repeated.
>>
>> Breaking this again makes scheme easy to misuse with very bad results
>> (hopefully anything using special modes will read the caveats).
>>
>>
>> Breaking any of these will cause real-world failures, as has been
>> demonstrated many times by ECDSA.
>>
>>
>> -Ilari
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>
>

v2.23.0 | Report a Bug | By Email