IETF Logo Mail Archive

[Cfrg] square roots

Rene Struik <rstruik.ext@gmail.com> Thu, 04 June 2015 13:32 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A92431B34D4 for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 06:32:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_ABOUTYOU=0.5, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ULN46wXYybNw for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 06:32:37 -0700 (PDT)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5F711B33AF for <cfrg@irtf.org>; Thu, 4 Jun 2015 06:27:37 -0700 (PDT)
Received: by igbhj9 with SMTP id hj9so15309691igb.1 for <cfrg@irtf.org>; Thu, 04 Jun 2015 06:27:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=NB34zp+RVqYpKxJXzlvFYCu1AvjNtv0RAPbMhFqpRZI=; b=Lk8+tnzSagxg/HpBQqIqn9QwVrDsMUClfuPEZw3eggXaccxGQOprP68FzJV4N37mVt EhqYVsSmXYvLnXK3xF7Ibvvbc6E/G3C6VTg57IxHI5ftyOFfLI/+04/OdzbX1MImOEQx HSNW/POPO+lt6s11YFTt8YG/RRWa1JuKTT4kU6RVMjgvmRW7KjGECa9igOOGHdIvq8tz sfUq0tywP9P7cv9/z5/Su1AyoW6OohnFarNAYno00gb3COox2dWN/Yin6cRbO5ZT/IAY QcaCRwtR9WV/hb3xIKOXjQ+WQExELfBga7ZRwpAyYshAl3IGYWfgMrspdTcd+cL8J5MO uyOw==
X-Received: by 10.107.159.77 with SMTP id i74mr34419720ioe.9.1433424457329; Thu, 04 Jun 2015 06:27:37 -0700 (PDT)
Received: from [192.168.0.14] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id q10sm14242837ige.16.2015.06.04.06.27.36 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 04 Jun 2015 06:27:36 -0700 (PDT)
Message-ID: <55705235.6000501@gmail.com>
Date: Thu, 04 Jun 2015 09:27:17 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <556F8811.2070101@cs.tcd.ie> <20150604065658.GA14531@LK-Perkele-VII>
In-Reply-To: <20150604065658.GA14531@LK-Perkele-VII>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/5DekVs_vE34BbabPB9g_WyWSf6k>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] square roots
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2015 13:32:38 -0000

Hi Ilari:

Just curious about your side channel remarks: could you give an example 
where side channel resistance of sqrt{x} is required? Wouldn't this 
computation only arise if one were to uncompress points, or can you give 
another example?

Best regards, Rene

where is On 6/4/2015 2:56 AM, Ilari Liusvaara wrote:
> On Thu, Jun 04, 2015 at 12:04:49AM +0100, Stephen Farrell wrote:
>> I'd hate to miss one of Alexey's polls:-)
>>
>> I'm almost neutral on this one. While we have historically preferred
>> #1 for the reason noted in the subject line, there are really very few
>> cases where that turns out to be a real issue, as opposed to being a
>> theoretical one.
>>
>> So I think we could probably live with #2, and that could suffice for
>> TLS and DNSSEC and other applications, even though #2 would mean
>> that users of the signature scheme (e.g. IETF protocol developers) may
>> need to learn something new, which is a downside.
>>
>> While #3 seems superficially attractive, my guess is it'd cause more
>> confusion and interop issues, and is of course offering a choice to
>> users of the scheme and so I don't like that one:-)
> Having an option of hashing the message first (with an indication that
> message was prehashed or even what hash was used) would be #3.
>
> Conversely, that would be the most reasonable implementation of #3.
>
> The reason for including hash function is to guard against trying to
> confuse implementations over what hash function is used, allowing
> forging signatures using stronger hashes by abusing weaker ones. The
> internal hash function is much less of concern due to natural
> strengthtening from hashing in various things derived from key.
>
>
>> So put me down for (#2 or #1) for this one, with a very very tiny
>> preference for #2 and documenting that one ought not use this for
>> signing large things directly (which one probably ought not do in any
>> case). But #1 would also be an acceptable outcome from my POV since
>> we're in practice already dependent on the collision resistance of
>> all the relevant hash functions and that won't ever really go away
>> as long as there are RSA/SHA256 certificates out there which'll be
>> the case for years and maybe decades to come. So the security
>> benefit of #2 isn't so great, although it's real.
> The problem with #1 isn't so much the CR requirement, but what it will
> do to implementation safety:
>
> Basically, it is difficult to do #1 without either:
> - Prehashing the message with something capabile of signing much larger
>    things. Adding an indication that this prehash has been done would give
>    #3).
> - Making scheme that is dangerous by breaking basic safety.
>
>
> The basic safety requirements I am thinking are:
>
> 1) Determinism.
>
> The scheme is fully deterministic.
>
> Breaking this makes the implementations very hard to test.
>
> 2) No random/unpredictable inputs except key.
>
> No input to functions except key may be assumed random in any way nor
> unpredictable.
>
> Breaking this makes primitive easy to misuse in ways that cause
> catastrophic breakage (reveal signing private key).
>
> 3) No scalar inversions or square roots for signature
>
> Signing must not need computing 1/x mod l or sqrt(x) mod l.
>
> Breaking this doesn't just make scheme slow, but also causes severe
> side-channel hazards.
>
> And sidechannels matter: Modern CPUs and OSes are ridiculously vulernable,
> with attackers capable of exploiting such bugs across virtual machines on
> the same physical hardware.
>
> 4) No nonces in main mode
>
> The main mode may not assume any input is not repeated.
>
> Breaking this again makes scheme easy to misuse with very bad results
> (hopefully anything using special modes will read the caveats).
>
>
> Breaking any of these will cause real-world failures, as has been
> demonstrated many times by ECDSA.
>
>
> -Ilari
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email