Re: [Cfrg] Security proofs v DH backdoors

Hanno Böck <hanno@hboeck.de> Fri, 28 October 2016 10:43 UTC

Return-Path: <hanno@hboeck.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BCA3129A45 for <cfrg@ietfa.amsl.com>; Fri, 28 Oct 2016 03:43:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1s5EhRMGtuUi for <cfrg@ietfa.amsl.com>; Fri, 28 Oct 2016 03:43:24 -0700 (PDT)
Received: from zucker.schokokeks.org (zucker.schokokeks.org [178.63.68.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61097129A63 for <cfrg@irtf.org>; Fri, 28 Oct 2016 03:43:24 -0700 (PDT)
Received: from pc1 ([2001:2012:115:3d00:8e6b:8908:764f:9343]) (AUTH: LOGIN hanno-default@schokokeks.org, TLS: TLSv1/SSLv3, 256bits, ECDHE-RSA-AES256-GCM-SHA384) by zucker.schokokeks.org with ESMTPSA; Fri, 28 Oct 2016 12:43:21 +0200 id 00000000000000E5.0000000058132BC9.00001F93
Date: Fri, 28 Oct 2016 12:43:19 +0200
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno@hboeck.de>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Message-ID: <20161028124319.082acf90@pc1>
In-Reply-To: <1477648689042.85039@cs.auckland.ac.nz>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz> <44595.1477524032@eng-mail01.juniper.net> <20161027103214.5709905.11728.6650@blackberry.com> <20161027125120.4d260334@pc1> <1477647359860.49982@cs.auckland.ac.nz> <20161028114758.6a361db1@pc1> <1477648689042.85039@cs.auckland.ac.nz>
X-Mailer: Claws Mail 3.14.0 (GTK+ 2.24.31; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-8083-1477651401-0001-2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/5SJbKWnWIuFgVDTI5Q819OJBCqg>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 10:43:26 -0000

On Fri, 28 Oct 2016 09:58:16 +0000
Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Hanno Böck <hanno@hboeck.de> writes:
> 
> >Can you elaborate what brittleness you mean?  
> 
> Uh, faults, as I said in my original message.  Any data corruption,
> bit-flips, RNG faults, anything, and you end up leaking the private
> key.

I'm really interested what you mean here, can you point to concrete
examples of such attacks?

Then main thing I'm aware of that goes into this direction are the
attacks on RSA-CRT. (originally Lenstra 1996, recently reinvestigated
with practical impact by Florian Weimer [1]) Which kinda for me
supports the impression that a seemingly simple alg like RSA has more
brittleness than many people realize.

I heard people speculating on similar attacks on eddsa (the signatures,
not the key exchange), but this was more chatter that something
practical.

[1] https://access.redhat.com/blogs/766093/posts/1976703

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42