Re: [Cfrg] Security proofs v DH backdoors

Hanno Böck <hanno@hboeck.de> Sun, 30 October 2016 20:33 UTC

Return-Path: <hanno@hboeck.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DB6212945F for <cfrg@ietfa.amsl.com>; Sun, 30 Oct 2016 13:33:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yeZ3CtUrk7Gl for <cfrg@ietfa.amsl.com>; Sun, 30 Oct 2016 13:33:20 -0700 (PDT)
Received: from zucker.schokokeks.org (zucker.schokokeks.org [178.63.68.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FB0C129440 for <cfrg@irtf.org>; Sun, 30 Oct 2016 13:33:20 -0700 (PDT)
Received: from pc1 ([2001:2012:115:3d00:8e6b:8908:764f:9343]) (AUTH: LOGIN hanno-default@schokokeks.org, TLS: TLSv1/SSLv3, 256bits, ECDHE-RSA-AES256-GCM-SHA384) by zucker.schokokeks.org with ESMTPSA; Sun, 30 Oct 2016 21:33:17 +0100 id 000000000000002F.000000005816590D.00002125
Date: Sun, 30 Oct 2016 21:33:15 +0100
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno@hboeck.de>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Message-ID: <20161030213315.1937114d@pc1>
In-Reply-To: <1477825903078.89540@cs.auckland.ac.nz>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz> <44595.1477524032@eng-mail01.juniper.net> <20161027103214.5709905.11728.6650@blackberry.com> <20161027125120.4d260334@pc1> <1477647359860.49982@cs.auckland.ac.nz> <20161028114758.6a361db1@pc1> <1477648689042.85039@cs.auckland.ac.nz> <20161028124319.082acf90@pc1> <1477825903078.89540@cs.auckland.ac.nz>
X-Mailer: Claws Mail 3.14.0 (GTK+ 2.24.31; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-8485-1477859597-0001-2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/65S2V6Fd9MRn4NlkdPut_M-B3Ow>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2016 20:33:22 -0000

On Sun, 30 Oct 2016 11:11:55 +0000
Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> There's so much I don't really know where to start... I've just done
> a quick google of "fault attack ecdsa" and got 29,700 hits (OK, lots
> will be dups :-), but the first few (de-dup'd) papers are:
> 
>   A Fault Attack on ECDSA
>   Fault Attacks on Elliptic Curve Cryptosystems
>   A Novel Fault Attack Against ECDSA
>   Synthesis of Fault Attacks on Cryptographic Implementations
>   Fault Attack to the Elliptic Curve Digital Signature Algorithm
>   [...]
> 
> Real-world attacks would be, for example, the recovery of the PS3
> master signing key due to bad RNG use in ECDSA, equivalent to an RNG
> fault.

Peter, I find your line of reasoning very dishonest.

You bring up an example that has nothing to do with ECC. The PS3 issue
is a well known problem of both classic / finite field DSA and ECDSA.
How is that an argument for the brittleness of ECC?

Yeah, we can agree that ECDSA is a bad algorithm. DSA is also a bad
algorithm. But we were talking about key exchanges, so that's really
beside the point here.
We can also agree that fault attacks against ECC can happen. However
that's not the question. The question is whether ECC is more at risk
compared to non-ECC crypto. I don't see evidence for that.

As far as I see several of the papers you mention also talk about
attacks against RSA or DSA.

I have not yet seen an attack that is specific to ECC that is as
devastating and practical as the RSA-CRT fault attacks.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42