Re: [Cfrg] Mishandling twist attacks

Watson Ladd <> Wed, 14 January 2015 15:55 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B550F1A8AF8 for <>; Wed, 14 Jan 2015 07:55:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id D1MqWvkG_IdN for <>; Wed, 14 Jan 2015 07:55:41 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c01::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 999AD1A8ADE for <>; Wed, 14 Jan 2015 07:55:41 -0800 (PST)
Received: by with SMTP id i57so4752343yha.7 for <>; Wed, 14 Jan 2015 07:55:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=PSA2+UUFdJqOM4RyEyCGx08sD9J9j5RQi9c9C5q3+tY=; b=aLLzN8Vf2FTGM98vnYLqp6RLN7Wkm8O3LGTYIc/J8hZMr4jsHpjVSgpUGre9QZnKmG 0cgJtv3ZY8UBSAhVv1u4OBE2IKgtsxci92LD8EwYLD6lksNU2hmsff+JvMIFEiGrD6PU JmWlkv0H9DfazndQoW51pQHOmPEJtWdM1doBk5rLedfcT9sJZpjPwHhLjWGN1wpyeHKP U7MsZ1QC+dzUixpXxu9Oa3kLeEoJcZuO72pdg21tZRUJNf4KNyd+DFB5DIPLKyWYL0el AdPyTusJf57XCoS0hmznQ83fy6SI5l1zT5x8tmwiVw6Pmxviw3I1TPQOEruWl2aIX++v meKA==
MIME-Version: 1.0
X-Received: by with SMTP id l42mr2398310yhl.172.1421250940799; Wed, 14 Jan 2015 07:55:40 -0800 (PST)
Received: by with HTTP; Wed, 14 Jan 2015 07:55:40 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Wed, 14 Jan 2015 07:55:40 -0800
Message-ID: <>
From: Watson Ladd <>
To: "Lochter, Manfred" <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc: "" <>, "D. J. Bernstein" <>
Subject: Re: [Cfrg] Mishandling twist attacks
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Jan 2015 15:55:45 -0000

On Wed, Jan 14, 2015 at 5:44 AM, Lochter, Manfred
<> wrote:
> Here we still seem to disagree, Dan.
> When we talked about this topic during RWC I had the impression that you were
> only adressing DH and not signatures. Now I rechecked your contribution and
> would like to make some comments:
> For signatures setting any bit may allow lattice-attacks. Do you have a proof
> for your claim that "Setting the high bit of such a long nonce is also
> perfectly safe."? I would be glad to have a look at it if you provide a
> source.

Remember how the Bleichenbacher attack actually works, and what the
countermeasure recommended in standards is.

The Bleichenbacher attack relies on the bias caused by reducing a
number uniformly in the range [0, 2^n) modulo p, where p
is close to 2^n. The bias is approximately 1/2^(n-log(p)). When n is
about 2 log p, this becomes negligible.

Adding the high bit means taking numbers in the range [2^(n-1), 2^n).
The bias is now 1/2^(n-1-log(p)), which is still small.

> I' m not blaming the high bit, as you state, but the unnecessary tweak of the
> nonce. The same effect can easily be achived by using dummy operations.
> In addition this method does not make an implementors life easier. In real
> world applications users will forget the additional bit and make their
> implementations vulnerable to Timing Attacks.

Implementors can also use powering computations that are constant
time. The countermeasures you describe are frequently not implemented,
and in many cases can be bypassed by cache-based attacks examining
data flow, for instance. It's also not clear that they are necessary:
the Montgomery ladder is extremely performant and has a uniform flow
of operations. Comb based methods with protection can be trickier.

(For use in signatures, one would likely need to add on y coordinate
reconstruction and an isogeny: the formulas  for reconstruction exist
out there, but I've not found a good source yet.)

> The necessary length of nonces depends on the stucture of the underlying prime
> field and of the order of the chosen group order. Whilst for NIST curves 32
> bits seem to be OK, for general n-bit curves over special prime fields n bits
> of blinding are necessary. This blinding length is then not "an extra long
> nonce" but the minimum-length nonce to withstand SCA.

You appear to be confusing two issues: generation of signature nonces
and computing scalar multiples securely. Using a double-length nonce
solves the secure generation problem. When it comes to computing
scalar multiples, blinding of the scalar involves adding a random
multiple of the
prime. Of course, when this is a nonce used in a signature, produced
by reducing a double length nonce, adding back a random multiple might
as well be using the original nonce.

In particular, the length of extra bits required for Bleichenbacher
defense is largely independent of the prime. The claimed superiority
of random primes for blinding is in doubt: several people have pointed
to papers breaking this protection unless we use 256, not 32 extra
bits. Certainly for the NIST primes 32 bits extra will not randomize
significant blocks of bits.

> I admit, that for some implementations (depending on hardware used, and other
> factors) your method may still allow faster implementations than random prime
> curves with maximum necessary nonce length.
> However implementation security may not be improved:
> (a) Users will change to shorter nonces to become even faster. They be then
> use a too short nonce.
> (b) Even if the curves support constant-time ladders, there is no guarantee
> that users will implement these ladders.

One can use a uniform nonce in [0, p), obtained by rejection sampling.
I don't see how this issue doesn't also apply to random primes.

Yes, implementors in the pay of the NSA or BND can always make
"mistakes". However, we've described the constant-time ladder in the
draft and explained why it should be used. When it comes to
signatures, I expect that a similar amount of attention will be paid.

Watson Ladd

> Manfred
> __________ ursprüngliche Nachricht __________
> Von:            "D. J. Bernstein" <>
> Datum:  Montag, 1. Dezember 2014, 23:37:20
> An:   
> Kopie:
> Betr.:  Re: [Cfrg] Mishandling twist attacks
>> Lochter, Manfred writes:
>> > On the other hand this countermeasure is quite dangerous, when applied
>> > during signature generation.
>> No. It's true that minimum-length signature nonces with the high bit set
>> are dangerous, but minimum-length signature nonces _without_ the high
>> bit set are _also_ dangerous, so blaming the high bit is unreasonable.
>> The best protection we know is to generate much longer nonces---such as
>> the 512-bit nonces in Ed25519. Then the system isn't broken by a timing
>> attack revealing the nonce length. Setting the high bit of such a long
>> nonce is also perfectly safe.
>> Of course, an implementor can still get in trouble by (1) reducing these
>> nonces and then (2) leaking the lengths of the reduced nonces through a
>> variable-time scalarmult method. So, as another line of defense, we also
>> choose curves that support simple, fast, constant-time ladders.
>> ---Dan
>> _______________________________________________
>> Cfrg mailing list
> --
> Lochter, Manfred
> --------------------------------------------
> Bundesamt für Sicherheit in der Informationstechnik (BSI)
> Referat K21
> Godesberger Allee 185 -189
> 53175 Bonn
> Postfach 20 03 63
> 53133 Bonn
> Telefon: +49 (0)228 99 9582 5643
> Telefax: +49 (0)228 99 10 9582 5643
> E-Mail:
> Internet:
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin