Re: [Cfrg] Poly1305 and timing attacks
Yoav Nir <ynir.ietf@gmail.com> Mon, 10 March 2014 13:19 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D47221A0441 for <cfrg@ietfa.amsl.com>; Mon, 10 Mar 2014 06:19:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 45nspraVtmnk for <cfrg@ietfa.amsl.com>; Mon, 10 Mar 2014 06:19:39 -0700 (PDT)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 390051A043E for <cfrg@irtf.org>; Mon, 10 Mar 2014 06:19:39 -0700 (PDT)
Received: by mail-wg0-f46.google.com with SMTP id b13so2485487wgh.29 for <cfrg@irtf.org>; Mon, 10 Mar 2014 06:19:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5NTmSFqg/Fwj4k2Ue9l1cqaXBfPOoUJg0wv//znFTi0=; b=QTC5ycze1829ZH1rop25Jwew38z46575nOxxz44a+vwoX7ktxKMLdsHWgEpTqYB6yb b1r42Q2+bf/LJ8SfHsDMOzil6D6iL6eAuoFahtFcLd/nCq4MY2aQ9nnr3hC0gtCNqnHq BDj2TfjhTC9oT7kjU4rHd1p/OVp+51xoRZmrNpiDvaSRi+2XhZP99lcm+ghBX7SeR1sH ugAXW5jYPq1C/IDwUX9Xd2Ll0ldnQCsX6iefIfJK0MAwH7oB9kOt9wBblK4j0FjhiPcs /WyzD6k0NAqotN6P0C+jKMbMD7lAXmKbkLRWUcQet95QSVvdtlPixjLJZbZXvtWnT+C9 13AA==
MIME-Version: 1.0
X-Received: by 10.194.188.41 with SMTP id fx9mr1388596wjc.56.1394457573303; Mon, 10 Mar 2014 06:19:33 -0700 (PDT)
Received: by 10.194.89.1 with HTTP; Mon, 10 Mar 2014 06:19:33 -0700 (PDT)
In-Reply-To: <CACsn0cmNA15ZM9S2s73oTtKGH5SujSef9_3ez12jzg934HW9ow@mail.gmail.com>
References: <CAGvU-a7Mpn9Wrie=QEftsZrojQAcwysnQgNt5BOjdr8ZRY08Zg@mail.gmail.com> <CACsn0ckrTB37jB4Apj7GxAZUjou_=RUj7j4dgFeWpqxS4HKq6Q@mail.gmail.com> <CA0A4F63-89AB-4AC2-8955-E3C575E3B01C@gmail.com> <CACsn0cmNA15ZM9S2s73oTtKGH5SujSef9_3ez12jzg934HW9ow@mail.gmail.com>
Date: Mon, 10 Mar 2014 15:19:33 +0200
Message-ID: <CAGvU-a4m+ZVw6Gsq-_hPX_aLTajKkHD31G++otx5B-xu1vJ78g@mail.gmail.com>
From: Yoav Nir <ynir.ietf@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="047d7beb909c4fa95f04f4407410"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/AXgzmSOte_f39uT5Vk3Q8hGxBgQ
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Poly1305 and timing attacks
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Mar 2014 13:19:42 -0000
On Mon, Mar 10, 2014 at 12:48 AM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Sun, Mar 9, 2014 at 3:00 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: > > > > On Mar 9, 2014, at 6:45 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > <snipped agreement> > > > >> For Poly1305 as used in this draft, I am very, very hesitant about > >> approving any draft that says not-constant time is okay. However, if > >> the entire keys are being generated pseudorandomly, then I think, if > >> the side channel isn't gratuitously large, it's possibly safe. Saying > >> anything more concrete would require a lot of painful analysis of what > >> is leaked and how it can be used. > >> > >> Personally, I don't understand why making the crypto not constant > >> time, and thus open to attacks, simplifies the security > >> considerations. It might make the job of the implementor easier, but > >> it makes the job of the person who builds on top harder. > > > > It makes the security considerations simpler because it makes all the > talk about constant time implementations go away and eliminates the need > for pointing people at how to accomplish this. I agree I probably can't do > this, as this implementation might later be used as part of a library for > other things. It's not generally good to instruct people on how to make an > implementation with a warning label (that they will later ignore). > > Well, I have to fundamentally disagree with this. A constant-time, > constant-memory access, constant-control flow implementation is far > more reassuring than one which doesn't have these properties. Hey, no need to pile it on. You've already convinced me that the text needs to stay. Do you have a reference I can point to on how to make the Poly1305 calculations constant-time? Yoav
- Re: [Cfrg] Poly1305 and timing attacks Paterson, Kenny
- [Cfrg] Poly1305 and timing attacks Yoav Nir
- Re: [Cfrg] Poly1305 and timing attacks Watson Ladd
- Re: [Cfrg] Poly1305 and timing attacks Yoav Nir
- Re: [Cfrg] Poly1305 and timing attacks Watson Ladd
- Re: [Cfrg] Poly1305 and timing attacks Yoav Nir
- Re: [Cfrg] Poly1305 and timing attacks David Jacobson
- Re: [Cfrg] Poly1305 and timing attacks (clarifica… David Jacobson
- Re: [Cfrg] Poly1305 and timing attacks Watson Ladd