[Cfrg] Side channel effectiveness against P256?

Dan Brown <dbrown@certicom.com> Thu, 24 July 2014 19:54 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 72ABF1A0ADD for <cfrg@ietfa.amsl.com>; Thu, 24 Jul 2014 12:54:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.299
X-Spam-Status: No, score=-1.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_22=0.6] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 3FiMG7UIuhDM for <cfrg@ietfa.amsl.com>; Thu, 24 Jul 2014 12:54:49 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com []) by ietfa.amsl.com (Postfix) with ESMTP id 0AF8F1A0AC1 for <cfrg@irtf.org>; Thu, 24 Jul 2014 12:54:48 -0700 (PDT)
Received: from xct106cnc.rim.net ([]) by mhs210cnc.rim.net with ESMTP/TLS/AES128-SHA; 24 Jul 2014 15:54:44 -0400
Received: from XCT114CNC.rim.net ( by XCT106CNC.rim.net ( with Microsoft SMTP Server (TLS) id; Thu, 24 Jul 2014 15:54:43 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT114CNC.rim.net ([::1]) with mapi id 14.03.0174.001; Thu, 24 Jul 2014 15:54:43 -0400
From: Dan Brown <dbrown@certicom.com>
To: "D. J. Bernstein" <djb@cr.yp.to>
Thread-Topic: Side channel effectiveness against P256?
Thread-Index: Ac+neRxn9JPdjeeURryk8KmXSL41ag==
Date: Thu, 24 Jul 2014 19:54:42 +0000
Message-ID: <20140724195442.6656149.37460.17103@certicom.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="===============2140904899=="
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/BZJgamS3AXVbTzZj4JenyWmbZHA
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] Side channel effectiveness against P256?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jul 2014 19:54:50 -0000


Forgot to ask yesterday: is the side channel on naive P256 you described in the CFRG meeting exploitable against ECDHE over Internet via timing?‎ If not, when is it exploitable? Eg,by timing 256 key re-uses on a local network only? By another process in the same machine? I really don't know this area. Should we recommend against such settings rather than just relying on side channel countermeasures for P256? 

Best regards, 

-- Dan

PS Sorry if you already answered this in your talk‎.