Re: [Cfrg] Security proofs v DH backdoors

Watson Ladd <watsonbladd@gmail.com> Mon, 31 October 2016 00:56 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65D2F1293D8 for <cfrg@ietfa.amsl.com>; Sun, 30 Oct 2016 17:56:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WuV0UHshOlOj for <cfrg@ietfa.amsl.com>; Sun, 30 Oct 2016 17:56:07 -0700 (PDT)
Received: from mail-ua0-x232.google.com (mail-ua0-x232.google.com [IPv6:2607:f8b0:400c:c08::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF19212940A for <cfrg@irtf.org>; Sun, 30 Oct 2016 17:56:06 -0700 (PDT)
Received: by mail-ua0-x232.google.com with SMTP id b35so21906969uaa.3 for <cfrg@irtf.org>; Sun, 30 Oct 2016 17:56:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pVN1xsdc1GhvBeniFL/NLceL6bU+R1A9cXLMhOXqAfo=; b=K1lN1SoBXTOjk+9E/Q/vFE0w3istknURSILlLQemK+Hnbg4L0Xekk8RliKHQdM0FTW BjiBB4JH7H4cpY/Dz6eqT+UZ7HEmN1KmM6mUWpkLKJFggTYKfqFWpYxdVtcv/3jNeRDg bYP+IPDUynWyx+LVRSfu+ucmvlu1cnjOTYSLxJ0dwvNPrQizGA/o09H8Z9cuZZQZ2/lk g93Lk2zx+eEAgjw5petKjUBTGPpsRxIfBwK7aBN9nLZ9jlYi+B83qXhABpika+LVA2cP yzXTrNpgpvXgLAjPCKTbg9/1O2k8HERBpEH7VWSBqVZYaHl0MFSLQBDC1z5Yu1UaUqYb cpIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pVN1xsdc1GhvBeniFL/NLceL6bU+R1A9cXLMhOXqAfo=; b=m38lQ7kTvQWK64Cg+v7imkLa/wd7hUVGwEBhMCDelZhtD+rwb7xnNvqtBymg6Wy2Uk UY0ErgOFKrJ+jJBBUz0QWHjLW5gI70lxTJVL6RCGnh0aixduI6YAQ3q0jkmrca3bpDJm ZFgGpaEeJpaEKAYIhOGCiFjCYBRTKTu1cekq58iCcIOtBmkdpzeZnUX8Owjl6kM+4vhi dm3kEY++PVM7Bg6GsXDpC9m8am+I8wQ4ae82iNhN7zle9QOlaWeqUcJtMVIUiP/cEJY1 SlWlF9ctr9whxv9oT+Ma63DMs0PlGT7D8zbO4Uamc4QN6tfE6lm7Y87veq57X5nl55cP IhkQ==
X-Gm-Message-State: ABUngvfIpTDI/pJDQ42DJZl177MFdS9SbZ95NCDMtw9xfVoEiKd+rWGVx2uC7LkJVhk1K6f864Fab2q65TU1pg==
X-Received: by 10.176.65.33 with SMTP id j30mr945284uad.94.1477875365958; Sun, 30 Oct 2016 17:56:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.68.135 with HTTP; Sun, 30 Oct 2016 17:56:05 -0700 (PDT)
Received: by 10.176.68.135 with HTTP; Sun, 30 Oct 2016 17:56:05 -0700 (PDT)
In-Reply-To: <1477825903078.89540@cs.auckland.ac.nz>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz> <44595.1477524032@eng-mail01.juniper.net> <20161027103214.5709905.11728.6650@blackberry.com> <20161027125120.4d260334@pc1> <1477647359860.49982@cs.auckland.ac.nz> <20161028114758.6a361db1@pc1> <1477648689042.85039@cs.auckland.ac.nz> <20161028124319.082acf90@pc1> <1477825903078.89540@cs.auckland.ac.nz>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 31 Oct 2016 01:56:05 +0100
Message-ID: <CACsn0ckDevVdS+1JKfBWps7znFpkXxGAeF6C8+ygtSZBUwdy5w@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: multipart/alternative; boundary=94eb2c12464435d91605401eac89
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/C5peNebA7kcdRMPgZxdSbV0u9O8>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2016 00:56:08 -0000

On Oct 30, 2016 4:12 AM, "Peter Gutmann" <pgut001@cs.auckland.ac.nz> wrote:
>
> Hanno Böck <hanno@hboeck.de> writes:
>
> >I'm really interested what you mean here, can you point to concrete
examples
> >of such attacks?
>
> There's so much I don't really know where to start... I've just done a
quick
> google of "fault attack ecdsa" and got 29,700 hits (OK, lots will be dups
:-),
> but the first few (de-dup'd) papers are:
>
>   A Fault Attack on ECDSA
>   Fault Attacks on Elliptic Curve Cryptosystems
>   A Novel Fault Attack Against ECDSA
>   Synthesis of Fault Attacks on Cryptographic Implementations
>   Fault Attack to the Elliptic Curve Digital Signature Algorithm
>   [...]
>
> Real-world attacks would be, for example, the recovery of the PS3 master
> signing key due to bad RNG use in ECDSA, equivalent to an RNG fault.

How many of those papers would apply to DSA? What about the vulnerability
of RSA signatures to faults?

>
> Peter.
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg