Re: [Cfrg] Exposing the private key by signing "too many times"

ned+cfrg@mrochek.com Thu, 14 April 2016 19:12 UTC

From: ned+cfrg@mrochek.com
Message-id: <01PZ03SYW51800005M@mauve.mrochek.com>
Date: Thu, 14 Apr 2016 12:03:03 -0700
In-reply-to: "Your message dated Thu, 14 Apr 2016 19:05:27 +0200" <20160414170527.GA22878@bolet.org>
References: <C33F3EC3-AF92-4BC0-8191-32839135BBBB@vpnc.org> <20160414144442.5709908.79799.15426@certicom.com> <20160414170527.GA22878@bolet.org>
To: Thomas Pornin <pornin@bolet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/F3Kj3xfGfiBJYagWBzmdQaZNjqU>
Cc: Dan Brown <dbrown@certicom.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Exposing the private key by signing "too many times"

There are also several so-called "lattice attacks", mostly based on work done
on modular polynomial factorization by Don Coppersmith.

AFAIK all of these attacks assume that either some bits of the ephemeral are
leaked (e.g., by a timing attack), or that there's some way to control the
value of some bits of the ephemeral key (e.g., so-called glitch attacks). In
such circumstances the results of some number (sometimes quite small) of
signature operations are used to extract the private key.

See for example:

	http://www.hpl.hp.com/techreports/1999/HPL-1999-90.pdf

				Ned

> On Thu, Apr 14, 2016 at 02:44:43PM +0000, Dan Brown wrote:
> > Long ago DSA allowed biased ephemeral secrets, which Bleichenbacher
> > exploited to extract the private key.
> >
> > Not aware of history or survey papers on topic, sorry.

> The attack is described in this report from Serge Vaudenay (section 5):

>    http://www.ipa.go.jp/security/enc/CRYPTREC/fy15/doc/1002_reportDSA.pdf

> Serge says that the attack was announced in February 2001; apparently,
> according to that CHES 2013 article:

>    http://www.iacr.org/archive/ches2013/80860105/80860105.pdf

> the attack was also presented and discussed at an IEEE P1363 WG meeting
> on November 15th, 2000.

> To my knowledge it was never formally published.


> Conceptually, this is a generalization of the dreaded "secret value
> reuse". If you reuse the same k value in two distinct signatures (with
> the same private key) then the private key is revealed. Bleichenbacher's
> attack generalizes that result into leveraging a selection bias; plain
> reuse just being an awfully large selection bias.


> 	--Thomas Pornin

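Both failure modes discussed in this exchange, as an added worked example that is not part of the thread: Thomas's "secret value reuse" (the same k in two DSA signatures gives away the private key with two modular operations) and the leaked/biased-bits case Ned points at, written here as the hidden number problem lattice from the Howgrave-Graham/Smart HP Labs report he links. Everything below is the editor's own toy code: the DSA group is generated at 28-bit q size, the "biased" nonces are simply drawn below 2**14 (top half known to be zero, far more than a real attack needs, so that the pure-Python LLL finishes in seconds), the messages and seed are constructed, and all function names are assumptions, not anything from a real library.

```python
"""Toy DSA key recovery from nonce misuse (added example, not from the CFRG thread).
(a) one nonce reused for two signatures; (b) nonces whose top bits are zero, solved as a
hidden number problem with the Howgrave-Graham/Smart lattice; sizes scaled down for speed."""
import hashlib
import math
import random
from fractions import Fraction

def is_prime(m):  # trial division is plenty at these toy sizes
    return m > 1 and all(m % d for d in range(2, math.isqrt(m) + 1))

def dsa_params(rng, q_bits=28):
    # p = c*q + 1 and g of prime order q, as in DSA, just tiny.
    q = 0
    while not is_prime(q):
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
    c = 2
    while not is_prime(c * q + 1):
        c += 1
    p = c * q + 1
    return p, q, next(pow(h, c, p) for h in range(2, p) if pow(h, c, p) != 1)

def hash_mod_q(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q  # toy truncation

def dsa_sign(p, q, g, x, h, k):
    r = pow(g, k, p) % q
    return r, pow(k, -1, q) * (h + x * r) % q

def key_from_reused_nonce(q, h1, sig1, h2, sig2):
    # Same k gives the same r; subtracting the two s equations cancels x and exposes k.
    (r1, s1), (r2, s2) = sig1, sig2
    assert r1 == r2, "a reused nonce shows up as an identical r"
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - h1) * pow(r1, -1, q) % q

def lll_reduce(basis, delta=Fraction(99, 100)):
    # Textbook LLL over exact rationals; adequate for dimension ~10.
    b = [[Fraction(v) for v in row] for row in basis]
    n = len(b)
    bstar, mu = [None] * n, [[Fraction(0)] * n for _ in range(n)]
    dot = lambda u, v: sum(ui * vi for ui, vi in zip(u, v))
    def gram_schmidt(start=0):
        for i in range(start, n):
            v = list(b[i])
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
            bstar[i] = v
    gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce b_k against earlier vectors
            c = round(mu[k][j])
            if c:
                b[k] = [u - c * v for u, v in zip(b[k], b[j])]
                for i in range(j):
                    mu[k][i] -= c * mu[j][i]
                mu[k][j] -= c
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1  # Lovasz condition holds, move on
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            gram_schmidt(k - 1)
            k = max(k - 1, 1)
    return [[int(v) for v in row] for row in b]

def key_candidates_from_biased_nonces(q, hashes, sigs, nonce_bound):
    # Each signature gives k_i = t_i*x + a_i (mod q) with k_i < K: a hidden number problem.
    # (q*k_1, ..., q*k_n, x*K, q*K) is an unusually short vector of the lattice below.
    n, K = len(sigs), nonce_bound
    t = [r * pow(s, -1, q) % q for r, s in sigs]
    a = [h * pow(s, -1, q) % q for h, (r, s) in zip(hashes, sigs)]
    basis = [[q * q if j == i else 0 for j in range(n + 2)] for i in range(n)]
    basis.append([q * ti for ti in t] + [K, 0])
    basis.append([q * ai for ai in a] + [0, q * K])
    for row in lll_reduce(basis):
        if abs(row[-1]) == q * K:  # the a-row was used exactly +-1 times
            yield ((1 if row[-1] > 0 else -1) * row[n] // K) % q

def run_demo(seed=2016, n_sigs=8, nonce_bits=14):
    rng = random.Random(seed)  # constructed, reproducible toy inputs
    p, q, g = dsa_params(rng)
    x = rng.randrange(1, q)
    y, K = pow(g, x, p), 1 << nonce_bits
    # (a) the same k on two different messages
    k = rng.randrange(1, q)
    h1, h2 = hash_mod_q(b"pay 10", q), hash_mod_q(b"pay 1000", q)
    reuse_x = key_from_reused_nonce(q, h1, dsa_sign(p, q, g, x, h1, k), h2, dsa_sign(p, q, g, x, h2, k))
    # (b) fresh nonces that all lie below 2**nonce_bits (top bits leaked or forced to zero)
    hashes = [hash_mod_q(b"message %d" % i, q) for i in range(n_sigs)]
    sigs = [dsa_sign(p, q, g, x, h, rng.randrange(1, K)) for h in hashes]
    lattice_x = next((c for c in key_candidates_from_biased_nonces(q, hashes, sigs, K)
                      if pow(g, c, p) == y), None)
    return x, reuse_x, lattice_x

if __name__ == "__main__":
    x, reuse_x, lattice_x = run_demo()
    print("x =", x, " from reuse:", reuse_x, " from lattice:", lattice_x)
```

The reuse case needs no lattice at all, which is why Thomas calls it the extreme form of the bias attack: s1 - s2 = k^-1 (h1 - h2) mod q, so k falls out directly. The lattice case only works because the k_i are small compared with q; with a real 256-bit q and a few leaked bits per nonce the same construction applies, but needs many more signatures and a proper LLL/BKZ implementation rather than the Fraction-based one here.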