Re: [Cfrg] Handling invalid points
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 22 November 2014 12:51 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFA7C1A6EE4 for <cfrg@ietfa.amsl.com>; Sat, 22 Nov 2014 04:51:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F41YwQpsYMz7 for <cfrg@ietfa.amsl.com>; Sat, 22 Nov 2014 04:51:53 -0800 (PST)
Received: from emh01.mail.saunalahti.fi (emh01.mail.saunalahti.fi [62.142.5.107]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E6591A0117 for <cfrg@irtf.org>; Sat, 22 Nov 2014 04:51:53 -0800 (PST)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh01.mail.saunalahti.fi (Postfix) with ESMTP id 1A3EF90071 for <cfrg@irtf.org>; Sat, 22 Nov 2014 14:51:50 +0200 (EET)
Date: Sat, 22 Nov 2014 14:51:50 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: cfrg@irtf.org
Message-ID: <20141122125150.GA16596@LK-Perkele-VII>
References: <8FBEB0194016E64D9DF7E7855CD88E0C073A6D@FRPASERV0088.emea.oberthurcs.com> <20141121231233.18473.qmail@cr.yp.to>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20141121231233.18473.qmail@cr.yp.to>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/KFklvfCkwy2K84nFbVPqmNxdpqk
Subject: Re: [Cfrg] Handling invalid points
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Nov 2014 12:51:56 -0000
On Fri, Nov 21, 2014 at 11:12:33PM -0000, D. J. Bernstein wrote: > > Why would anyone talk about small-subgroup attacks as being stopped by a > "check" that might be "forgotten", the same way that a curve-equation > check can stop invalid-curve attacks but might be forgotten? Answer: > What I've described so far is > > * a computational (robust) defense against small-subgroup attacks, > * a verifying (not robust) defense against invalid-curve attacks, and > * a computational (robust) defense against invalid-curve attacks, > > but there's also > > * a verifying (not robust) defense against small-subgroup attacks. > > Specifically, instead of multiplying the incoming point Q by h, one can > check whether hQ = 0. This check runs a serious risk of being omitted, > the same way that a curve-equation check runs a serious risk of being > omitted, although the resulting damage is much less severe. Also keep in mind for what CFRG is giving recommendations. Small subgroup attacks: TLS can easily deal with small-subgroup attacks without extra checks. Invalid-curve attacks: The only realistic way of avoiding checks there is to pick complete twist-secure Montgomery curve. Implementation environment: Software-only uses of ECC in TLS utterly dwarf any hardware implementations (embedded does not mean hardware). And number of software implementations that need serious timing attack protections dwards hardware implementations that need advanced side channel protections (and those software protections are very nasty to implement unless curve is complete). -Ilari
- [Cfrg] Requirements for elliptic curves with a vi… RONDEPIERRE Franck
- Re: [Cfrg] Requirements for elliptic curves with … Dan Brown
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Manuel Pégourié-Gonnard
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Lochter, Manfred
- Re: [Cfrg] Requirements for elliptic curves with … Alyssa Rowan
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Requirements for elliptic curves with … Andy Lutomirski
- [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Handling invalid points Michael Hamburg
- Re: [Cfrg] Requirements for elliptic curves with … Watson Ladd
- Re: [Cfrg] Handling invalid points Natanael
- Re: [Cfrg] Requirements for elliptic curves with … William Whyte
- Re: [Cfrg] Handling invalid points Ilari Liusvaara
- Re: [Cfrg] Handling invalid points Stephen Farrell
- Re: [Cfrg] Requirements for elliptic curves with … D. J. Bernstein
- Re: [Cfrg] Handling invalid points D. J. Bernstein
- Re: [Cfrg] Handling invalid points Adam Langley