Re: [CFRG] Psychic Signatures

Peter Dettman <peter.dettman@bouncycastle.org> Mon, 25 April 2022 07:26 UTC

Message-ID: <0c31c1cf-7976-936e-be03-b43f86a30786@bouncycastle.org>
Date: Mon, 25 Apr 2022 14:26:43 +0700
To: cfrg@irtf.org
References: <SY4PR01MB62519FEA53D39AABAF0BD0F4EEF49@SY4PR01MB6251.ausprd01.prod.outlook.com> <2CBA5AE5-DF84-4E9C-85DA-4DC38464710A@ericlagergren.com> <SY4PR01MB6251CA4D5F7C83FA564FD204EEF49@SY4PR01MB6251.ausprd01.prod.outlook.com> <2438a7cd-e0f7-685b-ad47-e9ba5995a5a0@mail.muni.cz> <87FFD633-DAF5-44B8-A2BF-55B547616560@dmjacobson.com> <SY4PR01MB62519B1EE1177740A9FE4C22EEF79@SY4PR01MB6251.ausprd01.prod.outlook.com> <3690036F-3BBD-4B73-A5B1-0007DFBD5346@antarateknik.com> <8AD748B7-8C0F-4254-8A15-78E36C524E12@shiftleft.org>
From: Peter Dettman <peter.dettman@bouncycastle.org>
In-Reply-To: <8AD748B7-8C0F-4254-8A15-78E36C524E12@shiftleft.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KVE3IsONKGPTzKhWwue7BxtOefI>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

On 4/22/2022 11:09 PM, Mike Hamburg wrote:
> There is a cost in less common deployments.  If you have to check the order of the public key, because the curve has a cofactor, then this costs at least a Jacobi symbol but often much more.

At least this paper [1] proposes (in the context of a fault attack) that 
the full scalar multiplication shouldn't be skipped, even with cofactor 
1. Note: this paper was apparently withdrawn from eprint (reasons 
unknown to me), but a title search will find copies elsewhere.

Regards,
Pete Dettman

[1] "A new weak curve fault attack on ECIES: embedded point validation 
is not enough during decryption". https://eprint.iacr.org/2021/516