Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380
Hubert Kario <hkario@redhat.com> Thu, 04 April 2024 16:31 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC5B1C14F6B2 for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2024 09:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.175
X-Spam-Level:
X-Spam-Status: No, score=-2.175 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.08, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J2eFbP2dPPvh for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2024 09:31:13 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 385BEC1654EF for <cfrg@irtf.org>; Thu, 4 Apr 2024 09:30:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1712248246; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=c7mNMmsYCa7YOpqtUYstidTV/prkD6eoJxR9alelILM=; b=czgddv+rydue7iOfqwkgSoroxZ7EAmpzAxfyoXOLBdh2whh4byPfm2ijb2qDBotuYlVkMb owCigrO0Jfr0Q9tTO/mPksGW4IqdVuKjmuiSFdrr/Gm935MftrRpAZMBim1N9cTXPDCqar anPQv4/k8O8fnfepXzQocFkeEXG2fPs=
Received: from mail-lj1-f197.google.com (mail-lj1-f197.google.com [209.85.208.197]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-150-8fZKO-PuPpisja-kXOi7Fw-1; Thu, 04 Apr 2024 12:30:44 -0400
X-MC-Unique: 8fZKO-PuPpisja-kXOi7Fw-1
Received: by mail-lj1-f197.google.com with SMTP id 38308e7fff4ca-2d6b5ac2537so11272701fa.0 for <cfrg@irtf.org>; Thu, 04 Apr 2024 09:30:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712248243; x=1712853043; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=c7mNMmsYCa7YOpqtUYstidTV/prkD6eoJxR9alelILM=; b=dFJNQ8L6f3fChqVYOZX1D5f/ddDDwJeBxMS0UFXTuiGMbX7fQpT1ftnTdIeol4RrIR wsE4TYCi+mFr/AsrGzFWaBLVeB9apwAPkmr0spa/xypjvOlUg2QfXOK2wlSpzU6m9Dyp 7p0kVn+DHAyg7bDztzW+YUFai41+jsE9FOlnyP7hnAQ0za+IADKxi0EgVvWnoCUFgvLJ Ebru9gZVM2twwLauOOo5xIJVrnmW1hvNS1/+R/MeiFQG7IwGUl2IAa8afxbTnHFws6oA VHEO5+hnhPtiSNFKhMogQ/A19o2uXPGiu/t/zv1vr5gMw3Jfz1U68BtXRVLPLZQn6/rr ce6A==
X-Forwarded-Encrypted: i=1; AJvYcCVmWBYk/KvXAMZ+YGB22RoQ7aZijfHRsEoTjmbNFivkwohl6S7l0gJVbtUP7iwfYTX6Of20wYN9RYeIXW/B
X-Gm-Message-State: AOJu0YwmhwLbflMx9IleJnNn6ch/a5sampeczLy0wnt1XlQkLqYsqWbQ HiyG18KaMDiR/QXgNE7E6F3wu+zawVL+UcTE7gcLAPtIfuwojjYH2/tL9RalP45NrX0P9XI8hQJ WtdNePSQLLjeX70b7EmgVFEJ60EswVpsTiI1tdm4LyLj5GXpZow==
X-Received: by 2002:a2e:a36e:0:b0:2d6:f127:f5e7 with SMTP id i14-20020a2ea36e000000b002d6f127f5e7mr1714976ljn.21.1712248243181; Thu, 04 Apr 2024 09:30:43 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IEDUfWpAcpiAOm33GTRjoGiZWhEmU1/8VVz30RU+hGhCOLiNe/tTA5mnp1QD31Xsv4xEQxVzw==
X-Received: by 2002:a2e:a36e:0:b0:2d6:f127:f5e7 with SMTP id i14-20020a2ea36e000000b002d6f127f5e7mr1714958ljn.21.1712248242785; Thu, 04 Apr 2024 09:30:42 -0700 (PDT)
Received: from localhost (nat-pool-brq-u.redhat.com. [213.175.37.12]) by smtp.gmail.com with ESMTPSA id r13-20020a05600c458d00b004162c25d54bsm1076973wmo.3.2024.04.04.09.30.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Apr 2024 09:30:42 -0700 (PDT)
From: Hubert Kario <hkario@redhat.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: Mike Hamburg <mike@shiftleft.org>, IRTF CFRG <cfrg@irtf.org>
Date: Thu, 04 Apr 2024 18:30:41 +0200
MIME-Version: 1.0
Message-ID: <fbffd7a8-a4ed-402a-9241-1917bae3f2cb@redhat.com>
In-Reply-To: <12d2505e-2700-4333-9dc8-22c7be779399@aaa-sec.com>
References: <410a0800-78ff-422f-8ca3-5a0211478cbd@aaa-sec.com> <ZggHSDs5bRweThW5@localhost> <CAPC=aNUSTv=JtpkG71vhu25jgpVqzL5XS81543ntLMUuXcchqw@mail.gmail.com> <a5ec7b9e-62d3-4bd0-8bc9-ad23c9818e2b@aaa-sec.com> <739A462E-D02A-4B36-871E-19C282A09F90@shiftleft.org> <eb7dd447-adab-47cc-870a-51c31d4b42b4@aaa-sec.com> <4976080c-12eb-4bfe-8301-19fafb20661d@aaa-sec.com> <555b51d6-f9df-4e9c-a22e-d98effca48ad@redhat.com> <12d2505e-2700-4333-9dc8-22c7be779399@aaa-sec.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.11; xcb; Linux; Fedora release 38 (Thirty Eight)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NttRlImZKaIwFlyLA1PHW9y_Beo>
Subject: Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 16:31:19 -0000
On Thursday, 4 April 2024 17:25:35 CEST, Stefan Santesson wrote: > Hubert, > > Fully understood! and I fully agree. > > I just want to make clear that this is just a hypothetical > discussion and not any form of proposal of any kind. > > I'm exploring what you could do if side channel attacks of this > kind is not an issue. > > Theoretically. Is there any other reasons why try-and-increment > is bad. It seems not. My wider point is that a cryptographic algorithm that is very hard to implement in side-channel way, or worse still, algorithm that inherently leaks information useful to the attacker outside the cryptographic library boundary is a very bad cryptographic algorithm. That's precisely why RSAES-PKCS#1-v1.5 is a very bad algorithm. But yes, as long as the reason why the ultimately chosen value was accepted doesn't leak through timing, then try-and-increment schemes aren't inherently vulnerable to side-channel attacks. I know at least of one RFC6979 implementation that I'm comfortable claiming is side-channel secure. > Being "almost perfect" does have some advantage in that it > requires more samples to draw any conclusions as the information > leakage is less, but it still leaks. I don't think that being vulnerable only to persistent attackers is much of a consolation to the people that got hacked. So, unless the number of samples necessary isn't specified using exponents of two at least three digits long, then it's not really any protection. > /Stefan > > > > > On 2024-04-04 14:38, Hubert Kario wrote: >> Please note that as Marvin[1] showed, doing "almost" exactly >> the same amount >> of work doesn't work for side-channel protection. The code needs >> to execute the same instructions, with the same memory accesses, in the >> same order, irrespective of any checks performed. >> >> Differences as small as individual clock cycles are >> realistically detectable >> even over network, with multiple routers between the victim >> and the attacker. >> >> 1 - https://people.redhat.com/~hkario/marvin/ >> >> On Thursday, 4 April 2024 00:01:54 CEST, Stefan Santesson wrote: >>> I just have to post a correction. That experimental test I >>> posted is not correct. There is no reason to reveal through >>> the Y value if you succeeded on an odd or even attempt. >>> >>> The correct version of the algorithm we tested was: >>> >>> loop a fixed amount (e.g. 0 -> 64) { >>> >>> test and increment { >>> >>> compressed (y,x) = hkdf(hash(pw), counter) ... >> > > > -- Regards, Hubert Kario Principal Quality Engineer, RHEL Crypto team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Michael StJohns
- [CFRG] Does OPRF/OPAQUE require full implementati… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… stef
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… stef
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Jack Grigg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Mike Hamburg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Mike Hamburg
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Hubert Kario
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Hubert Kario
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Stefan Santesson
- Re: [CFRG] Does OPRF/OPAQUE require full implemen… Sander Dijkhuis