IETF Logo Mail Archive

Re: [Cfrg] A downside of deterministic DL signatures?

David Jacobson <dmjacobson@sbcglobal.net> Sat, 02 August 2014 02:55 UTC

Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E6221A035F for <cfrg@ietfa.amsl.com>; Fri, 1 Aug 2014 19:55:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FIDwDLWNwneO for <cfrg@ietfa.amsl.com>; Fri, 1 Aug 2014 19:55:53 -0700 (PDT)
Received: from nm5-vm6.access.bullet.mail.gq1.yahoo.com (nm5-vm6.access.bullet.mail.gq1.yahoo.com [216.39.63.153]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B285C1A020A for <cfrg@irtf.org>; Fri, 1 Aug 2014 19:55:53 -0700 (PDT)
Received: from [216.39.60.166] by nm5.access.bullet.mail.gq1.yahoo.com with NNFMP; 02 Aug 2014 02:55:53 -0000
Received: from [67.195.23.144] by tm2.access.bullet.mail.gq1.yahoo.com with NNFMP; 02 Aug 2014 02:55:53 -0000
Received: from [127.0.0.1] by smtp116.sbc.mail.gq1.yahoo.com with NNFMP; 02 Aug 2014 02:55:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s1024; t=1406948153; bh=vZuATxJVpyEqM+xEh5lhg+BixlM9BAleSdO+U+w3QZM=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type; b=fV3+2f01nzHTEjHvrx/Lw2LRzU2cwZP9cjaWVd1bErP4h0awQO2PjvvaXisEASRv22sYLSD6wuTtBPHHBtEX4oGT9gJOw0UCwU0+3HazXHeg/yJzewcDskLo9MFio2dO/1Q/VTkc20DTsvlx2+UYYk+aqjitlZz7SLmQPwBcmYE=
X-Yahoo-Newman-Id: 70853.42210.bm@smtp116.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: ZqZmW2UVM1mY3Y7MjmimubDs8BQOq9h1jiX7XoYdH.wbVbn EtyeI.1C1kiYdCKn4pdR5ItCWWa6uW.WaaL1JaGgMCN69p9xFx79dhyn2eQH ZOzZSjtMMGYVAe3ds6jJTjxvQ4B9pyl6rSL5XKebRB9UuzATBYq.T6yhQRlw Y5qGkRAxdkiGQRSR7Ezcl_.Fp2sQEIhXMnBxIauiKXv3Isk4x4Oa30pwhZmb vg.uAbkQWvTdQgc1Rx1beHKjNfanHzvfr_cE1KtC9BSC.BTZ_4SsT1A38Z8w 5FNlvyguSslFyN2LWMcNZN9B69e02SGLLIbydzMEyNqp95Ap2jzP.ql3ontn 6xIgu9hh41XFRnukQLDqyQ58z_wb2UXD49azSJbKjceg9E3uqrXdkx6V3gT8 JKvkLKRoKOwJ6bMyrAlJbymUYzJeOvKgzQU8TcyxeOkyX6T.pQfXIkloksnq 3XTJ42h0ZtOe_Xxgg5I0zgzcvsQUOy3oVMd6o.4VNfuP.lfI_tom4gPGc4rV OUGdmQJwJL9i3mOjRxOgf5s98QgXMzyInO6qhBgCQ9KFAZ2uglns.D7mGfGU UOgDUCoMaSxsTqTcfu3cxpwn_yMNIOwuR5kaZXeeyxJG7onqimXdfzjdp6w- -
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
X-Rocket-Received: from Davids-iMac.local (dmjacobson@99.120.97.155 with plain [67.195.15.5]) by smtp116.sbc.mail.gq1.yahoo.com with SMTP; 02 Aug 2014 02:55:53 +0000 UTC
Message-ID: <53DC5337.9070501@sbcglobal.net>
Date: Fri, 01 Aug 2014 19:55:51 -0700
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Dan Brown <dbrown@certicom.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <20140729205846.6639765.71649.17355@certicom.com> <CAHOTMVJ4AirY+tRnVfwt1umgx=Q2xNwVTks6OoVNaV0gkKihOg@mail.gmail.com> <947D45A1-AF36-470B-8D50-7600FEF7FB30@shiftleft.org> <CAHOTMVJYr=S1fXXSYCHDJz2m6sn10uQ=ztXT7htW1m53qEZHog@mail.gmail.com> <53DA7B79.70709@fifthhorseman.net> <CAHOTMVKb8w2TeTpoZsMnJHtspp+xZrO-Ug7YpqUqW2Bc5itNmQ@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF5CC6690@XMB116CNC.rim.net>
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5CC6690@XMB116CNC.rim.net>
Content-Type: multipart/alternative; boundary="------------060705070609090107060907"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/OE5KNuQvb5LOL03LIZvcngU8cJE
Subject: Re: [Cfrg] A downside of deterministic DL signatures?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Aug 2014 02:55:56 -0000

It is easy to blind k.  Remember you compute something like

k^-1 * (z + r*d)

You also compute k*G.    You do that with the Montgomery ladder, so it 
doesn't leak.

The next problem is to computing k^-1.  We might use the binary inverse 
method, but it has zillions of data-dependent branches and doesn't run 
in anything even close to constant time.  He is how we solve that.

Let b be a fresh for each computation uniform random value in the range 
[1, n-1].

Compute instead

(k * b)^-1 * b * (z + r * d)

Even though the inverse is full of data-dependent branches and isn't at 
all constant time, that doesn't matter, because all values of b are 
equally likely, so it is kind of like encrypting k with a one-time-pad: 
you get information-theoretic security.

I thought about distributing b inside stuff to the right like this:

(k*b)^-1 * (b*z + r * (b*d))

to also avoid a multiplication of d with r, which is both random and 
known to the attacker---generally considered favorable for DPA attacks.  
And if that multiplication could be attacked it would leak d, the 
private key.  But I'm worried because there is a multiplication of b*z, 
and z (basically H(msg)) is known by the attacker.  (I only know enough 
about DPA to get myself into trouble.  So I'll stop before making a 
blunder.)

     --David Jacobson


On 8/1/14 10:46 AM, Dan Brown wrote:
>
> I was also asking if pre-computing kG is useful as a secondary 
> side-channel countermeasure, which occurred to me upon skimming:
>
> http://eprint.iacr.org/2011/232
>
> As I understand the abstract of that paper, the implemented form 
> Montgomery ladder was not constant time. This resulted in an 
> exploitable side channel.  They describe a simple fix.  But in the 
> event of other possible side channels, such as those arising from bugs 
> and underlying system quirks (whatever acceleration the system tries 
> to provide), does it make sense to use some secondary independent 
> side-channel countermeasures?  For example, does computing the ECDSA 
> signature component kG at the start of the TLS handshake in parallel 
> with other operations, such as the ECDHE computations and so on, have 
> any potential help by blurring any timing information?
>
> Best regards,
>
> Dan
>
> *From:*Tony Arcieri [mailto:bascule@gmail.com]
> *Sent:* Thursday, July 31, 2014 5:09 PM
> *To:* Daniel Kahn Gillmor
> *Cc:* Michael Hamburg; Dan Brown; IRTF Crypto Forum Research Group
> *Subject:* Re: [Cfrg] A downside of deterministic DL signatures?
>
> On Thu, Jul 31, 2014 at 10:23 AM, Daniel Kahn Gillmor 
> <dkg@fifthhorseman.net <mailto:dkg@fifthhorseman.net>> wrote:
>
> neither of these required nationstate-level effort, and they date back
>
> to 2008.
>
> Okay, let me put it this way instead:
>
> Collisions:
>
> - Can be used to alter the content of individual messages
>
> - This requires that the design of the hash function itself be broken
>
> Bad nonces:
>
> - Leak the private key which can then be used to forge as many 
> messages as you wish
>
> - Can be the result of bad RNGs/implementation errata even if the 
> algorithm and the rest of its implementation is sound
>
> Which is worse?
>
> -- 
> Tony Arcieri
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.20.3 | Report a Bug | By Email