Re: [Cfrg] Poly1305 and timing attacks

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sun, 09 March 2014 22:22 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [Cfrg] Poly1305 and timing attacks
Thread-Index: AQHPO6fBJBkHi6qVekCadSn5VKUGVprZVNn7
Date: Sun, 09 Mar 2014 22:22:38 +0000
Message-ID: <37CD9BE1-3576-4818-B03C-2C1C2890EBAE@rhul.ac.uk>
References: <CAGvU-a7Mpn9Wrie=QEftsZrojQAcwysnQgNt5BOjdr8ZRY08Zg@mail.gmail.com>
In-Reply-To: <CAGvU-a7Mpn9Wrie=QEftsZrojQAcwysnQgNt5BOjdr8ZRY08Zg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/OZDAIhdD_bUhqTuZRIyqZtIJRGQ
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Poly1305 and timing attacks

Hi Yoav,

I disagree with the argument as it is currently stated. Suppose 96 bits of a 128-bit MAC key leak via a side channel analysis from a single invocation of the MAC. (Somewhat extreme but within the scope of the scenario you mention.)

Then an active MITM adversary can successfully inject a modified packet for the same key/sequence number with probability 2^{-32}, simply by guessing the missing key bits. That is, the effect of partial key leakage on security is not "null", even in the scenario where keys are only used once.

The argument you cite needs to be more carefully stated to properly account for this weakness.

Cheers

Kenny

Sent from my iPad

On 9 Mar 2014, at 14:56, "Yoav Nir" <ynir.ietf@gmail.com> wrote:

Hi

I mentioned this during the meeting, but there was no discussion on this subject there, so I thought I'd raise it here.

I got a private message in response to draft-nir-cfrg-chacha20-poly1305 that questions the text about constant time implementations for Poly1305. The argument can be outlined as follows:

Side channels in general and timing vulnerabilities in particular are bad because they reveal either parts of the plaintext they work on, or parts of the key that is used. However, Poly1305 works on the ciphertext that is sent on the wire anyway, so exposing that does not matter. Also, Poly1305 requires a different one-time key for each invocation, so revealing some information about that one-time key doesn't matter, because it will not be used again. So in summary, timing attacks on Poly1305 don't matter.

This argument is very attractive to me, because if it is valid, it makes the security considerations much simpler, and significantly reduces the complexity of implementing these algorithms (the "competent" vs "good" coder from slide 2).

So can anyone on this list comment on this argument?

Thanks

Yoav

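As an added illustration of the exchange above (example code, not from either email or from the draft): a Poly1305 implementation checked against the RFC 8439 test vector, plus a scaled-down model of Kenny's scenario in which every bit of the one-time key except the low `unknown_bits` bits of s has leaked. The count it returns is the number of candidate keys whose tag for a modified packet the genuine verifier accepts; it is exactly one out of 2^unknown_bits, which is the 2^{-32} figure for 32 missing bits. The leak model and the modified message are constructed assumptions.

```python
# Poly1305 per RFC 8439 (successor of draft-nir-cfrg-chacha20-poly1305) and a
# constructed model of the partial one-time-key leakage discussed in the thread.
import hmac

P = (1 << 130) - 5          # the Poly1305 prime 2^130 - 5
MASK128 = (1 << 128) - 1


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """Poly1305 tag for msg under a 32-byte one-time key (r || s)."""
    assert len(key) == 32
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # append the 0x01 byte so every block (even a short final one) is a
        # distinct number below 2^130
        n = int.from_bytes(block, "little") | (1 << (8 * len(block)))
        acc = ((acc + n) * r) % P
    return ((acc + s) & MASK128).to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison on the verifier's side."""
    return hmac.compare_digest(poly1305_mac(key, msg), tag)


def forgeries_accepted(key: bytes, forged_msg: bytes, unknown_bits: int) -> int:
    """Constructed leak model: all of the one-time key is known except the low
    `unknown_bits` bits of s. Each candidate key yields one tag for the modified
    packet; count how many of those tags the genuine verifier accepts."""
    s_true = int.from_bytes(key[16:], "little")
    known_s = s_true & ~((1 << unknown_bits) - 1)     # the leaked part of s
    accepted = 0
    for guess in range(1 << unknown_bits):
        cand = key[:16] + (known_s | guess).to_bytes(16, "little")
        if poly1305_verify(key, forged_msg, poly1305_mac(cand, forged_msg)):
            accepted += 1
    return accepted          # exactly 1: one guess in 2^unknown_bits succeeds


# RFC 8439 section 2.5.2 test vector
KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                    "0103808afb0db2fd4abff6af4149f51b")
MSG = b"Cryptographic Forum Research Group"
TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    assert poly1305_verify(KEY, MSG, TAG)
    print(forgeries_accepted(KEY, MSG + b"!", 8), "of", 1 << 8, "candidates accepted")
```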