[Cfrg] Side channel attack and Edwards curves...

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 05 July 2017 18:38 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 05 Jul 2017 14:38:18 -0400
To: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] Side channel attack and Edwards curves...
Message-ID: <CAMm+LwiDbjq7nENzvqKGmsQnz=y49nBSVhU0boddtbz3dJAHfw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/V1JXfnf05uE88huYaQVKi7iZ6mY>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

http://thehackernews.com/2017/07/gnupg-libgcrypt-rsa-encryption.html?m=1

Just another side channel attack and not something that bothers me writing
reference code. But have we maybe put our eggs in the Montgomery ladder
basket when maybe we should have gone for 'randomly split the private key
into two parts, perform two separate multiplications with each part and add
the result'.

We can play the blinding game in Edwards or Montgomery but it is easier in
Edwards.

Anyone got code for adding points in compressed Montgomery?

Thoughts?
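The key-splitting blinding described above, worked through on Ed25519 in plain affine coordinates. This is an added example, not code from the original post: the curve constants and base-point recovery follow RFC 8032, while the function names and the split_scalar_mult helper are my own. It checks that a random split k = k1 + k2 (mod L), two separate multiplications and one addition give the same point as a single multiplication by k.

```python
import secrets

# Ed25519 (RFC 8032): twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p)
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p
L = 2**252 + 27742317777372353535851937790883648493  # prime order of the base-point subgroup
IDENTITY = (0, 1)                                      # neutral element of the Edwards group

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    """Complete affine addition: the same formula handles doubling and the identity
    because d is a non-square, so the denominators never vanish."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def scalar_mult(k, P):
    """Plain left-to-right double-and-add. Its branch on each bit is exactly the kind of
    leak the post worries about; the countermeasure below is the scalar split, not this loop."""
    R = IDENTITY
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R

def base_point():
    """Recover B = (x, 4/5) with x even, using the p = 5 (mod 8) square root of RFC 8032 5.1.3."""
    y = 4 * pow(5, -1, p) % p
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p   # candidate squared to -x2: multiply by sqrt(-1)
    if x & 1:
        x = p - x                              # take the even ("positive") root
    return (x, y)

def split_scalar_mult(k, P):
    """Blinded multiplication: fresh random k1, k2 = k - k1 (mod L), two independent
    multiplications, one addition. Neither partial scalar on its own reveals k."""
    k1 = secrets.randbelow(L)
    k2 = (k - k1) % L
    return add(scalar_mult(k1, P), scalar_mult(k2, P))
```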