Re: [Cfrg] Mishandling twist attacks

"Lochter, Manfred" <manfred.lochter@bsi.bund.de> Mon, 01 December 2014 16:36 UTC

From: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Organization: BSI Bonn
To: cfrg@irtf.org
Date: Mon, 1 Dec 2014 17:35:48 +0100
References: <20141128014059.26622.qmail@cr.yp.to>
In-Reply-To: <20141128014059.26622.qmail@cr.yp.to>
Message-ID: <201412011735.49243.manfred.lochter@bsi.bund.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/VFDzgQTm4dOQe3qvNNd2h4VvpT4
Subject: Re: [Cfrg] Mishandling twist attacks

>
> There's a long tradition of blaming the implementor for the resulting
> security failures: it's the implementor's fault for not writing
> constant-time code, for not checking for exceptional cases, etc.
>
> However, we've known for many years how to _change the crypto_ to avoid
> all of these implementation pitfalls. Specifically, we
>
>    
>
>    * always set the top bit of scalars so that an input-length-agnostic
>      variant of the Montgomery ladder doesn't create a timing leak.
>

On the other hand, this countermeasure is quite dangerous when applied during 
signature generation. It may leak parts of the ephemeral keys, which in turn 
allows lattice attacks. (The most dangerous situation being SW which is used 
in a protected environment, where only timing attacks are seen as a 
danger.)

Manfred


-- 
Lochter, Manfred
--------------------------------------------
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Referat K21
Godesberger Allee 185 -189
53175 Bonn

Postfach 20 03 63
53133 Bonn

Telefon: +49 (0)228 99 9582 5643
Telefax: +49 (0)228 99 10 9582 5643
E-Mail: manfred.lochter@bsi.bund.de
Internet:
www.bsi.bund.de
www.bsi-fuer-buerger.de
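As an added illustration (not code from either poster), the alternative the reply argues for: a Montgomery ladder that always walks the full bit-width of the group order, so its work does not depend on the scalar's leading zeros and a signature nonce can stay uniformly random in [1, q-1] with no forced top bit. The curve, base point and `ladder`/`naive_mul` names are constructed for this example only; the swap is a plain Python branch, so only the fixed operation count, not real constant-time behaviour, is demonstrated.

```python
P_MOD, A, B = 97, 2, 3   # toy curve y^2 = x^3 + 2x + 3 over F_97 (constructed, insecure)
G = (3, 6)               # base point; 36 == 27 + 6 + 3 (mod 97)

def ec_add(P, Q):
    """Affine addition with None as the point at infinity (toy, not constant time)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                              # P == -Q (covers 2P when y == 0)
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def naive_mul(k):
    """Reference k*G by repeated addition (variable time, only for checking)."""
    R = None
    for _ in range(k):
        R = ec_add(R, G)
    return R

ORDER = 1                                        # order of G, found by brute force
while naive_mul(ORDER) is not None:
    ORDER += 1
WIDTH = ORDER.bit_length()                       # every scalar is walked over this many bits

def ladder(k):
    """Montgomery ladder returning (k*G, group operations performed).
    Always WIDTH iterations of two operations, whether k is 1 or ORDER-1, so a
    short nonce needs no padding or forced top bit. The swap is a Python branch
    for readability; production code uses a masked constant-time cswap."""
    r0, r1, ops = None, G, 0
    for i in reversed(range(WIDTH)):
        bit = (k >> i) & 1
        r0, r1 = (r1, r0) if bit else (r0, r1)   # cswap so the ladder step is uniform
        r1, r0 = ec_add(r0, r1), ec_add(r0, r0)  # R1 = R0 + R1 ; R0 = 2*R0
        ops += 2
        r0, r1 = (r1, r0) if bit else (r0, r1)   # swap back
    return r0, ops

def ladder_cost_is_scalar_independent():
    """True when the ladder does identical work for every nonce in [1, ORDER-1]."""
    return len({ladder(k)[1] for k in range(1, ORDER)}) == 1
```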