Re: [Cfrg] Mishandling twist attacks
"Lochter, Manfred" <manfred.lochter@bsi.bund.de> Mon, 01 December 2014 16:36 UTC
From: "Lochter, Manfred" <manfred.lochter@bsi.bund.de>
Organization: BSI Bonn
To: cfrg@irtf.org
Date: Mon, 01 Dec 2014 17:35:48 +0100
User-Agent: KMail/1.9.10 (enterprise35 20140205.23bb19c)
References: <20141128014059.26622.qmail@cr.yp.to>
In-Reply-To: <20141128014059.26622.qmail@cr.yp.to>
Message-ID: <201412011735.49243.manfred.lochter@bsi.bund.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/VFDzgQTm4dOQe3qvNNd2h4VvpT4
Subject: Re: [Cfrg] Mishandling twist attacks
>
> There's a long tradition of blaming the implementor for the resulting
> security failures: it's the implementor's fault for not writing
> constant-time code, for not checking for exceptional cases, etc.
>
> However, we've known for many years how to _change the crypto_ to avoid
> all of these implementation pitfalls. Specifically, we
>
>
>
> * always set the top bit of scalars so that an input-length-agnostic
> variant of the Montgomery ladder doesn't create a timing leak.
>

On the other hand, this countermeasure is quite dangerous when applied during signature generation. It may leak parts of the ephemeral keys, which in turn allows lattice attacks. (The most dangerous situation being SW which is used in a protected environment, where only timing attacks are seen as a danger.)

Manfred

--
Lochter, Manfred
--------------------------------------------
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Referat K21
Godesberger Allee 185 -189
53175 Bonn
Postfach 20 03 63
53133 Bonn
Telefon: +49 (0)228 99 9582 5643
Telefax: +49 (0)228 99 10 9582 5643
E-Mail: manfred.lochter@bsi.bund.de
Internet: www.bsi.bund.de
www.bsi-fuer-buerger.de
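Added example, not code from this thread, from BSI or from any curve library: the quoted top-bit countermeasure next to the length-agnostic ladder it was meant to fix, and next to a swapped-in alternative the thread does not mention (adding the group order once or twice so every scalar has the same bit length without changing the resulting group element or the nonce). The Montgomery ladder is group-agnostic, so modular exponentiation in a constructed toy group Z_P^* stands in for the curve arithmetic; P, N, G and the sample scalar are constructed values.

```python
# Constructed toy group: Z_P^* under multiplication, order N = P - 1; it
# stands in for the curve group since the ladder itself is group-agnostic.
P = 1000003        # constructed prime modulus
N = P - 1          # group order: g**N == 1 (mod P) for every g
G = 2              # toy base element (analogue of the curve generator)
L = N.bit_length() # bit length of the group order (20 bits here)

def ladder(base, k, nbits):
    """Montgomery ladder over exactly nbits bits, high bit first.
    Returns (base**k mod P, number of ladder steps taken)."""
    r0, r1 = 1, base
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = r0 * r1 % P, r1 * r1 % P
        else:
            r0, r1 = r0 * r0 % P, r0 * r1 % P
    return r0, nbits

def ladder_length_agnostic(base, k):
    """The variant the thread warns about: step count, hence timing,
    follows bit_length(k), i.e. the scalar's leading zeros."""
    return ladder(base, k, k.bit_length())

def force_top_bit(k):
    """The quoted countermeasure: pin the top bit so all scalars share a
    length. Harmless for a static DH key; applied to a signature nonce it
    replaces k by a value with one known bit (the leak Lochter refers to)."""
    return k | (1 << (L - 1))

def fixed_length_scalar(k):
    """Swapped-in alternative, not from the thread: add the group order
    once or twice so every scalar has exactly L + 1 bits. base**k is
    unchanged because base**N == 1, so a nonce keeps its full entropy."""
    k1 = k + N
    return k1 if k1.bit_length() == L + 1 else k + 2 * N

def compare(k):
    """For one scalar k: effect of each treatment on the group element
    and on the ladder step count."""
    ref = pow(G, k, P)
    fixed_val, fixed_steps = ladder(G, fixed_length_scalar(k), L + 1)
    return {
        "forced_top_bit_changes_value": pow(G, force_top_bit(k), P) != ref,
        "fixed_length_preserves_value": fixed_val == ref,
        "steps_length_agnostic": ladder_length_agnostic(G, k)[1],
        "steps_fixed_length": fixed_steps,
    }

if __name__ == "__main__":
    print(compare(12345))   # constructed short nonce (14 bits of 20)
```

With the constructed 14-bit scalar, the length-agnostic ladder runs 14 steps, the fixed-length scalar always runs L + 1 = 21 steps and still yields G**k, while forcing the top bit yields a different group element, which for a nonce means a different, partly known k.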