IETF Logo Mail Archive

Re: [CFRG] Psychic Signatures

Mike Hamburg <mike@shiftleft.org> Sat, 23 April 2022 16:37 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78CF13A1576 for <cfrg@ietfa.amsl.com>; Sat, 23 Apr 2022 09:37:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=shiftleft.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 96g4giqq2zUp for <cfrg@ietfa.amsl.com>; Sat, 23 Apr 2022 09:36:58 -0700 (PDT)
Received: from wanderer.shiftleft.org (wanderer.shiftleft.org [45.79.68.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F5513A1578 for <Cfrg@irtf.org>; Sat, 23 Apr 2022 09:36:57 -0700 (PDT)
Received: from smtpclient.apple (unknown [IPv6:2601:647:5800:e580:4cca:2ac6:91e9:4ca4]) (Authenticated sender: mike) by wanderer.shiftleft.org (Postfix) with ESMTPSA id 16419401AC; Sat, 23 Apr 2022 16:36:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shiftleft.org; s=sldo; t=1650731816; bh=Lcu+DZbu5ejsmLGqp5J7j7T1wlXBz+0DZN5RLVHmVhM=; h=From:Subject:Date:References:Cc:In-Reply-To:To:From; b=QGrJAx2N8LB3eY1nGhuXgXxQhlrBMtBwOG3WmjteAaQ6qntDwI7dAxa/O6X+2lfT/ 1uRT6f5XsuW2vJRqKeDKc+BV8yiB+ueVZW/DGZMOzyq2xNDysXiiLKEbeOG0eNY3Vt u6Xq+L5GHwDGso9HdWUOXlRaOjmnl39idDzeOeSk=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mike Hamburg <mike@shiftleft.org>
Mime-Version: 1.0 (1.0)
Date: Sat, 23 Apr 2022 09:36:54 -0700
Message-Id: <B680942B-51D1-484A-8D04-517E9F47CEFD@shiftleft.org>
References: <SY4PR01MB62511432E8453A12BC15F472EEF69@SY4PR01MB6251.ausprd01.prod.outlook.com>
Cc: Mehmet Adalier <madalier@antarateknik.com>, IRTF CFRG <Cfrg@irtf.org>
In-Reply-To: <SY4PR01MB62511432E8453A12BC15F472EEF69@SY4PR01MB6251.ausprd01.prod.outlook.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
X-Mailer: iPhone Mail (19E258)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Xrxu8xTiMiT1O6glSmxaLAO9Q88>
Subject: Re: [CFRG] Psychic Signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Apr 2022 16:37:05 -0000


> On Apr 23, 2022, at 03:58, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> 
> Mike Hamburg <mike@shiftleft.org> writes:
> 
>> As someone with experience in ECC implementation, this doesn’t make sense to
>> me, at least not in a typical deployment (prime-order curves with (x,y) both
>> given).
> 
> It doesn't surprise me too much.  Many years ago I did an informal poll of a
> number of embedded systems crypto users asking if they wanted RSA blinding, a
> fairly cheap operation compared to the rest of the RSA op, enabled by default
> rather than as something that had to be explicitly enabled by users,
> explaining the security impact (considerable) and the performance impact
> (relatively low).  The results are shown in the following bar graph:
> 
>  Should blinding be enabled by default?
> 
>  No: ##############################################################
>  Yes:
> 
> From the few people who responded to followup questions the thinking seemed to
> be "this causes overhead, overhead is bad, it's unlikely someone will try an
> attack like that anyway, so we'd rather not have it".
> 
> So yeah, skipping the validity checks doesn't surprise me.  OTOH if you just
> put them in there and don't tell anyone, no-one will complain.  Or even
> notice (so far).
> 
> Peter.

Yeah, that does make sense. I guess shoddy programming doesn’t surprise me — I’m sure I’ve done some myself — but saving 0.1% of the runtime isn’t a good reason at all.

In their defense, in many protocols you trust the other party’s public key to some degree before using it (having checked a cert or whatever), especially for ECDSA, so you might not think it’s security relevant to validate it.

ECDHE is of course much more dangerous, especially since it’s sometimes used for authenticated key exchange (as in eg Noise). 

— Mike

v2.23.0 | Report a Bug | By Email