IETF Logo Mail Archive

Re: [Cfrg] Poly1305 and timing attacks

Yoav Nir <ynir.ietf@gmail.com> Sun, 09 March 2014 22:00 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 552711A03A4 for <cfrg@ietfa.amsl.com>; Sun, 9 Mar 2014 15:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjJeqwPv-HDq for <cfrg@ietfa.amsl.com>; Sun, 9 Mar 2014 15:00:10 -0700 (PDT)
Received: from mail-ea0-x232.google.com (mail-ea0-x232.google.com [IPv6:2a00:1450:4013:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id 4AE7E1A03A1 for <cfrg@irtf.org>; Sun, 9 Mar 2014 15:00:10 -0700 (PDT)
Received: by mail-ea0-f178.google.com with SMTP id a15so3433639eae.9 for <cfrg@irtf.org>; Sun, 09 Mar 2014 15:00:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=vwsSqJ3UhXVbUjGkvJODT1sbUvNEkLpsKUVIjLfgu1k=; b=b+sdUzwufRgx1J6hn5f4FAdAtgVuSAzkBVOFEL4eSCHogkHZjoyN+iO7x3NW73pfPF 8ftHueXU71kLJAqVKhhniBeBWe4cGXrh4eWAb9ENVoaZwnZ0A7q/m7cOtaswfci67tIC LeVSO8nl6iOkP0o7+TjI8wUtjFHwXKFrMSkS5zvsshhiwfNKAUdxmvTu9Kp/RCrAQXQ4 d6SXYAprPB36C1pDQE9lY41IGBw0d8XZ28QI8hwMEWtRFeMP51g5sCDs0LO6IfF90gh2 66z71BRXgFDrSDeEsKU6Zx7bsSBfnUm7HYk3anSA/Xkt1eJiqgCf/DFr7VkDCMFkzO2A PQtA==
X-Received: by 10.14.119.139 with SMTP id n11mr42257eeh.103.1394402404654; Sun, 09 Mar 2014 15:00:04 -0700 (PDT)
Received: from [192.168.1.102] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id 46sm37226966ees.4.2014.03.09.15.00.03 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 09 Mar 2014 15:00:04 -0700 (PDT)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACsn0ckrTB37jB4Apj7GxAZUjou_=RUj7j4dgFeWpqxS4HKq6Q@mail.gmail.com>
Date: Mon, 10 Mar 2014 00:00:03 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA0A4F63-89AB-4AC2-8955-E3C575E3B01C@gmail.com>
References: <CAGvU-a7Mpn9Wrie=QEftsZrojQAcwysnQgNt5BOjdr8ZRY08Zg@mail.gmail.com> <CACsn0ckrTB37jB4Apj7GxAZUjou_=RUj7j4dgFeWpqxS4HKq6Q@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/ZeaVI1o-iI9XY8nAUH0Yu2WvOcY
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Poly1305 and timing attacks
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Mar 2014 22:00:12 -0000

On Mar 9, 2014, at 6:45 PM, Watson Ladd <watsonbladd@gmail.com> wrote:

> 
> An implementation of Poly1305 that isn't constant time imposes a
> significant additional burden on callers to generate the entire key
> pseudorandomly, as opposed to changing the last part. In the AEAD or
> MAC as defined here that's okay.

Understood.

> The place where Poly1305 leaks information is likely in the polynomial
> evaluation. It is acceptable to have (r, s1), (r, s2) ... with r
> unchanging and the s generated pseudorandomly. But in an
> implementation which isn't constant time could eventually reveal r
> over multiple messages.

Agree. However, from what I have heard in both the IPsec and TLS working groups, there is little to no interest in the stand-alone versions of chacha20 and poly1305, only the AEAD combination, So I might divide the security considerations into stuff that is for poly1305 stand-alone, and other considerations for the AEAD, which can possibly be less onerous.

> For Poly1305 as used in this draft, I am very, very hesitant about
> approving any draft that says not-constant time is okay. However, if
> the entire keys are being generated pseudorandomly, then I think, if
> the side channel isn't gratuitously large, it's possibly safe. Saying
> anything more concrete would require a lot of painful analysis of what
> is leaked and how it can be used.
> 
> Personally, I don't understand why making the crypto not constant
> time, and thus open to attacks, simplifies the security
> considerations. It might make the job of the implementor easier, but
> it makes the job of the person who builds on top harder.

It makes the security considerations simpler because it makes all the talk about constant time implementations go away and eliminates the need for pointing people at how to accomplish this. I agree I probably can’t do this, as this implementation might later be used as part of a library for other things. It’s not generally good to instruct people on how to make an implementation with a warning label (that they will later ignore).

> Two sidenotes: IVs are not nonces, and there is a typo where "times
> might be great then 2^256 or less then 2^256”.

Yes, “sometimes” is a single word. 

> Sincerely,
> Watson Ladd
>> 
>> Thanks
>> 
>> Yoav
>> 
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>> 
> 
> 
> 
> -- 
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither  Liberty nor Safety."
> -- Benjamin Franklin

v2.23.0 | Report a Bug | By Email