Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13

Björn Haase <bjoern.m.haase@web.de> Mon, 19 October 2020 09:26 UTC

Return-Path: <bjoern.m.haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC1153A0948 for <cfrg@ietfa.amsl.com>; Mon, 19 Oct 2020 02:26:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.446
X-Spam-Level:
X-Spam-Status: No, score=-0.446 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.247, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YktlM69EXzor for <cfrg@ietfa.amsl.com>; Mon, 19 Oct 2020 02:26:22 -0700 (PDT)
Received: from mout.web.de (mout.web.de [217.72.192.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7050A3A0922 for <cfrg@irtf.org>; Mon, 19 Oct 2020 02:26:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1603099577; bh=y93SqfjEnMgHzjRDJmp1Ynwg8DXAv4NVzWT6NJllWDM=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=FA8R3vKDp2lD7oSTTUdLu0N5RYUIBcjtqJovLQygSGYCQEw+xQp9MBZ6FHUftz/4Q UUrLCHEMBH9G43PwcsJ9RGWi/4huC94OEJJFJnhBGSdjbhhcftCHSJIh1jKBfo/CR6 eLH19yTfnO2DQd4ydG4o5FIzHo2z4nMbTjRfzyHo=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.178.21] ([109.90.104.251]) by smtp.web.de (mrweb102 [213.165.67.124]) with ESMTPSA (Nemesis) id 0MMmx9-1kVn8h48wJ-008aM7; Mon, 19 Oct 2020 11:26:17 +0200
To: Watson Ladd <watsonbladd@gmail.com>, cfrg <cfrg@irtf.org>
References: <CAMr0u6n0SVGpWkBc=ZLMoS-SQZta=TxbUZP13Pq=3QBxdMpUdg@mail.gmail.com> <46021e35-cb24-d372-13a9-9fb8e70c6a74@web.de> <CACsn0ckRcT1EHMQg2uS-aHuR0Ru8otWWQLmmL7q5VengHB8v4g@mail.gmail.com>
From: =?UTF-8?Q?Bj=c3=b6rn_Haase?= <bjoern.m.haase@web.de>
Message-ID: <633ecac9-a4dc-cf9c-0d6f-b3ead71994f5@web.de>
Date: Mon, 19 Oct 2020 11:26:09 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <CACsn0ckRcT1EHMQg2uS-aHuR0Ru8otWWQLmmL7q5VengHB8v4g@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:gWHgY7zDM5VkV5QTBZBaJNGFhm9fxBdBvHMevXCMuo11AUfJZ37 EAFiQI9I8FANwAaggI+MeVWEYfGbwfs9irOGba8wQI6LFVZ9ux+4fiHVAYiO3srSNxW2Qzy ZP9UjyTF8sET9SyG9TT6NeC9jPCHEyhViloS8e8xaOe9xa1qRheQ+1wJcQAuCqkQIEId2KI z0Y0en/JC98RgJqQUXjJw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:XAJplJnZT0g=:uzWNZSW+hMDeScwUydMfOl mHVsrdirkJ0zlMxHlmRD8ba7w0n6ljXjHBZhPc8qOzDxfiyjPFjGuxuHhbsRsAJZk3v5s8oEt qh1dpEkhmlq6onz3NF2JOJuhrDsi3wyZqFkxlMbM6gLUeBhzEg2pkpEBIYqlwXsLKALIX9V20 n8eklaP35ESK7mUTuRyvrU/XF97D7An6xWzlWhX133wJrAhjwfEZcw4BfNPEuP/2KLk3/J5qn xTmHk3vOd5jE2uvfkrcbZwLTlrE/uZXmn1GxkiIYAPPb6xcNW3SCiBa8O9LqIBAUYgfMhhZr2 tsZcZGq4N76b5uWPfR5EroRYiGkF4OmSj4Mq3nOjYEe5rFOJoWuYWAnHvUjvDfNvzao/rsBjs P+a0wtDYXMJSKfAT1MuuCo7CRYtlFhv24wTk/ILA4zEj5M3fjvam8JqbZmO/ibdgoTP2Kf5kb lqpJZiUHXBf84lCjzyQIzVz/T+6VBI2xO0iSEQw1XA6gdoJl611TQDiGIzx4dcEn1/7eaRjiz V3jOOjcymAEwd9u9TX7a7/2mI4bqI6wd+wT1EMl006U4H3CR3AXBgZWP3vRury4p3q44/62Rx lPorRZszIcOmGqMv48dddUTOF2cePkc4KVY8JD8WLsHx+LfIUQ+FE3OtZaA4hrpt55O16Lr5/ ebC3b+SeX3V6TxZBy5vooj2z2Uu7F59Oz1DZwUv9QKcVn48isjCeT4ap2EhyWkmTjCzcH5Evn uZOpfHMpjD1hL0uXZCbgR/zhbXye4cguwyK8lBIq4BfWCOOh6jg8I48j7ZdhOtrfC1UgYzNAt mtwjcgWhzbmEgzJPu5RWNcTDcHc/qbwpo4QGbeGG9W91Bo7H0wl8or6qtyIZZwIekZ5bHdP70 mpV1VHXYHPoX/YmrRNXw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_ltL3Gncv6gwOUylqsS339dWduA>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Oct 2020 09:26:24 -0000

Hi Watson,

 > On 19.10. 2020 Watson Ladd wrote:

>Thank you! I will add such a warning to the security section and
>advise the use of either reduction of a double length string or
>rejection sampling.

Indeed you are right. With my mind focused on "constant time" implementation all the time, I
did discard the cheap option of the rejection sampling too early. In fact, we won't
leak any useful information with rejection sampling even if it's not constant time.

On the other hand there is a non-negligible risk of leakage when reducing a double-length string (in addition to the code bloat).

Therefore I'd advocate to recommend rejection sampling only and not double-length-string reduction
(and this should also be the way to do for CPace on the short-Weierstrass curves).

Still there might worth pointing to the risk of a possible variable-time issue when re-using code from libraries that were written for conventional DH key exchange. I have seen implementations that just set the top-most bit of the secret scalar (loosing half a bit of security) during the sampling process in order to make sure that the windowed scalar multiplication algorithm runs in constant time.

If we have such a scalar multiplication algorithm with a uniformly sampled scalar, there is some risk
of getting a variable execution time behaviour...

Maybe some note in the security section in the form:

"Some scalar multiplication algorithms designed for conventional ECDH key exchange might not run in constant time when using uniformly sampled secret scalars. Implementations should verify this aspect."

could be worthwile.

Yours,

Björn