IETF Logo Mail Archive

Re: [Cfrg] Poly1305 and timing attacks

Watson Ladd <watsonbladd@gmail.com> Sun, 09 March 2014 16:45 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E77DF1A025E for <cfrg@ietfa.amsl.com>; Sun, 9 Mar 2014 09:45:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2a9MHU5VCfPM for <cfrg@ietfa.amsl.com>; Sun, 9 Mar 2014 09:45:24 -0700 (PDT)
Received: from mail-yh0-x22e.google.com (mail-yh0-x22e.google.com [IPv6:2607:f8b0:4002:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 2AACE1A0268 for <cfrg@irtf.org>; Sun, 9 Mar 2014 09:45:24 -0700 (PDT)
Received: by mail-yh0-f46.google.com with SMTP id b6so3188675yha.5 for <cfrg@irtf.org>; Sun, 09 Mar 2014 09:45:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=KuKbcgRaclE7nbY0cFudge29evg9HtxxJMsusL2qxp0=; b=Lbyu2QgAEX9B6Mdcy3bur/WW5qpL/eVKLQdFhdgS8Czter5m/xDHc64V6ezQyNm7TG IY71EnCJAvXSEjYUHjYgjxL6xx3DAcg/rKgElTOssuBY8/p64813ETE1v5wjpadZbmih fIqiBMWknQGHsAnZi0ZKM2Y/JP1dGDS4NMeIr/tr/Iay/0ODb4jM6vgdKfR/bG4lCw1P NbmgscFt1irmCtkFvBS6HaXJHcTDUGowg4Dj/+kPRiZE0gklBUfDXWdiMOrs6I6744Yd jZJIipEe0kjfTyScAPjfZRr6uQl88ilxOPNfUsZ0fITZdFeniltVgl22kVrERoywZuTl hVyw==
MIME-Version: 1.0
X-Received: by 10.236.123.38 with SMTP id u26mr5904012yhh.93.1394383518694; Sun, 09 Mar 2014 09:45:18 -0700 (PDT)
Received: by 10.170.80.214 with HTTP; Sun, 9 Mar 2014 09:45:18 -0700 (PDT)
In-Reply-To: <CAGvU-a7Mpn9Wrie=QEftsZrojQAcwysnQgNt5BOjdr8ZRY08Zg@mail.gmail.com>
References: <CAGvU-a7Mpn9Wrie=QEftsZrojQAcwysnQgNt5BOjdr8ZRY08Zg@mail.gmail.com>
Date: Sun, 09 Mar 2014 09:45:18 -0700
Message-ID: <CACsn0ckrTB37jB4Apj7GxAZUjou_=RUj7j4dgFeWpqxS4HKq6Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/hWnw7o7BaX0zF8nuKXzZyCd316A
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Poly1305 and timing attacks
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Mar 2014 16:45:26 -0000

On Sun, Mar 9, 2014 at 7:56 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Hi
>
> I mentioned this during the meeting, but there was no discussion on this
> subject there, so I thought I'd raise it here.
>
> I got a private message in response to draft-nir-cfrg-chacha20-poly1305 that
> questions the text about constant time implementations for Poly1305. The
> argument can be outlined as follows:
>
> Side channels in general and timing vulnerabilities in particular are bad
> because they reveal either parts of the plaintext they work on, or parts of
> the key that is used. However, Poly1305 works on the ciphertext that is sent
> on the wire anyway, so exposing that does not matter. Also, Poly1305
> requires a different one-time key for each invocation, so revealing some
> information about that one-time key doesn't matter, because it will not be
> used again. So in summary, timing attacks on Poly1305 don't matter.
>
> This argument is very attractive to me, because if it is valid, it makes the
> security considerations much simpler, and significantly reduces the
> complexity of implementing these algorithms (the "competent" vs "good" coder
> from slide 2).
>
> So can anyone on this list comment on this argument?

An implementation of Poly1305 that isn't constant time imposes a
significant additional burden on callers to generate the entire key
pseudorandomly, as opposed to changing the last part. In the AEAD or
MAC as defined here that's okay.

The place where Poly1305 leaks information is likely in the polynomial
evaluation. It is acceptable to have (r, s1), (r, s2) ... with r
unchanging and the s generated pseudorandomly. But in an
implementation which isn't constant time could eventually reveal r
over multiple messages.

For Poly1305 as used in this draft, I am very, very hesitant about
approving any draft that says not-constant time is okay. However, if
the entire keys are being generated pseudorandomly, then I think, if
the side channel isn't gratuitously large, it's possibly safe. Saying
anything more concrete would require a lot of painful analysis of what
is leaked and how it can be used.

Personally, I don't understand why making the crypto not constant
time, and thus open to attacks, simplifies the security
considerations. It might make the job of the implementor easier, but
it makes the job of the person who builds on top harder.

Two sidenotes: IVs are not nonces, and there is a typo where "times
might be great then 2^256 or less then 2^256".

Sincerely,
Watson Ladd
>
> Thanks
>
> Yoav
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email