Re: [Cfrg] A downside of deterministic DL signatures?

Dan Brown <dbrown@certicom.com> Fri, 01 August 2014 17:46 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5FF41B2883 for <cfrg@ietfa.amsl.com>; Fri, 1 Aug 2014 10:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4R4sbARCfdis for <cfrg@ietfa.amsl.com>; Fri, 1 Aug 2014 10:46:53 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id F1D091A028A for <cfrg@irtf.org>; Fri, 1 Aug 2014 10:46:52 -0700 (PDT)
Received: from xct108cnc.rim.net ([10.65.161.208]) by mhs210cnc.rim.net with ESMTP/TLS/AES128-SHA; 01 Aug 2014 13:46:50 -0400
Received: from XCT114CNC.rim.net (10.65.161.214) by XCT108CNC.rim.net (10.65.161.208) with Microsoft SMTP Server (TLS) id 14.3.174.1; Fri, 1 Aug 2014 13:46:49 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT114CNC.rim.net ([::1]) with mapi id 14.03.0174.001; Fri, 1 Aug 2014 13:46:49 -0400
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] A downside of deterministic DL signatures?
Thread-Index: Ac+rb+PUesNdwNFqRVehQhB5J3d3gQBEciMAAAyh2gAAE9xHAAAAfjaAAAfkJwAAIdFssA==
Date: Fri, 1 Aug 2014 17:46:47 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5CC6690@XMB116CNC.rim.net>
References: <20140729205846.6639765.71649.17355@certicom.com> <CAHOTMVJ4AirY+tRnVfwt1umgx=Q2xNwVTks6OoVNaV0gkKihOg@mail.gmail.com> <947D45A1-AF36-470B-8D50-7600FEF7FB30@shiftleft.org> <CAHOTMVJYr=S1fXXSYCHDJz2m6sn10uQ=ztXT7htW1m53qEZHog@mail.gmail.com> <53DA7B79.70709@fifthhorseman.net> <CAHOTMVKb8w2TeTpoZsMnJHtspp+xZrO-Ug7YpqUqW2Bc5itNmQ@mail.gmail.com>
In-Reply-To: <CAHOTMVKb8w2TeTpoZsMnJHtspp+xZrO-Ug7YpqUqW2Bc5itNmQ@mail.gmail.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.250]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_0035_01CFAD8F.0A05BAF0"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/jU3q5zL5LOK_OZG631Bw-hSflwg
Subject: Re: [Cfrg] A downside of deterministic DL signatures?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Aug 2014 17:46:55 -0000

I was also asking if pre-computing kG is useful as a secondary side-channel 
countermeasure, which occurred to me upon skimming:



http://eprint.iacr.org/2011/232



As I understand the abstract of that paper, the implemented form Montgomery 
ladder was not constant time. This resulted in an exploitable side channel. 
They describe a simple fix.  But in the event of other possible side channels, 
such as those arising from bugs and underlying system quirks (whatever 
acceleration the system tries to provide), does it make sense to use some 
secondary independent side-channel countermeasures?  For example, does 
computing the ECDSA signature component kG at the start of the TLS handshake 
in parallel with other operations, such as the ECDHE computations and so on, 
have any potential help by blurring any timing information?



Best regards,



Dan





From: Tony Arcieri [mailto:bascule@gmail.com]
Sent: Thursday, July 31, 2014 5:09 PM
To: Daniel Kahn Gillmor
Cc: Michael Hamburg; Dan Brown; IRTF Crypto Forum Research Group
Subject: Re: [Cfrg] A downside of deterministic DL signatures?



On Thu, Jul 31, 2014 at 10:23 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> 
wrote:

neither of these required nationstate-level effort, and they date back

to 2008.



Okay, let me put it this way instead:



Collisions:



- Can be used to alter the content of individual messages

- This requires that the design of the hash function itself be broken



Bad nonces:



- Leak the private key which can then be used to forge as many messages as you 
wish

- Can be the result of bad RNGs/implementation errata even if the algorithm 
and the rest of its implementation is sound



Which is worse?



-- 
Tony Arcieri