Re: [CFRG] Psychic Signatures

Mike Hamburg <mike@shiftleft.org> Mon, 25 April 2022 08:54 UTC

From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <0c31c1cf-7976-936e-be03-b43f86a30786@bouncycastle.org>
Date: Mon, 25 Apr 2022 01:54:18 -0700
Cc: cfrg@irtf.org
Message-Id: <3CC6FBA1-F177-42F1-80CE-F5A114F78BCD@shiftleft.org>
References: <SY4PR01MB62519FEA53D39AABAF0BD0F4EEF49@SY4PR01MB6251.ausprd01.prod.outlook.com> <2CBA5AE5-DF84-4E9C-85DA-4DC38464710A@ericlagergren.com> <SY4PR01MB6251CA4D5F7C83FA564FD204EEF49@SY4PR01MB6251.ausprd01.prod.outlook.com> <2438a7cd-e0f7-685b-ad47-e9ba5995a5a0@mail.muni.cz> <87FFD633-DAF5-44B8-A2BF-55B547616560@dmjacobson.com> <SY4PR01MB62519B1EE1177740A9FE4C22EEF79@SY4PR01MB6251.ausprd01.prod.outlook.com> <3690036F-3BBD-4B73-A5B1-0007DFBD5346@antarateknik.com> <8AD748B7-8C0F-4254-8A15-78E36C524E12@shiftleft.org> <0c31c1cf-7976-936e-be03-b43f86a30786@bouncycastle.org>
To: Peter Dettman <peter.dettman@bouncycastle.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/kfAtjgLqlG6qdMMFTepvfIbIWDQ>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>


> On Apr 25, 2022, at 12:26 AM, Peter Dettman <peter.dettman@bouncycastle.org> wrote:
> 
> On 4/22/2022 11:09 PM, Mike Hamburg wrote:
>> There is a cost in less common deployments.  If you have to check the order of the public key, because the curve has a cofactor, then this costs at least a Jacobi symbol but often much more.
> 
> At least this paper [1] proposes (in the context of a fault attack) that the full scalar multiplication shouldn't be skipped, even with cofactor 1. Note: this paper was apparently withdrawn from eprint (reasons unknown to me), but a title search will find copies elsewhere.
> 
> Regards,
> Pete Dettman
> 
> [1] "A new weak curve fault attack on ECIES: embedded point validation is not enough during decryption". https://eprint.iacr.org/2021/516


Their proposed countermeasure is to check that G is on the curve, and/or scalar masking, not to check the full scalar multiplication.  If you don’t have to check what subgroup you’re in, then even a very comprehensive on-curve check will be much cheaper than an entire extra scalar multiplication.

Also, I was assuming we were talking about embedded systems not designed to resist fault attacks, since the question is about validating the input at all.  If you’re aiming to resist fault or even side-channel attacks, input validation is a must (assuming there is such a thing as an invalid input).  To resist faults you're also checking several other things, possibly continuously or at many points throughout the operation.  Complexity and performance and area will suffer, but fault resistance is intrinsically hard and expensive.

Regards,
— Mike
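The cost comparison and the weak-curve fault discussed above, as an added worked example that is not code from this thread, from the cited paper, or from any library. It uses a constructed toy curve E: y^2 = x^3 + x + 1 over F_23 (group order 28 = 4 * 7, so cofactor 4 and a prime-order subgroup of order 7) and shows, with a group-operation counter: the x-only Legendre-symbol check (the "Jacobi symbol" cost), the full on-curve check, and the subgroup check done as a scalar multiplication by the subgroup order; that the on-curve check accepts the order-2 point (4, 0) which only the subgroup check rejects; and a simple model of a fault after validation (one bit of x flipped before the multiplication, assumed here as the fault model) in which the affine addition formulas, which never use b, carry the faulted point onto a curve of small order, so the secret scalar can be brute-forced from the output, while a cheap on-curve check of the result detects the fault. Function names and the fault model are this example's own assumptions.

```python
# Added example (not from the thread or the cited paper). Constructed toy curve:
#   E: y^2 = x^3 + a*x + b over F_p with p = 23, a = b = 1,  #E = 28 = 4 * 7.
p, a, b = 23, 1, 1
O = None                      # point at infinity
GROUP_OPS = [0]               # number of add() calls, used to compare costs


def on_curve(P, b_=b):
    """Full on-curve check: a few field multiplications, no group operation."""
    if P is O:
        return True
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - (x ** 3 + a * x + b_)) % p == 0


def legendre(v):
    """Legendre symbol of v mod p: 0, 1 or p-1 (meaning -1). One exponentiation."""
    return pow(v % p, (p - 1) // 2, p)


def valid_x(x):
    """x-only check: x is the abscissa of a point on E rather than on its twist."""
    return legendre(x ** 3 + a * x + b) in (0, 1)


def add(P, Q):
    """Affine group law. b never appears, so the same formulas also work on
    every curve y^2 = x^3 + a*x + b' (this is what an invalid point exploits)."""
    GROUP_OPS[0] += 1
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, P):
    """Double-and-add: about 2*log2(k) group operations, each with an inversion."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def order(P):
    k, Q = 1, P
    while Q is not O:
        Q, k = add(Q, P), k + 1
    return k


def curve_points(b_):
    """Enumerate y^2 = x^3 + a*x + b_ over F_p (only feasible for a toy p)."""
    return [O] + [(x, y) for x in range(p) for y in range(p)
                  if (y * y - (x ** 3 + a * x + b_)) % p == 0]


h, n = 4, 7                   # cofactor and prime subgroup order of E


def in_prime_subgroup(P):
    """The expensive check: a full scalar multiplication by n."""
    return mul(n, P) is O


def count_ops(fn, *args):
    """Return (fn(*args), number of group operations that call used)."""
    before = GROUP_OPS[0]
    result = fn(*args)
    return result, GROUP_OPS[0] - before


def fault_after_validation(d, P, flip=1):
    """Assumed fault model: P passes the on-curve check, then one bit of x is
    flipped before d*P is computed. Returns (wrong output, faulted point)."""
    assert on_curve(P)
    x, y = P
    faulted = (x ^ flip, y)   # lies on y^2 = x^3 + a*x + b' for some b' != b
    return mul(d, faulted), faulted


def recover_scalar(faulted, output):
    """Attacker side: the faulted point has small order r on its own curve,
    so d mod r is found by brute force. Returns (d mod r, r)."""
    r = order(faulted)
    return next(j for j in range(r) if mul(j, faulted) == output), r
```

With the subgroup generator G = 4 * (0, 1) = (13, 16) and private scalar d = 5, the flipped point (12, 16) lands on y^2 = x^3 + x + 11, where it has order 11 > 7, so the single wrong output (7, 4) gives d back exactly. On_curve(output) is false, which is the check Mike refers to being far cheaper than a second scalar multiplication: zero group operations against six for mul(n, G) on this curve.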