Re: [Cfrg] Side channel attack and Edwards curves...

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 05 July 2017 23:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/lM0kLEW4N7-ZEM0p1lktbONaVbs>

On Wed, Jul 5, 2017 at 6:01 PM, Tony Arcieri <bascule@gmail.com> wrote:

> On Wed, Jul 5, 2017 at 11:38 AM, Phillip Hallam-Baker <
> phill@hallambaker.com> wrote:
>
>> Just another side channel attack and not something that bothers me
>> writing reference code. But have we maybe put our eggs in the Montgomery
>> ladder basket when maybe we should have gone for 'randomly split the
>> private key into two parts, perform two separate multiplications with each
>> part and add the result'.
>>
>
> I'm not sure why you're talking about Montgomery vs Edwards here. This is
> a Flush+Reload attack similar to:
>

You can blind in either. But if you are going to blind then a lot of the
advantages of Montgomery start to collapse, because you have to do that add
stage.

> - "Just A Little Bit": https://eprint.iacr.org/2014/161.pdf
> - "Just A Little Bit More": https://eprint.iacr.org/2014/434.pdf
> - Cachebleed: https://eprint.iacr.org/2016/224.pdf
>
> If there was a conclusion I drew from these attacks, it's the need to
> include random values, as the security proofs say we should do.
>
> I will note that BoringSSL was not vulnerable to Cachebleed because they
> continued to use random blinding in addition to Intel's allegedly "constant
> time" RSA code. Though many are quick to dismiss it, random blinding seems
> to provide defenses against a multitude of attacks, not just cache timing
> but DPA as well.
>
> --
> Tony Arcieri
>
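The "randomly split the private key into two parts" blinding sketched in the quoted message, as an added example that is not from this thread: it uses the Ed25519 twisted Edwards curve (constants from RFC 8032) because its addition law is complete, which is exactly the "add stage" that an X-only Montgomery ladder does not give you for free. The scalar multiplication is plain double-and-add for readability; what the block demonstrates is that each call multiplies by two fresh random shares of `k` and still returns `k*P`.

```python
import secrets

# Ed25519's twisted Edwards curve: -x^2 + y^2 = 1 + D*x^2*y^2 over GF(P)
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
L = 2**252 + 27742317777372353535851937790883648493  # prime order of B
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
IDENTITY = (0, 1)


def on_curve(pt):
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def add(p1, p2):
    # Complete affine addition: valid for every pair of points, including
    # doubling and adding the identity, so this stage needs no special cases.
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return (x3, y3)


def scalar_mult(k, pt):
    # Plain double-and-add, written for clarity, not constant time: the
    # blinding around it is the point of the example, not the ladder itself.
    acc = IDENTITY
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def blinded_scalar_mult(k, pt, rng=secrets.randbelow):
    # Split k into two shares modulo the group order (k1 random, k2 = k - k1),
    # multiply by each share separately, then add the two partial results.
    # Neither multiplication ever handles the long-term scalar k, and the
    # shares are different on every call.
    k1 = rng(L)
    k2 = (k - k1) % L
    return add(scalar_mult(k1, pt), scalar_mult(k2, pt))
```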