Re: [Cfrg] Poly1305 and timing attacks (clarification)
David Jacobson <dmjacobson@sbcglobal.net> Mon, 10 March 2014 15:32 UTC
Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 411871A0438 for <cfrg@ietfa.amsl.com>; Mon, 10 Mar 2014 08:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hteqkb1juWWW for <cfrg@ietfa.amsl.com>; Mon, 10 Mar 2014 08:32:20 -0700 (PDT)
Received: from nm6-vm5.access.bullet.mail.bf1.yahoo.com (nm6-vm5.access.bullet.mail.bf1.yahoo.com [216.109.114.148]) by ietfa.amsl.com (Postfix) with ESMTP id C7B4B1A01AD for <cfrg@irtf.org>; Mon, 10 Mar 2014 08:32:19 -0700 (PDT)
Received: from [66.196.81.156] by nm6.access.bullet.mail.bf1.yahoo.com with NNFMP; 10 Mar 2014 15:32:14 -0000
Received: from [98.138.104.97] by tm2.access.bullet.mail.bf1.yahoo.com with NNFMP; 10 Mar 2014 15:32:13 -0000
Received: from [127.0.0.1] by smtp117.sbc.mail.ne1.yahoo.com with NNFMP; 10 Mar 2014 15:32:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s1024; t=1394465533; bh=9fDa9lgLMyKYyOjvCKrMdNCH3Zf6DyPQ4/KGkhvtuB0=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type; b=QuBy7UnO2S0RPHyEd6/lKdDFBSEDzk/oyeHUKrzpudoPmxkGUS2f7mCbOJTiKP4oT/l6FDaVAsGLcScejxVq8kjdnVIC/diWY4AKJ7FyfPHfzYpSo8ArAJKQ5byyysxuq/V8ZqC5vWUrNrXcPUuadOxTaoO3L563Clv5wi6+wAs=
X-Yahoo-Newman-Id: 731579.62720.bm@smtp117.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: m_b3bHMVM1lHLatptuGTbFQMGzzJcmP0xh72mOCgA5uUzS6 ngA574cj9zOppmCDl2bmpcBQc2ZGTojrDxB5ZaXx02QqNQJ_e4Q6hxAqmkDz V84ZgnCj6_54z_PxDjX_qW2N9ImzlW2CtuTVs18P_eRlKmOCwPtrJTSeiaE8 tKWyuz66y5HcGY5YFxpdBEMxxuFdvp.7g36E6RfgS9IYeFyjVdc2iR2A99qn LznSEQ3eogfquNC.1688IHJjoP3po2qGH9WYe39.H6M3TbtvdH19XVgVhrlf uLt9Q.3XlhwJM92aalS4ppI.RGYxZxvyi5rKsTBaTPofCs6J.KC1Onr95iqd sz7Y.5hvEeBYXDiCS3rf9jRGgoVvycrMxZVRFQQBKIf_m1DqDKFfd0nTmr_q BnVVfoDYmmLQaAc6oBPIJdNAZVtkZ0HDoteZJNQ1aC3pncA0YKa_CterTEuZ ih0EmvpS6LKRq8BOYzqz0j1.9tjtm6uJjP7d7jWXdgyKAxUUP9C7gAaAfRJG WPKXObA2T0UOE33FO3yPIDnOgoSnPVYjLGyUcPmtKsKiN6KWUEz.ujDrOyrT JVstCoSohIFUmyEvq
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
X-Rocket-Received: from [192.168.1.64] (dmjacobson@99.120.97.155 with plain [98.138.84.52]) by smtp117.sbc.mail.ne1.yahoo.com with SMTP; 10 Mar 2014 15:32:13 +0000 UTC
Message-ID: <531DDAFA.3030403@sbcglobal.net>
Date: Mon, 10 Mar 2014 08:32:10 -0700
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, Watson Ladd <watsonbladd@gmail.com>
References: <CAGvU-a7Mpn9Wrie=QEftsZrojQAcwysnQgNt5BOjdr8ZRY08Zg@mail.gmail.com> <CACsn0ckrTB37jB4Apj7GxAZUjou_=RUj7j4dgFeWpqxS4HKq6Q@mail.gmail.com> <CA0A4F63-89AB-4AC2-8955-E3C575E3B01C@gmail.com> <CACsn0cmNA15ZM9S2s73oTtKGH5SujSef9_3ez12jzg934HW9ow@mail.gmail.com> <CAGvU-a4m+ZVw6Gsq-_hPX_aLTajKkHD31G++otx5B-xu1vJ78g@mail.gmail.com> <531DCE48.1010300@sbcglobal.net>
In-Reply-To: <531DCE48.1010300@sbcglobal.net>
Content-Type: multipart/alternative; boundary="------------020504000707060104030908"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/p1o0mv21knoQnCPvMzCjRNw9xlc
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Poly1305 and timing attacks (clarification)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Mar 2014 15:32:23 -0000
On 3/10/14 7:38 AM, David Jacobson wrote: > On 3/10/14 6:19 AM, Yoav Nir wrote: >> >> >> >> On Mon, Mar 10, 2014 at 12:48 AM, Watson Ladd <watsonbladd@gmail.com >> <mailto:watsonbladd@gmail.com>> wrote: >> >> On Sun, Mar 9, 2014 at 3:00 PM, Yoav Nir <ynir.ietf@gmail.com >> <mailto:ynir.ietf@gmail.com>> wrote: >> > >> > On Mar 9, 2014, at 6:45 PM, Watson Ladd <watsonbladd@gmail.com >> <mailto:watsonbladd@gmail.com>> wrote: >> <snipped agreement> >> > >> >> For Poly1305 as used in this draft, I am very, very hesitant about >> >> approving any draft that says not-constant time is okay. >> However, if >> >> the entire keys are being generated pseudorandomly, then I >> think, if >> >> the side channel isn't gratuitously large, it's possibly safe. >> Saying >> >> anything more concrete would require a lot of painful analysis >> of what >> >> is leaked and how it can be used. >> >> >> >> Personally, I don't understand why making the crypto not constant >> >> time, and thus open to attacks, simplifies the security >> >> considerations. It might make the job of the implementor >> easier, but >> >> it makes the job of the person who builds on top harder. >> > >> > It makes the security considerations simpler because it makes >> all the talk about constant time implementations go away and >> eliminates the need for pointing people at how to accomplish >> this. I agree I probably can't do this, as this implementation >> might later be used as part of a library for other things. It's >> not generally good to instruct people on how to make an >> implementation with a warning label (that they will later ignore). >> >> Well, I have to fundamentally disagree with this. A constant-time, >> constant-memory access, constant-control flow implementation is far >> more reassuring than one which doesn't have these properties. >> >> >> Hey, no need to pile it on. You've already convinced me that the text >> needs to stay. >> >> Do you have a reference I can point to on how to make the Poly1305 >> calculations constant-time? >> >> Yoav >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> http://www.irtf.org/mailman/listinfo/cfrg > I do want to disagree with this approach that everything should be > constant time. > > Sometimes the constant time approach is very onerous and inefficient. > > For example, the binary method of inversion in a prime modulus field > makes many data-dependent branches and the running time is not > constant. The constant time approach is to do a modular > exponentiation to the p-2 power, which is very expensive. But is is > really easy to compute b * inverse(b*x), where b is a randomly chosen > blinding value. > > In other cases it doesn't matter at all. > > For example (and I mentioned this just a couple of days ago) consider > the case of picking a random field element in a prime modulus field, > were the modulus p is public. Just pick random values less that the > smallest power of 2 >= p-1 Repeat until you have a value < p. That > doesn't run in constant time, but it is perfectly safe. The reason is > that all it does is at worst reveal something about random numbers > that you are not going to use. (Watson objected to this, but his > objection was based on the distinctly different problem of getting a > workable non-random value based on some other secret, as you might > want to do for k in ECDSA.) > > So in summary, I think it better to say that good crypto-engineering > practice requires the avoidance of data-dependent branches and array > indexes unless the data does not depend on any secret or is blinded. > This is a simple rule that doesn't require complicated analysis. > > --David Jacobson Before somebody else pounces on me and tries to generalize to demolishing my entire point, one more condition needs to be added. And that is that in things like the discard method where the generated value is going to be a secret, it is sensitive right from the beginning of its generation. Thus the generation and validation of a successful candidate must run in constant time. --David
- Re: [Cfrg] Poly1305 and timing attacks Paterson, Kenny
- [Cfrg] Poly1305 and timing attacks Yoav Nir
- Re: [Cfrg] Poly1305 and timing attacks Watson Ladd
- Re: [Cfrg] Poly1305 and timing attacks Yoav Nir
- Re: [Cfrg] Poly1305 and timing attacks Watson Ladd
- Re: [Cfrg] Poly1305 and timing attacks Yoav Nir
- Re: [Cfrg] Poly1305 and timing attacks David Jacobson
- Re: [Cfrg] Poly1305 and timing attacks (clarifica… David Jacobson
- Re: [Cfrg] Poly1305 and timing attacks Watson Ladd