[Cfrg] Side Channel Attacks Against Curve25519

Thomas Garcia <tgarcia.3141@gmail.com> Sun, 10 September 2017 07:12 UTC

From: Thomas Garcia <tgarcia.3141@gmail.com>
Date: Sun, 10 Sep 2017 08:12:28 +0100
Message-ID: <CAFTSWvdq8p3i20veq=GgHi_rnOS6Wv4dK1xQpJHaPS4r5e5-SQ@mail.gmail.com>
To: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rmlwSKOG-DqxStLWjfVUFA5c7kw>

Hello,
According to [1], the libgcrypt implementation of curve25519 is based on
bignum arithmetic which is not constant-time. A similar issue was raised in
[2], regarding the Go implementation. [1] proposed solving this by
rejecting small order inputs. But this recommendation is problematic [3].
As this issue seems to come up once in a while, I think it should be
addressed. Good crypto should encourage proper implementation, in the sense
that the simplest way of implementing it is the correct way (which isn't
vulnerable to side channel attacks). Curve25519 was developed in accordance
with that philosophy and the addition formulas are well implemented. Can
something similar be done to encourage correct bignum arithmetic? Is it
possible to choose the parameters, such as the prime, such that the
simplest implementation will be less susceptible to side channel attacks?
What I imagine is a prime which would normally have long computation times,
but has a trick that enables simpler addition which is coincidentally
constant time.

Thanks,
Thomas G.

[1] - https://eprint.iacr.org/2017/806
[2] - https://moderncrypto.org/mail-archive/curves/2017/000930.html
[3] - https://twitter.com/hashbreaker/status/902415565435830273
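The post asks for a prime whose reduction step is simple enough that the obvious implementation is also constant time. The Curve25519 prime p = 2^255 - 19 already has that property: 2^255 is congruent to 19 mod p, so canonicalising a 256-bit intermediate is a fold of the top bit plus a single masked subtraction, with no branch on the secret value. The example below is added here for illustration and is not code from the post or from any library; it assumes a compiler with unsigned __int128 (GCC/Clang) and uses four 64-bit little-endian limbs.

```c
#include <stdint.h>

/* A 256-bit integer as four little-endian 64-bit limbs. */
typedef struct { uint64_t v[4]; } u256;

static u256 u256_from(uint64_t a0, uint64_t a1, uint64_t a2, uint64_t a3) {
    u256 r = {{a0, a1, a2, a3}};
    return r;
}

/* Branch-free equality: ORs the limb differences, so it also runs in constant time. */
static int u256_eq(u256 a, u256 b) {
    uint64_t d = 0;
    for (int i = 0; i < 4; i++) d |= a.v[i] ^ b.v[i];
    return d == 0;
}

/* p = 2^255 - 19, as limbs. */
static const u256 P25519 = {{0xffffffffffffffedULL, 0xffffffffffffffffULL,
                              0xffffffffffffffffULL, 0x7fffffffffffffffULL}};

/* Reduce x in [0, 2^256) to its canonical value in [0, p) with no branch or
 * data-dependent memory access. Step 1 folds bit 255 down using 2^255 = 19 (mod p);
 * afterwards x < 2^255 + 19, so step 2 needs at most one subtraction of p, which
 * is computed unconditionally and selected with a mask instead of "if (x >= p)". */
static u256 freeze_ct(u256 x) {
    uint64_t top = x.v[3] >> 63;               /* the 2^255 bit */
    x.v[3] &= 0x7fffffffffffffffULL;
    unsigned __int128 c = (unsigned __int128)19 * top; /* carry chain for x += 19*top */
    for (int i = 0; i < 4; i++) {
        c += x.v[i];
        x.v[i] = (uint64_t)c;
        c >>= 64;
    }
    u256 t;                                     /* t = x - p, always computed */
    uint64_t borrow = 0;
    for (int i = 0; i < 4; i++) {
        t.v[i] = x.v[i] - P25519.v[i] - borrow;
        /* borrow out iff x.v[i] < P.v[i] + borrow_in, written without overflow */
        borrow = (x.v[i] < P25519.v[i]) | ((x.v[i] == P25519.v[i]) & borrow);
    }
    uint64_t mask = borrow - 1;                 /* all ones iff x >= p: keep t */
    for (int i = 0; i < 4; i++)
        x.v[i] = (x.v[i] & ~mask) | (t.v[i] & mask);
    return x;
}
```

The same fold-then-mask shape carries over to the full multiplication in radix-2^51 limbs, which is why the curve's arithmetic can be written without any secret-dependent branch.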