Re: [Cfrg] Comments on side channel draft
Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue, 07 January 2014 13:07 UTC
Return-Path: <mpg@elzevir.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 290731AE02B for <cfrg@ietfa.amsl.com>; Tue, 7 Jan 2014 05:07:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.788
X-Spam-Level:
X-Spam-Status: No, score=-1.788 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.538] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IgZyxd5kSXcC for <cfrg@ietfa.amsl.com>; Tue, 7 Jan 2014 05:07:30 -0800 (PST)
Received: from mordell.elzevir.fr (mordell.elzevir.fr [92.243.3.74]) by ietfa.amsl.com (Postfix) with ESMTP id 9510F1AE00F for <cfrg@irtf.org>; Tue, 7 Jan 2014 05:07:29 -0800 (PST)
Received: from thue.elzevir.fr (thue.elzevir.fr [88.165.216.11]) by mordell.elzevir.fr (Postfix) with ESMTPS id BA6D5161F5; Tue, 7 Jan 2014 14:07:19 +0100 (CET)
Received: from [10.102.195.184] (unknown [213.111.4.76]) by thue.elzevir.fr (Postfix) with ESMTPSA id 541F329871; Tue, 7 Jan 2014 14:07:15 +0100 (CET)
Message-ID: <52CBFBFF.5090602@elzevir.fr>
Date: Tue, 07 Jan 2014 14:07:11 +0100
From: Manuel Pégourié-Gonnard <mpg@elzevir.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.1.1
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <CACsn0cnG9O00FCHx8sjOb9bokC-FuuJ2owaPdJA_BerQZHGh1w@mail.gmail.com>
In-Reply-To: <CACsn0cnG9O00FCHx8sjOb9bokC-FuuJ2owaPdJA_BerQZHGh1w@mail.gmail.com>
X-Enigmail-Version: 1.6
OpenPGP: id=98EED379; url=https://elzevir.fr/gpg/mpg.asc
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] Comments on side channel draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2014 13:07:32 -0000
Hi Watson, On 06/01/2014 22:03, Watson Ladd wrote: > http://datatracker.ietf.org/doc/draft-ladd-sidechannel/ > A few comments: 1. Concerning the attack model: In certain scenarios the power generated by individual operations can be effectively measured. This is a very difficult setting to work in, and will not be considered further in this document. But if someone leaves a multimeter in your machine room, watch out! I think the draft might mention that sometimes (smartcards, etc.) the attacker may also be able to inject faults at specific times, which is also a very difficult setting to work in, and will not be considered further in this document. For example, the counter-measure you mention later: Alternatively one uses a standard radix-k multiplication, but to load an entry from the table one reads through the entire table, using the following conditional load code: c=c*bit+a*(1-bit) or some varation thereof. is susceptible to a fault attack: if the attacker causes a corruption when we're reading one entry, the result of the operation will be incorrect if and only if it was the entry we're actually using, which reveals bits of the exponents. Of course, in most circumstances the attackers doesn't have this level of physical access, so this counter-measure is indeed useful as it protects against attacks that require a lesser level of access. 2. Concerning modular inverses: Modular inverses should always be computed through exponentiation: if this is not possible the binary Euclidean algorithm should be run for a constant number of steps, calculated as the number for the worst case. (For reference, the worst case is two consecutive Fibonacci numbers) Do you mean to imply that blinding isn't an option here? I may be mistaken, but I think the following should be OK for computing x^{-1} mod n: r = random(1.. n-1); xb = x * r; xib = inv_mov(xb, n); // using non-constant time Euclidean algorithm xi = xib * r; (Well, that's assuming n is prime. Otherwise the first line should be replaced with "pick r uniformly at random in (Z/nZ)*" obviously.) This is particularly convenient if x happens to be already randomized. 3. Concerning ladders, it might seem obvious, but it is probably useful to mention explicitly that the number of iterations must be fixed (that is, it must not depend on the most significant bit of the scalar). 4. A totally minor point: Freely usable implementations taking these precautions exist for P224, P256, Curve25519, Curve3617, and some GLS/GLV curves with endomorphisms. I didn't look at it very closely, but it seems to me that the 64-bits implementation of P521 in Openssl (crypto/ec/ecp_nistp521.c) qualifies too. 5. A more general question: I wonder if it could be appropriate to add, in an appendix, examples of real code in C and/or other languages for a reliable constant-time way to implement some common operations, as it is not always clear what is constant-time. For example, see the discussion in section 4 of this blog article [1]. The author basically argues that C code such as 'a = (b == c);' hides a branch. According to my experiments, this is not true with recent compilers for the x86 plaftorm (they will use the SETcc instruction rather than a conditional jump, probably because conditional jumps are bad for performance, but in this case it happens to be good for us). [1]: http://rdist.root.org/2010/01/07/timing-independent-array-comparison/ I did not test (yet) on other platforms and/or with other compilers, so it might indeed be true that 'a = (b == c);' hides a branch on some platforms with some compilers. It would be great for developpers to have a central, reliable source of information about such things, rather than having to test themselves, and maybe an appendix in this draft could be a good place for that. Manuel.
- [Cfrg] Comments on side channel draft Watson Ladd
- Re: [Cfrg] Comments on side channel draft David McGrew
- Re: [Cfrg] Comments on side channel draft Manuel Pégourié-Gonnard
- Re: [Cfrg] Comments on side channel draft Watson Ladd
- Re: [Cfrg] Comments on side channel draft Manuel Pégourié-Gonnard