Re: [Cfrg] Constant-time implementations

Watson Ladd <watsonbladd@gmail.com> Tue, 14 October 2014 15:05 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 523F41A88F3 for <cfrg@ietfa.amsl.com>; Tue, 14 Oct 2014 08:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8C3d9BQCjWMk for <cfrg@ietfa.amsl.com>; Tue, 14 Oct 2014 08:05:49 -0700 (PDT)
Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 179C11A88EE for <cfrg@irtf.org>; Tue, 14 Oct 2014 08:05:49 -0700 (PDT)
Received: by mail-yh0-f42.google.com with SMTP id t59so5129416yho.15 for <cfrg@irtf.org>; Tue, 14 Oct 2014 08:05:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=RxIY2O/Fx/iGKuSgzV2IqOAhGam4J4QLam2CZY24vGY=; b=kzCU6GVbgHfZOhLM9m8ecaVuCjymjKs4OXq83IkDOb8jvEvf7PofhqeoU12++gRtv8 foVmVx4wRcuwHqCVhoJN9UxcqO5J17pY8H1XUIig+u/2Uzfh9qDpwOTbjUTCAw6kYucl 8ZdazpqfDWiruIcqArYMOB7JFm/r4SvTg9IUZspGrkSJhg9BPa8AIFgHCMIWc2ZBruJk A+DV7O1dvGrOdJYREzIY7mHfThCrTqwDVVc3YeDoTVKuyVn2vlOcchaBoovWZckyPaKt QpIlvMSbuUXjMG4+hiuHeQFvJ92JWfju4DrWaJR96VCMRH4iJ1LPMm5g5O8/d17DQARx xaww==
MIME-Version: 1.0
X-Received: by 10.236.103.170 with SMTP id f30mr248066yhg.4.1413299147874; Tue, 14 Oct 2014 08:05:47 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Tue, 14 Oct 2014 08:05:47 -0700 (PDT)
In-Reply-To: <7421C78D-A667-419B-8576-DA837AF20188@gmail.com>
References: <20141014093640.24706.qmail@cr.yp.to> <543D21A0.3000109@sbcglobal.net> <CAMfhd9Wude6j+PAG3pyeEukEBy4U7Tv1nsUVbtLcpALYvL2jpA@mail.gmail.com> <7421C78D-A667-419B-8576-DA837AF20188@gmail.com>
Date: Tue, 14 Oct 2014 08:05:47 -0700
Message-ID: <CACsn0ckHg7J4juStobVHB=Em2MOXvXJTUCW3z=gGstmspY-c=A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/y3I4EQ1fTYUpgX1KQf4xx_jt0nA
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Constant-time implementations
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 15:05:52 -0000

On Tue, Oct 14, 2014 at 6:49 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Doesn’t it become better (or at least safer) at some point to set a timer before beginning the operation and then not use the results until the timer expires?
>
> Sure this has a cost in memory, but any fool can write an implementation with an upper bound on processing time, whereas true constant time is both hard and has a 20% overhead (according to DJB’s message upthread).

Any fool can download tweetnacl.c and get an implementation of
curve25519 that is constant-time. Likewise any fool can rip
implementations out of eBATS. We don't need custom implementations and
we certainly don't need people who can't write constant time code
doing crypto.

Furthermore, setting a timer doesn't deal with cache-based attacks. If
you want more speed than current proposals provide, let me interest
you in genus 2 Jacobians, endomorphisms, exotic uses of base change,
long before you get any benefit from removing timing-attack
resistance. Is Curve25519 really too slow?

Sincerely,
Watson Ladd
>
> Yoav
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin