Re: [openpgp] Review of crypto-refresh 07
Andrey Jivsov <openpgp@brainhub.org> Fri, 18 November 2022 03:45 UTC
Return-Path: <brainhubr@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55EEAC14F740 for <openpgp@ietfa.amsl.com>; Thu, 17 Nov 2022 19:45:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.396
X-Spam-Level:
X-Spam-Status: No, score=-1.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H32zHwYV63Nc for <openpgp@ietfa.amsl.com>; Thu, 17 Nov 2022 19:45:11 -0800 (PST)
Received: from mail-qv1-f43.google.com (mail-qv1-f43.google.com [209.85.219.43]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A865C14F72B for <openpgp@ietf.org>; Thu, 17 Nov 2022 19:45:11 -0800 (PST)
Received: by mail-qv1-f43.google.com with SMTP id s18so1007610qvo.9 for <openpgp@ietf.org>; Thu, 17 Nov 2022 19:45:11 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=FLiCVKYEmWxT7M7lYdPHqHPtC9Gvxx7FtU9Ce4oDOyU=; b=6vhpPvHzhaoeGocYMWjpaXC1eB5z7G1LmzXPFEDXgtX3pZ9pfz4gm/WHRpIYew6QSv Ws5jHZAfXYYNfhPt/JOQV68pJxRw2rjbobj66F0SockzFH104VHEv70smTWOJ6E3Axy7 4XutOw8RDgtY94mcEANc3uWmRbe8ejdZgzqG0V0wNBOBGNSgqAHqPC1DoYU55swCYkks g1lPTSnRaqHXqRW9CdTf06euTK4w9eLirNo3pjruutQsqOqAuBqftLkSQUlwK5Q1RGIJ v1ryOpK9XAc0+7sDvdf44/aLDljIObA8sOpOiZ0SJ27hLBFYG17E5bD6b8R2mG6Yu5Lh oqEw==
X-Gm-Message-State: ANoB5plRuTZBbgNHfJA4oK1Y1HruCzhkDabp6GIOR+hxrdYTqnyOTeOQ ZABRf6xx4WR+dwqb+HKy9sBJsCGfqu4=
X-Google-Smtp-Source: AA0mqf7ZmY+dl61AfqR6dP3NV2ZzlpCenv5TOTmviV5uKytKwYADQg8n5Ut/ZdTLSOU4wAnVZnqtZQ==
X-Received: by 2002:a0c:e30e:0:b0:4b1:9f75:561c with SMTP id s14-20020a0ce30e000000b004b19f75561cmr5258124qvl.120.1668743109929; Thu, 17 Nov 2022 19:45:09 -0800 (PST)
Received: from mail-qt1-f178.google.com (mail-qt1-f178.google.com. [209.85.160.178]) by smtp.gmail.com with ESMTPSA id c12-20020ac8054c000000b003995f6513b9sm1350384qth.95.2022.11.17.19.45.09 for <openpgp@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 17 Nov 2022 19:45:09 -0800 (PST)
Received: by mail-qt1-f178.google.com with SMTP id l2so2436117qtq.11 for <openpgp@ietf.org>; Thu, 17 Nov 2022 19:45:09 -0800 (PST)
X-Received: by 2002:ac8:5ed5:0:b0:3a4:f479:e147 with SMTP id s21-20020ac85ed5000000b003a4f479e147mr5225278qtx.243.1668743109365; Thu, 17 Nov 2022 19:45:09 -0800 (PST)
MIME-Version: 1.0
References: <9901f3c9-7944-e8a0-d2e5-a0aced7cbc3b@mtg.de> <CAAWw3RjhdOqrGxUv8EQBVMSTawYPHt9UO=of1fi52M2qE8TiFw@mail.gmail.com> <9d49e51a-e59f-657d-5630-a8b6c34fddc9@mtg.de>
In-Reply-To: <9d49e51a-e59f-657d-5630-a8b6c34fddc9@mtg.de>
From: Andrey Jivsov <openpgp@brainhub.org>
Date: Thu, 17 Nov 2022 19:44:57 -0800
X-Gmail-Original-Message-ID: <CAAWw3RjtzGShD0OuS8zP0USKFU0oWRtZ7EbiDxftLCCJeAd1Kw@mail.gmail.com>
Message-ID: <CAAWw3RjtzGShD0OuS8zP0USKFU0oWRtZ7EbiDxftLCCJeAd1Kw@mail.gmail.com>
To: Falko Strenzke <falko.strenzke@mtg.de>
Cc: openpgp@ietf.org
Content-Type: multipart/related; boundary="00000000000041f76705edb688d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/aJHmNFvtlVSquhl-NJmfIteKyGc>
Subject: Re: [openpgp] Review of crypto-refresh 07
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Nov 2022 03:45:15 -0000
I wouldn't prohibit key generation. Instead, I would fix the method, with the understanding that we are unlikely to see these curves used in practice. I should have mentioned that such handling of "overflow" is currently one of two FIPS-approved methods to generate a key, and that's the one that OpenSSL uses. I think most SW uses it, and I believe gnupg is in this category too. See FIPS 186-4 sec. B.4.2 Key Pair Generation by Testing Candidates. It is natural to overlay on top of it a condition for when we overflow into the next byte with a private scalar, and reject this candidate. If software passes an input random buffer that already satisfies the property of not having the top bit set, by providing ceil(log2(p)) bits of input entropy, then there is no code to add in this case. So, this is simple and efficient change at the byte level, that generalizes to all curves. On Thu, Nov 17, 2022 at 4:57 AM Falko Strenzke <falko.strenzke@mtg.de> wrote: > Hi Andrey, > > I tend to recommend not to specify the tweaks you propose or any other > tweak to handle curves with this property, even though this would not be > per se a security problem. The problems that I see are: > > - enhanced complexity for implementations > - need for test vectors for this special case > - possibly increased difficulty for OpenPGP-based products to pass > security validations > > Further, I want to argue that the curves that are affected by this error > are mostly irrelevant to OpenPGP: > > - The curves that I listed are the only ones with this property that I am > aware of. Koblitz curves are generally hardly ever used, and the random > 160-bit curves can only be used for lightweight authentication. > - Probably new curves with this property could be created, if they follow > the "prime = sparse linear combination of powers of two" paradigm, as the > SECP curves do. But it seems no one has done this for a long time, and I > would not expect anyone will do this in the future. > > On this background it suffices in my opinion to require implementations to > gracefully reject these curves. However, that pertains only to key > generation, since, as far as I can see, the stored private key is the only > scalar that is affected. So it could be specified that > > 1. an implementation MUST NOT create keys for curves where the base point > order is represented in one more octet than p. > 2. an implementation SHOULD perform all other operations with such curves. > > The second point means that if an implementation ignores the first point > using one of the methods you propose or it receives a private from > elsewhere, it will still be interoperable with other implementations that > only need to perform the public operation with that curve. > > Regarding the second point it could still be discussed if performing > private operations should also be forbidden. > > Does that make sense? > > - Falko > Am 17.11.22 um 01:55 schrieb Andrey Jivsov: > > ## 9.2. ECC Curves for OpenPGP >> >> > The "Field Size (fsize)" column represents the field size of the group >> in number of octets, rounded up, such that [...] or scalars [...] for the >> curve can be represented in that many octets. >> >> The assumption that a scalar, i.e. a group element, always fits into an >> array long enough to hold a field element, is not correct: according to >> Hasse's theorem for Weierstraß GF( p ) curves, we find for the base point >> order N >> >> N ≤ p + 2 √p + 1 >> >> Thus, depending on the curve, scalars such as the private key can be one >> bit longer than the field size, and thus also need one more octet. >> secp160k1, secp160r1, secp160r2, and secp224k1 are examples of a domain >> parameter sets where the representation of N needs one more octet than p. >> I do not think that there is a need (or desire) to correct the OpenPGP >> specification in this point. I would not expect that the need arises to >> support any new elliptic curves, and the ones listed above most likely are >> not desired to be supported at all. >> But I think a note should be given in the quoted section (or another >> appropriate place) regarding this restriction, as an OpenPGP implementation >> may behave undefined when attempting to use it with any of the curves >> listed above (in an extension implementation of any kind). Implementations >> should be prepared to reject curves with this property for security reasons. >> > > The probability to hit this condition is at most 2^-80 for these new > curves. > > When this condition is known to occur, the key's security strength is only > 40 bits. In general, we don't need to special-case odd key values, as they > are expected to be within the key space. > > However, in this case there will need to be special processing due to the > overflow into the next 64-bit word (or a byte at least). This may result in > a side channel information, either due to time needed to process this new > condition, new code path, or even the key size on disk. > > For these reasons I think the best fix for this is to treat the overflow > of private value over log2(p) bits as an error. If detected, the key should > be regenerated. > > This error is an unfortunate side effect of supporting new ECC curves. > However, the error handling can be hidden inside the key generation routine > with e.g. a maximum loop count over key generation fixed at 2. > Specifically, if we detect this condition, generate again, and if this > fails, return a key generation error to the higher level. > > > -- > > *MTG AG* > Dr. Falko Strenzke > Executive System Architect > > Phone: +49 6151 8000 24 > E-Mail: falko.strenzke@mtg.de > Web: mtg.de <https://www.mtg.de> > > > *MTG Exhibitions 2022 – Let´s meet again!* > ------------------------------ > <https://www.itsa365.de/de-de/companies/m/mtg-ag> > > MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany > Commercial register: HRB 8901 > Register Court: Amtsgericht Darmstadt > Management Board: Jürgen Ruf (CEO), Tamer Kemeröz > Chairman of the Supervisory Board: Dr. Thomas Milde > > This email may contain confidential and/or privileged information. If you > are not the correct recipient or have received this email in error, > please inform the sender immediately and delete this email. Unauthorised > copying or distribution of this email is not permitted. > > Data protection information: Privacy policy > <https://www.mtg.de/en/privacy-policy> >
- [openpgp] Review of crypto-refresh 07 Falko Strenzke
- Re: [openpgp] Review of crypto-refresh 07 Paul Wouters
- Re: [openpgp] Review of crypto-refresh 07 Andrey Jivsov
- Re: [openpgp] Review of crypto-refresh 07 Falko Strenzke
- Re: [openpgp] Review of crypto-refresh 07 Falko Strenzke
- Re: [openpgp] Review of crypto-refresh 07 Andrey Jivsov
- Re: [openpgp] Review of crypto-refresh 07 Falko Strenzke