Re: [openpgp] Curve448 in ECDH

Paul Wouters <paul@nohats.ca> Sun, 28 February 2021 18:19 UTC

Date: Sun, 28 Feb 2021 13:19:35 -0500
From: Paul Wouters <paul@nohats.ca>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
cc: openpgp@ietf.org
In-Reply-To: <YDvQG0Qif46wPlUT@camp.crustytoothpaste.net>
Message-ID: <77d23f6c-a7c4-f43d-f0ac-cb511dd284c5@nohats.ca>
References: <7d8bdda1-4e5c-6c10-f3cd-1d191fad595c@nohats.ca> <YDrX4NICW6a6TX32@camp.crustytoothpaste.net> <aa9c358f-8982-9d7e-6bf1-e974d6b2d41c@nohats.ca> <YDvQG0Qif46wPlUT@camp.crustytoothpaste.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/euFw9NPyqB1q92SqiUJ4Jzx8RSI>
Subject: Re: [openpgp] Curve448 in ECDH

On Sun, 28 Feb 2021, brian m. carlson wrote:

>> Is that a concern for openpgp? openpgp is not an interactive protocol
>> where there is a server-client with possible MITM observing time spent?
>
> People definitely do use OpenPGP for interactive uses where constant
> time operations are relevant.  For example, when you create a commit by
> editing a file on GitHub, that commit will be signed by GitHub's private
> key, which is an online use.  This is hardly the only case where people
> sign online.

While this is online, there is no negotiation to monitor where you can
learn anything based on timing, as you don't get errors back to do
timing on?

> We've also seen cases where people do encryption and decryption online,
> such as by sending an encrypted message to an API and getting back an
> error or not depending on whether the message could be successfully
> decrypted.

This does seem to be a case where constant time matters. I was not
aware that openpgp was used in such ways.

> I agree that these are not the typical uses of OpenPGP, but people
> definitely do use it for online operations, and therefore, we need to
> properly consider them when we secure the protocol.

Sure, although if Curve448 has passed CFRG review, and other IETF
protocols are using it as well, I would think the algorithm would
be safe to use? And that constant time implementations will happen?
Especially since those other protocols like TLS or IKE would be much
more sensitive to this?

Paul
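The online decrypt-and-report-an-error API that brian describes above is exactly the setting in which a non-constant-time check becomes an oracle. The following is an added example, not code from this thread or from any OpenPGP implementation: it models the tag check at the end of an authenticated decryption with a toy server whose only output is accept/reject, and replaces wall-clock timing with a deterministic count of byte comparisons (the quantity a remote attacker would be estimating from latency). The server classes, the attacker, KEY and MSG are all constructed for the illustration.

```python
"""
Timing-oracle demonstration (added example, not from the mailing-list thread
or any OpenPGP code).  An early-exit tag comparison behind an accept/reject
API lets a remote caller recover the tag byte by byte; a constant-time
comparison behind the same API gives away nothing.

Instead of measuring wall-clock time (noisy in a test), the server counts how
many byte comparisons it performed; that count stands in for latency.
"""
import hmac
from typing import Optional

TAG_LEN = 8                                   # truncated tag keeps the demo small
KEY = b"constructed-demo-key-not-a-real-secret"   # constructed, not a real key
MSG = b"constructed message body"                 # constructed sample input


class LeakyServer:
    """Checks a MAC tag with an early-exit loop: the classic timing flaw."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.work = 0       # comparisons done in the last verify() call
        self.queries = 0    # how many times the API was hit

    def tag(self, msg: bytes) -> bytes:
        return hmac.new(self.key, msg, "sha256").digest()[:TAG_LEN]

    def verify(self, msg: bytes, candidate: bytes) -> bool:
        self.queries += 1
        self.work = 0
        expected = self.tag(msg)
        if len(candidate) != len(expected):
            return False
        for a, b in zip(expected, candidate):
            self.work += 1
            if a != b:
                return False    # stops early: work reveals the matching prefix
        return True


class ConstantTimeServer(LeakyServer):
    """Same API, but the comparison always touches every byte."""

    def verify(self, msg: bytes, candidate: bytes) -> bool:
        self.queries += 1
        expected = self.tag(msg)
        self.work = len(expected)            # independent of the candidate
        return hmac.compare_digest(expected, candidate)


def forge_tag(server: LeakyServer, msg: bytes) -> Optional[bytes]:
    """Recover the tag one byte at a time using only verify()'s accept/reject
    answer plus the observed amount of work.  Returns None when the oracle
    yields nothing usable."""
    guess = bytearray(TAG_LEN)
    for pos in range(TAG_LEN):
        for v in range(256):
            guess[pos] = v
            ok = server.verify(msg, bytes(guess))
            # Correct byte: either the tag is accepted (last position) or the
            # server ran at least one comparison past this position.
            if ok or server.work > pos + 1:
                break
        else:
            return None         # no value moved the oracle: nothing learned
    forged = bytes(guess)
    return forged if server.verify(msg, forged) else None


def demo() -> dict:
    """Run the attack against both servers and summarise the outcome."""
    leaky = LeakyServer(KEY)
    ct = ConstantTimeServer(KEY)
    return {
        "real_tag": leaky.tag(MSG).hex(),
        "leaky_forged": (forge_tag(leaky, MSG) or b"").hex(),
        "leaky_queries": leaky.queries,          # at most 8*256 + 1, not 2**64
        "constant_time_forged": forge_tag(ct, MSG),
        "constant_time_queries": ct.queries,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The attacker never sees the key or the tag; it only sees accept/reject and how long the server took. Against LeakyServer that is enough to forge a valid tag in at most 256 queries per byte, which is the reason the thread's "error or not" API is a real concern and why hmac.compare_digest (or the equivalent in whatever language the implementation uses) has to be on every such path.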