Re: [quicwg/base-drafts] Timing side-channel on key updates (#2792)

Kazuho Oku, Mon, 17 June 2019 06:24 UTC


@MikeBishop That certainly reduces the information potentially exposed to the attacker to one bit per key update.

But no less than that, for example when an attacker injects two packets slightly more frequently than every 3 PTO, with the only difference between the two packets being the value of the KEY_PHASE bit. In such an attack scenario, the attacker can tell which of the two packets caused the calculation of the updated key for every key update.

Admittedly, the leak is tiny; but I am not sure if it is tiny enough that we can ignore it.

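The following is an added model of the behaviour discussed in this comment; it is not code from the thread or from any QUIC implementation. It compares a receiver that derives the next-generation key on demand when it first sees a flipped KEY_PHASE bit (and caches it, so the cost is paid once per key update, as in the proposal being replied to) against a receiver that derives the next key ahead of time. The per-packet count of key derivations stands in for the observable timing. The HKDF-Expand-Label construction follows TLS 1.3; the "quic ku" label, the 3 PTO candidate-key lifetime, the secrets and the packet stream are assumptions or constructed values for this example.

```python
"""Key-update timing channel, modelled as a count of key derivations per packet.

LazyReceiver  derives the next-generation secret the first time a packet with a
              flipped KEY_PHASE bit arrives and keeps it for ~3 PTO; the
              derivation cost therefore lands on exactly one of two injected
              packets that differ only in KEY_PHASE, revealing the current phase.
EagerReceiver derives the next-generation secret right after installing the
              current one, so a flipped KEY_PHASE bit costs nothing extra.
"""
import hashlib
import hmac

KEY_PHASE_BIT = 0x04  # KEY_PHASE bit of the first byte of a QUIC short-header packet


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label as defined in TLS 1.3 (RFC 8446, 7.1), SHA-256 only."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    out, t, i = b"", b"", 1
    while len(out) < length:  # HKDF-Expand: T(i) = HMAC(secret, T(i-1) | info | i)
        t = hmac.new(secret, t + hkdf_label + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def next_secret(secret: bytes) -> bytes:
    # Label assumed for this example; derives the next-generation traffic secret.
    return hkdf_expand_label(secret, b"quic ku", b"", 32)


def key_phase(first_byte: int) -> int:
    return 1 if first_byte & KEY_PHASE_BIT else 0


class LazyReceiver:
    """Derives the candidate key on first sight of a flipped phase, then caches it."""

    def __init__(self, secret: bytes):
        self.secret, self.phase, self.candidate = secret, 0, None

    def expire_candidate(self) -> None:
        self.candidate = None  # called ~3 PTO after derivation (timer not modelled)

    def process(self, first_byte: int, tag: bytes) -> int:
        """Returns the number of key derivations this packet triggered."""
        if key_phase(first_byte) == self.phase:
            return 0
        derivations = 0
        if self.candidate is None:
            self.candidate, derivations = next_secret(self.secret), 1
        if tag == self.candidate:  # stands in for a successful AEAD decryption
            self.secret, self.phase, self.candidate = self.candidate, key_phase(first_byte), None
        return derivations


class EagerReceiver:
    """Always holds the next-generation secret, derived when the current one was installed."""

    def __init__(self, secret: bytes):
        self.secret, self.phase, self.candidate = secret, 0, next_secret(secret)

    def expire_candidate(self) -> None:
        pass  # nothing is cached on demand, so nothing expires

    def process(self, first_byte: int, tag: bytes) -> int:
        if key_phase(first_byte) == self.phase or tag != self.candidate:
            return 0  # injected packets cost the same whatever their KEY_PHASE bit
        self.secret, self.phase = self.candidate, key_phase(first_byte)
        self.candidate = next_secret(self.secret)
        return 1  # cost tied to a genuine update by the peer, not to injected packets


def cost_trace(receiver, events) -> list:
    """Feed a constructed event stream; None marks 3 PTO elapsing with no update."""
    trace = []
    for ev in events:
        if ev is None:
            receiver.expire_candidate()
            continue
        first_byte, tag = ev
        trace.append(receiver.process(first_byte, tag))
    return trace


# Constructed secrets and packet stream; a packet's tag equals the secret it was
# protected under, and BOGUS marks attacker-injected packets that never decrypt.
S0 = b"\x11" * 32
S1 = next_secret(S0)
BOGUS = b"bogus"
EVENTS = [
    (0x40, S0),     # genuine packet, phase 0
    (0x40, BOGUS),  # injected pair differing only in KEY_PHASE
    (0x44, BOGUS),
    None,           # 3 PTO pass; the lazy receiver discards its candidate key
    (0x40, BOGUS),  # injected pair again
    (0x44, BOGUS),
    (0x44, S1),     # the peer's genuine key update
    (0x44, BOGUS),  # injected pair after the update
    (0x40, BOGUS),
]

if __name__ == "__main__":
    print("lazy :", cost_trace(LazyReceiver(S0), EVENTS))
    print("eager:", cost_trace(EagerReceiver(S0), EVENTS))
```

In the lazy trace the derivation lands on whichever injected packet carries the flipped bit, once per 3 PTO window and again after each genuine update, which is the per-update leak the comment describes; in the eager trace the only derivation coincides with the peer's real key update, so the injected pair is indistinguishable.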