[saag] Twist Insecurity
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 18 June 2015 17:37 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/eKkg2kFa8T_XIG_gYwmjg88EFQE>
For those who haven't seen it yet, the following paper may be of interest:

http://eprint.iacr.org/2015/577

Several authors suggest that the use of twist secure Elliptic Curves automatically leads to secure implementations. We argue that even for twist secure curves a point validation has to be performed. We illustrate this with examples where the security of EC-algorithms is strongly degraded, even for twist secure curves. We show that the usual blinding countermeasures against SCA are insufficient (actually they introduce weaknesses) if no point validation is performed, or if an attacker has access to certain intermediate points. In this case the overall security of the system is reduced to the length of the blinding parameter. We emphasize that our methods work even in the case of a very high identification error rate during the SCA-phase.

Peter.
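Added example (not code from the cited paper or from the post above): the point validation the abstract says has to be performed, written out for a prime-order short Weierstrass curve using the published NIST P-256 domain parameters. It checks that a received point has coordinates in the field, satisfies the curve equation, and has the expected order, and it includes a residuosity test showing which x-coordinates have no point on the curve at all, which is what an x-only ladder would otherwise process on the quadratic twist. The affine arithmetic is a plain double-and-add, not side-channel safe, and exists only so the order check can be run; the rejected inputs are constructed for the example.

```python
"""Full public-key (point) validation for y^2 = x^3 + a*x + b over GF(p).

Added illustration, not code from the cited paper or from the post above.
Curve constants are the published NIST P-256 (secp256r1) domain parameters;
every other value here is constructed for the example.
"""

P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,  # p - 3
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "gx": 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    "gy": 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
    "n": 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
}

INF = None  # point at infinity


def is_on_curve(pt, c):
    """True if pt satisfies the curve equation (the point at infinity counts)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + c["a"] * x + c["b"])) % c["p"] == 0


def add(p1, p2, c):
    """Affine group law. Only meaningful for points that are on the curve: the
    formulas never use b, so a point satisfying y^2 = x^3 + a*x + b' for some
    other b' is silently processed on that other curve (the invalid-curve problem)."""
    p = c["p"]
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF  # P + (-P), includes doubling a point with y == 0
        lam = (3 * x1 * x1 + c["a"]) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, pt, c):
    """Plain double-and-add; not constant time, used here only for the order check."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend, c)
        addend = add(addend, addend, c)
        k >>= 1
    return acc


def validate_point(pt, c):
    """Accept a received public point only if it passes every check.
    Returns (ok, reason) so callers can log why a peer's key was rejected."""
    if pt is INF:
        return False, "point at infinity"
    x, y = pt
    if not (0 <= x < c["p"] and 0 <= y < c["p"]):
        return False, "coordinate outside GF(p)"
    if not is_on_curve(pt, c):
        return False, "not on the curve"
    # Order check: guards against small-subgroup points on cofactor > 1 curves.
    # P-256 has prime order, so here it is implied by the on-curve check, but it
    # is what full validation requires and costs one scalar multiplication.
    if mul(c["n"], pt, c) is not INF:
        return False, "not in the prime-order subgroup"
    return True, "ok"


def x_is_on_twist(x, c):
    """True when x^3 + a*x + b is a quadratic non-residue mod p: no y in GF(p)
    pairs with this x, so an x-only ladder given x alone runs on the twist."""
    p = c["p"]
    rhs = (x * x * x + c["a"] * x + c["b"]) % p
    return rhs != 0 and pow(rhs, (p - 1) // 2, p) == p - 1  # Euler's criterion


def first_twist_x(c, start=1):
    """Smallest x >= start with no curve point (about half of all x values qualify)."""
    x = start
    while not x_is_on_twist(x, c):
        x += 1
    return x


if __name__ == "__main__":
    G = (P256["gx"], P256["gy"])
    print("generator:", validate_point(G, P256))
    print("corrupted y:", validate_point((G[0], G[1] + 1), P256))
    tx = first_twist_x(P256)
    print("twist x = %d, (x, 1) ->" % tx, validate_point((tx, 1), P256))
```

The on-curve check is the one that matters for the twist: a short Weierstrass implementation that takes (x, y) but never verifies the equation, or an x-only one that takes x alone, accepts inputs that x_is_on_twist flags and then does all of its scalar-multiplication work on a group the curve designer never analysed. Twist security bounds what an attacker gains from that group in the pure mathematical setting; the paper's point is that it does not bound what they gain once side-channel leakage and blinding enter the picture, so the check stays in.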