Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 26 March 2019 13:20 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>, SPASM <spasm@ietf.org>
Date: Tue, 26 Mar 2019 13:20:05 +0000
Message-ID: <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com>, <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
In-Reply-To: <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/0N2czE66zORpOooIdiZZvqIpVO0>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Dang, Quynh (Fed)
Sent: Tuesday, March 26, 2019 9:11 AM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.


Hi all,



Here is the attack I mentioned at the meeting today: https://eprint.iacr.org/2018/674/20180713:140821.



This is a fault attack (that is, you try to make the signer miscompute something, and then use the miscomputed signature); a signer implementation could implement protections against this (of course, those protections are not free).



I just looked at the LMS draft; the single tree with height 25 (2^25 signatures) takes only 1.5 hours.



Clarification on this:

  *   The test used 15 cores (and so it used a total of circa 1 core-day)
  *   This was done with a W=8 parameter set.  This makes the signature shorter (1936 bytes in this case); however, it does increase the key generation time. A W=4 parameter set would approximately double the signature size, while decreasing the key generation time by circa a factor of 8.





Regards,

Quynh.
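As an added example (my own code, not anything from this thread or from the LMS draft), here is the RFC 8554 parameter arithmetic behind the W=8 versus W=4 remark above, in Python. It derives p and ls from the Winternitz parameter w, computes LM-OTS, LMS and HSS signature sizes (reproducing the 1936-byte figure for a single-level HSS signature with h=25 and W=8), and estimates key-generation cost as a count of hash invocations. SHA-256 (n=32) is assumed throughout; the cost model is my approximation, and the hash-rate line only back-computes from the 15-core / 1.5-hour figure given in the message, it is not a benchmark.

```python
# Added example (not code from the original thread or the LMS draft):
# LM-OTS / LMS / HSS parameter and cost arithmetic from RFC 8554, used to
# check the W=8 vs W=4 trade-off.  SHA-256 (n = 32) is assumed; the
# key-generation cost model is an approximation of my own, not a figure
# taken from the message.
import math

N = 32                             # n: hash output length in bytes (SHA-256)
LMS_PUBKEY_LEN = 4 + 4 + 16 + N    # lms type || lmots type || I || T[1]


def lmots_params(w, n=N):
    """Return (p, ls) for LM-OTS with Winternitz parameter w (RFC 8554, 4.1).

    u  = number of w-bit digits in the n-byte message digest
    v  = number of w-bit digits needed for the checksum
    ls = left shift applied to the checksum so its digits line up
    p  = u + v, the number of hash chains (and n-byte values per signature)
    """
    u = math.ceil(8 * n / w)
    v = math.ceil((math.floor(math.log2((2 ** w - 1) * u)) + 1) / w)
    return u + v, 16 - v * w


def lmots_sig_len(w, n=N):
    """u32 type || C (n bytes) || y[0..p-1] (p * n bytes)."""
    p, _ = lmots_params(w, n)
    return 4 + n + p * n


def lms_sig_len(h, w, n=N):
    """u32 q || LM-OTS signature || u32 lms type || h authentication-path nodes."""
    return 4 + lmots_sig_len(w, n) + 4 + h * n


def hss_sig_len(levels, h, w, n=N):
    """u32 Nspk || (levels-1) * (LMS sig || LMS pubkey) || final LMS sig.

    Every level is assumed to use the same (h, w); RFC 8554 allows mixing.
    """
    return 4 + levels * lms_sig_len(h, w, n) + (levels - 1) * LMS_PUBKEY_LEN


def lms_keygen_hashes(h, w, n=N):
    """Approximate hash invocations to build one LMS tree of height h.

    Per leaf: p chains of (2^w - 1) steps, one hash to compress the p chain
    tops into the OTS public key, one hash for the leaf node.  Then 2^h - 1
    internal nodes.  Seed expansion (RFC 8554 appendix A) is ignored; this
    is a model, not a measurement.
    """
    p, _ = lmots_params(w, n)
    leaves = 2 ** h
    per_leaf = p * (2 ** w - 1) + 1 + 1
    return leaves * per_leaf + (leaves - 1)


def compare(h, w_short, w_fast, cores, hours):
    """Signature size and key-generation cost for two W choices at the same
    height, plus the per-core hash rate implied by a reported wall-clock
    time for the w_short tree on the given number of cores."""
    size_short, size_fast = hss_sig_len(1, h, w_short), hss_sig_len(1, h, w_fast)
    cost_short, cost_fast = lms_keygen_hashes(h, w_short), lms_keygen_hashes(h, w_fast)
    return {
        "sig_bytes": (size_short, size_fast),
        "sig_ratio": size_fast / size_short,
        "keygen_hashes": (cost_short, cost_fast),
        "keygen_ratio": cost_short / cost_fast,
        # hashes per core-second needed to reach the reported time
        "implied_hash_rate": cost_short / (cores * hours * 3600),
    }


if __name__ == "__main__":
    for w in (1, 2, 4, 8):
        print(f"w={w}: (p, ls) = {lmots_params(w)}, LMS sig at h=25 = {lms_sig_len(25, w)} B")
    r = compare(25, 8, 4, cores=15, hours=1.5)
    print(f"HSS L=1 h=25: W=8 {r['sig_bytes'][0]} B, W=4 {r['sig_bytes'][1]} B "
          f"({r['sig_ratio']:.2f}x)")
    print(f"keygen hashes: W=8 {r['keygen_hashes'][0]:.3g}, "
          f"W=4 {r['keygen_hashes'][1]:.3g} ({r['keygen_ratio']:.1f}x)")
    print(f"implied rate for 15 cores over 1.5 h: "
          f"{r['implied_hash_rate']:.2e} hashes per core-second")
```

The per-leaf term p * (2^w - 1) is what drives the key-generation cost: raising w shortens the signature by cutting p, but each chain becomes exponentially longer, which is why the W=8 tree costs roughly eight to nine times as many hashes as the W=4 tree at the same height.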