IETF Logo Mail Archive

Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.

Russ Housley <housley@vigilsec.com> Wed, 27 March 2019 09:44 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1816E1202A7 for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 02:44:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lhIIV_M-iIi8 for <spasm@ietfa.amsl.com>; Wed, 27 Mar 2019 02:44:27 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E180F12028F for <spasm@ietf.org>; Wed, 27 Mar 2019 02:44:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 9EE323009FB for <spasm@ietf.org>; Wed, 27 Mar 2019 05:26:08 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Upa9JhKO6TsG for <spasm@ietf.org>; Wed, 27 Mar 2019 05:26:06 -0400 (EDT)
Received: from dhcp-9482.meeting.ietf.org (dhcp-9482.meeting.ietf.org [31.133.148.130]) by mail.smeinc.net (Postfix) with ESMTPSA id 3FD2A300AB3; Wed, 27 Mar 2019 05:26:04 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <BAC88CE0-EC2C-4449-A418-7FA4CAAB376F@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E50A0CD6-B19A-4AB6-8FCE-31B86A67763B"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 27 Mar 2019 05:44:20 -0400
In-Reply-To: <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
Cc: SPASM <spasm@ietf.org>
To: "Dang, Quynh (Fed)" <quynh.dang=40nist.gov@dmarc.ietf.org>
References: <BN6PR14MB1106140408FFB08553DEAE98835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <D6AB5830-C69A-44CA-BD63-9B64F92C032E@vigilsec.com> <BN8PR09MB3604C9C7C8609430A58FD99EF35F0@BN8PR09MB3604.namprd09.prod.outlook.com> <afb437b0d9e14a8097947a25d8422286@XCH-RTP-006.cisco.com> <BN8PR09MB3604324EF9D5BF4E9061F1B4F35F0@BN8PR09MB3604.namprd09.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/s93yFnrJC2SUx-unpKR7vvXGH4U>
Subject: Re: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 09:44:29 -0000

This was discussed briefly in the SUIT WG today, and it was observed that a small tree of providing 32 signatures is acceptable in many cases, and the last update can be reserved for installing a new trust anchor for a new tree.

Russ


> On Mar 26, 2019, at 10:03 AM, Dang, Quynh (Fed) <quynh.dang=40nist.gov@dmarc.ietf.org> wrote:
> 
> The only downside of 1 level tree is its key generation time comparing to multi-level trees. In situations ( such as a code signing application) where 1, 2 or 3 etc... hours of a key generation time is not a problem, then using a big 1 level tree seems better than using a multi-level tree. 
> 
> Therefore,  some bigger height numbers for 1-level tree may be desired.
> 
> Quynh. 
> From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com <mailto:sfluhrer@cisco.com>>
> Sent: Tuesday, March 26, 2019 9:20:05 AM
> To: Dang, Quynh (Fed); SPASM
> Subject: RE: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
>  
> Irom: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Dang, Quynh (Fed)
> Sent: Tuesday, March 26, 2019 9:11 AM
> To: SPASM <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: [lamps] Side-channel attack on multi-level trees and key generation of LMS.
>  
> Hi all,
>  
> Here is the attack I mentioned at the meeting today: https://eprint.iacr.org/2018/674/20180713:140821 <https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Feprint.iacr.org%2F2018%2F674%2F20180713%3A140821&data=02%7C01%7Cquynh.dang%40nist.gov%7C17afe62f6ae74a858cbf08d6b1edc737%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636892032138187826&sdata=9u3pPjSd5ErMGIiBVoyV%2BjwwRyreeZJm4U7ONsQPU5w%3D&reserved=0>.
>  
> This is a fault attack (that is, you try to make the signer miscompute something, and then use the miscomputed signature); a signer implementation could implement protections against this (of course, those protections are not free).
>  
> I just looked at the LMS's draft, the single tree with height 25 ( 2^25 signatures)  takes only 1.5 hours.
>  
> Clarification on this:
> The test used 15 cores (and so it used a total of circa 1 core-day)
> This was done with a W=8 parameter set.  This makes the signature shorter (1936 bytes in this case), however it does increase the key generation time; a W=4 parameter set would approximately double the signature size, while decreasing the key generation time by circa a factor of 8.
>  
>  
> Regards,
> Quynh. 
>  
>  
>  
>  
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>

v2.23.0 | Report a Bug | By Email