[TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis PRs #1360
"D. J. Bernstein" <djb@cr.yp.to> Mon, 09 September 2024 12:49 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6325EC14F609 for <tls@ietfa.amsl.com>; Mon, 9 Sep 2024 05:49:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.206
X-Spam-Level:
X-Spam-Status: No, score=-4.206 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p1v5L2FZPfjI for <tls@ietfa.amsl.com>; Mon, 9 Sep 2024 05:49:19 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 254ADC14EB19 for <tls@ietf.org>; Mon, 9 Sep 2024 05:49:18 -0700 (PDT)
Received: (qmail 30085 invoked by uid 1010); 9 Sep 2024 12:49:18 -0000
Received: from unknown (unknown) by unknown with QMTP; 9 Sep 2024 12:49:18 -0000
Received: (qmail 382987 invoked by uid 1000); 9 Sep 2024 12:49:08 -0000
Date: Mon, 09 Sep 2024 12:49:08 -0000
Message-ID: <20240909124908.382985.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <38371548-711b-40ea-bc5a-e23f3b04118c@redhat.com>
Message-ID-Hash: APE4KXYIQL5BJPSUUO7TWCQN23G2I5EX
X-Message-ID-Hash: APE4KXYIQL5BJPSUUO7TWCQN23G2I5EX
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis PRs #1360
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/R6Cyob9M1RDwA-FDiZ8rp3xhdDU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Alicja Kario writes: > We haven't actually performed > an attack in which we extracted the private key. [ ... ] > In practice, what we've shown is that the implementation is _likely_ > vulnerable to microarchitectural side-channel attacks. The top of Appendix A of https://cr.yp.to/papers.html#safecurves distinguishes "demo" ("an attack has been demonstrated") from "vulnerability" ("analysis indicates that an attack should work"). The Firefox entry in the list says "vulnerability". Actually carrying out an attack would upgrade it to "demo". > And I'm pretty sure that the implementation of Ed25519 in > https://github.com/tlsfuzzer/python-ecdsa is also vulnerable to the > same class of attacks because of the super-leaky implementation of > arbitrary precision arithmetic it's using. Indeed, one can't expect any cryptosystem to be able to survive the timing leaks from Python integers! But wait. EdDSA has another trick up its sleeve that might sometimes save the day even in this horrifying situation. The EdDSA hash is double-length, and an implementation designed for simplicity won't reduce the hash mod the group order. Here's why this matters for people evaluating attack costs. Remember that, in ECDSA, by far the easiest timing variability to exploit is the correlation between faster scalarmult and smaller nonces _mod the group order_. If nonces _aren't_ reduced then what one instead expects to see is a correlation between faster scalarmult and smaller double-length nonces---which isn't useful per se for the attacker. The Minerva team originally claimed to break ECDSA and EdDSA in libgcrypt. Two days later the team withdrew the EdDSA part of this claim. https://blog.cr.yp.to/20191024-eddsa.html traces how this boiled down to EdDSA's double-length hash, and also quotes how I had predicted this scenario five years earlier. Could it be that there's also no reduction mod the group order in the python-ecdsa implementation? To be clear, I assume that enough work will break libgcrypt---the nonce length is just the simplest attack target, and we should be much more proactive than just saying that the simplest attack doesn't work. The same blog post says "We have to throw away variable-time crypto code _without_ waiting for attacks to be demonstrated". But people who _are_ in the disaster scenario of deploying variable-time arithmetic will still have EdDSA making attacks harder on average than ECDSA does. ---D. J. Bernstein
- [TLS]Consensus Call: -rfc8446bis PRs #1360 Sean Turner
- [TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis … D. J. Bernstein
- [TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis … D. J. Bernstein
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… Andrei Popov
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… Peter Gutmann
- [TLS]Re: Consensus Call: -rfc8446bis PRs #1360 Russ Housley
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… Salz, Rich
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… Richard Barnes
- [TLS]Re: [EXTERNAL] Consensus Call: -rfc8446bis P… David Adrian
- [TLS] Re: Consensus Call: -rfc8446bis PRs #1360 Sean Turner
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… Eric Rescorla
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… D. J. Bernstein
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… John Mattsson
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… Watson Ladd
- [TLS] Re: [TLS]Re: [EXTERNAL] Consensus Call: -rf… D. J. Bernstein
- [TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis … Alicja Kario
- [TLS] Re: [EXTERNAL] Consensus Call: -rfc8446bis … Alicja Kario
- [TLS] Re: Consensus Call: -rfc8446bis PRs #1360 Sean Turner
- [TLS] Re: Consensus Call: -rfc8446bis PRs #1360 Stephen Farrell
- [TLS] Re: Consensus Call: -rfc8446bis PRs #1360 Eric Rescorla