Minerva: Practically exploitable side-channel leakage in ECDSA implementations(minerva.crocs.fi.muni.cz) |
Minerva: Practically exploitable side-channel leakage in ECDSA implementations(minerva.crocs.fi.muni.cz) |
https://wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_...
I understand that most people just take the ref10 code from supercop, but if I were to try to implement ed25519 from the paper (https://ed25519.cr.yp.to/papers.html), what is the chance I would do something like what libgcrypt did, or equally bad?
Basically, is ed25519 secure because everyone uses a known secure implementation or because it is engineered to be genuinely hard to implement incorrectly from the paper? (I know it's both, but is it mostly one or the other?)
1 - They special cased the point at infinity and this short-circuit allowed to count leading zeros.
However, if you were starting with some Short-Weierstrass EC code in your library, then you might be inclined to skip all the scalar multiplication specific stuff in the Ed25519 paper, just take some (incomplete) Edwards formulas, take some general scalar multiplication algo (or even reuse the one you have for Short-Weierstrass, like libgcrypt) and end up with a vulnerable EdDSA (if your ECDSA was).
The short-circuiting in the addition formulas is necessary if incomplete formulas are used. Either that is done, or the scalar multiplication algorithm has to explicitly find out the bit-length and start so that the point at infinity is not input into them ever.
> The attack required 11000 signatures
For a smartcard, this seems rather impractical in the real world. My Nitrokey has 1938 total signs after a month of usage, signing every git commit to our company repository and using it to authenticate over ssh (gpg-agent)
It is quite a conservative estimate, we didn't want to claim something our PoC couldn't deliver. Also, it is with minimal attack runtime, as in, after you have those signatures and timings it takes a few minutes to get the private key. There is a trade-off where you can get around some of the noise and thus need less signatures if you just throw more computation resources at it.
https://www.securetechalliance.org/athenas-idprotect-smart-c...
2. People need to use ECDSA for same reason they need to use RSA: compatibility. In particular, EdDSA webpki certificates will likely never happen (https://cabforum.org/pipermail/servercert-wg/2019-June/00087...).
For new designs: basically just use libsodium.
For SSH: Ed25519 or 2048 bit RSA.
We can get into the weeds about which specific cryptographic primitives are fine in isolation, but that misses the point — the ones that were fine 5-10 years ago are still more or less fine — the problems for developers and end-users generally stem from accidental misuse of cryptographic primitives in designing systems incorporating cryptographic primitives as a component. Sure, don't use DES, DSA, or MD5/SHA1; strong primitives are only necessary, not sufficient.
Check out libhydrogen from the same author. The API contains less footguns (like nonces).
https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...
* ECDSA with secp-256 or ed25519 curves
* RSA >= 2048 bits. Performance takes a steep dive at 4096bits unfortunately
What people don't understand is that your implementation needs to be selected against your attack surface. If your attack surface includes hardening against side channels, your implementation selection needs to take that into account.
https://latacora.singles/2018/04/03/cryptographic-right-answ...
On a glance none of those recommendations have become invalid in the passing 18 months or so.
Thank you for the explanation!
In https://minerva.crocs.fi.muni.cz/#details-reasons and in your comment you're describing two bad ways to do scalarmult, but you do not show side-by-side the correct way (e.g. what ref10 does). Can you describe it in a sentence or two?
One of the main points in the root causes discussion is that without complete formulas you are almost always going to leak the bit-length, so the only way to not be vulnerable in that case is to fix the bit-length to a constant value. This cannot be done naively by simply setting the high bit, because this would introduce bias in the nonces which would be exploitable even without measuring the duration, a much worse attack! However it can be done via the method suggested by Brumley & Tuveri in https://eprint.iacr.org/2011/232 where you add a multiple of the curve order to the scalar to fix its bit-length. This means the distribution of the nonce modulo the order remains the same (uniform, no bias) yet the bit-length used in scalarmult as a loop bound is constant.
Then there's some much more general concerns about the NIST curves themselve. These concerns come down to that a) we don't really know how they were generated (there are some numbers in the paper that just "appear out of nowhere") and b) that they've been created by the NSA. But there's no concrete proof of any backdooring and it seems relatively implausible, as no method is known that would explain how that backdooring would work. I guess most people familiar with the facts don't believe they are backdoored.