whoops (residues in a finite field)

Travis H. solinym at gmail.com
Mon Dec 19 04:41:43 EST 2005


Schneier mentions whooping values (whoops?  I don't know the precise
term) in doing modular arithmetic.  I was wondering what people
thought of this.

Basically if you've got a huge finite field, and do arithmetic on it,
the whoop values are the residues in a much smaller field that is
unknown to the end-user (attacker).  Basically you use arithmetic
relations on the whoops to double-check the larger bignum values
you're using.  He says no mpi/modular arithmetic libraries that he
knows of use this technique, but it sounds intriguing.

The idea is that if an attacker exploits a bug in the modexp routines
or what have you, you catch it by checking the whoops, instead of
having a silent failure.  Exactly what you would do in that case, I'm
not sure... he suggests terminating silently, but that too is kind of
a sign to the attacker.  Perhaps you could continue the computations
with totally random inputs... but this sounds wrong to me too.  I am
reminded of some very evil advice I heard from a security guy, who
said if you can't respond in a reasonable amount of time that you
might want to tell the user that they had entered an invalid password
or something to that effect, so that the perceived performance problem
is minimized.  Lie to the users?  Remind me to not use that guy's
software.  I'll take correct over fast any day.
--
http://www.lightconsulting.com/~travis/  -><- P=NP if (P=0 or N=1)
"My love for mathematics is like 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
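An added worked example of the check the post describes (this is not code from Travis's post, from Schneier, or from any bignum library): the big modular exponentiation is carried out in the large modulus n, and a "whoop" residue in a small secret prime field GF(r) is computed independently and compared against the big result. To make the residue survive reduction mod n, the big computation is done modulo n*r and the small-field value is obtained with the exponent reduced by Fermat's little theorem; that extended-modulus construction is an assumption about how to realize the idea, not something the post specifies. The function names (`checked_modexp`, `flip_bit_at`, `fault_is_detected`) and the toy RSA parameters n=3233, e=17, d=2753 are constructed for the example.

```python
import secrets

# Miller-Rabin primality test; used only to pick the small secret modulus r.
def is_probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_small_prime(bits=32):
    """A fresh secret prime r (the 'much smaller field' the attacker does not know)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def modexp(base, exp, mod, fault=None):
    """Right-to-left square-and-multiply, standing in for a bignum library's modexp.
    `fault` is an optional hook (step, value) -> value used by the demo below to
    simulate a buggy or corrupted intermediate result."""
    result, base, step = 1, base % mod, 0
    while exp > 0:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
        step += 1
        if fault is not None:
            result = fault(step, result)
    return result

def checked_modexp(base, exp, n, r=None, fault=None):
    """base**exp mod n, cross-checked against an independent residue in GF(r)."""
    assert exp > 0
    if r is None:
        r = random_small_prime()
    m = n * r
    x = modexp(base, exp, m, fault)        # the big computation, done mod n*r
    # The whoop: the same value computed separately in the small field. Since r is
    # prime, base**exp == base**(exp mod (r-1)) (mod r) unless r divides base.
    whoop = 0 if base % r == 0 else pow(base % r, exp % (r - 1), r)
    if x % r != whoop:
        raise ArithmeticError("whoop check failed: bignum result inconsistent mod r")
    return x % n                           # reduce to the answer the caller wanted

def flip_bit_at(step, bit=5):
    """Simulated bug: corrupt one bit of the intermediate at a given step."""
    def fault(s, value):
        return value ^ (1 << bit) if s == step else value
    return fault

def fault_is_detected(base, exp, n, r, step):
    """True if a single-bit corruption at `step` is caught by the whoop check."""
    try:
        checked_modexp(base, exp, n, r, fault=flip_bit_at(step))
    except ArithmeticError:
        return True
    return False

if __name__ == "__main__":
    # Toy RSA: n = 61*53 = 3233, e = 17, d = 2753; 65 encrypts to 2790.
    print(checked_modexp(65, 17, 3233))          # 2790, with a random secret r
    print(checked_modexp(2790, 2753, 3233))      # 65
    print(fault_is_detected(65, 17, 3233, 1009, 3))   # True
```

For the single-bit flip simulated here the check fires with certainty whenever r is an odd prime not dividing the base, because the corrupted and correct results differ by a nonzero multiple of 32 modulo r. For an arbitrary error in the big arithmetic the check misses with probability about 1/r, which is why r should be a fresh secret prime of reasonable size rather than a tiny fixed constant. The example raises an exception rather than deciding what the caller should do on failure, which is the open question the post leaves.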

---------------------------------------------------------------------
The Cryptography Mailing List