[Cryptography] We need a new encryption algorithm competition.

Nico Williams nico at cryptonector.com
Wed Mar 19 22:53:40 EDT 2014


On Wed, Mar 19, 2014 at 10:11:48PM -0400, Jerry Leichter wrote:
> On Mar 19, 2014, at 5:02 PM, Nico Williams <nico at cryptonector.com> wrote:
> > Eh, this is if you know the one bit of the plaintext encrypted with
> > RSA, but that plaintext is generally a randomly chosen key for a
> > symmetric cryptosystem used to protect the real plaintext of the
> > message....
> Hmm.  A day or so back, I sent one message explaining why MITM was a
> meaningless concept in one usage of DH, and got the response "but DH
> is vulnerable to MITM".  Here, I described an attack explaining why
> you want to use asymmetric crypto such as RSA to establish a key for a
> symmetric crypto system, rather than directly encrypting semantically
> meaningful information ... and the response is that the attack isn't
> relevant because we use RSA to encrypt keys for symmetric
> cryptosystems.
> 
> Either my writing has become very unclear, or some of my
> correspondents aren't bothering to read what I wrote before responding
> with canned repetitions of well-known cryptographic principles,
> whether they are relevant to the situation at hand or not.
> 
> So for this one, let me repeat myself:  The Goldwasser/Micali/Tong

Fair snark; we're retreading.  This particular issue does not affect
CurveCP.  Ian's comment/question was:

| Personally, I buy the argument because I wrestle with the iceberg, but
| there is one counter-argument which holds me short of the conclusion,
| which is side-channel attacks.  Many side-channel attacks are conducted
| where repeated access to the PK pair is possible, and the latter model
| reduces that possibility a lot.

which is a reference, IIUHC, to whether the implementation (of whatever
the PK cryptosystem be) is susceptible to side-channel attacks (usually
by not being constant-time).  That would certainly be a problem, but it
shouldn't be a problem for DJB's curves (I suppose one can implement
them in non-constant time ways, but one shouldn't...).

(For example:

http://www.gossamer-threads.com/lists/openssh/dev/56607

claims that the curve25519 donna implementation is not constant-time,
therefore it's not safe to use it for anything other than key exchange
with ephemeral keys.  Clearly, if the first assertion is correct, then
the latter follows.

The curve25519 donna implementation page claims it's constant-time
though, and DJB's implementation is.)

My point to Ian is that security considerations abound, and there's no
need to frown on PK in general, or CurveCP in particular, over his
concern about PK key pair reuse.  After all, non-constant-time AES
implementations are as fatal to security as non-constant-time PK (RSA,
DH, ECDH, ...) implementations can be.  Instead what one has to do is
use the cryptosystems correctly and use appropriate implementations.

Perhaps Ian has a *different* problem in mind than leakage via time
differentials.

Nico
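The constant-time property the thread keeps coming back to, shown on the conditional swap at the core of a Montgomery ladder (the step that makes or breaks a constant-time curve25519 scalar multiplication). This is an added illustration, not code from this post, from curve25519-donna, or from DJB's implementation; the five-limb layout and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#define LIMBS 5  /* constructed toy width; real curve25519 limb layouts differ */

/* Leaky form: the branch makes execution time and branch-predictor state
 * depend on the secret scalar bit `swap`, the kind of leak the thread is about. */
static void cswap_branching(uint64_t a[LIMBS], uint64_t b[LIMBS], unsigned swap) {
    if (swap) {
        for (int i = 0; i < LIMBS; i++) { uint64_t t = a[i]; a[i] = b[i]; b[i] = t; }
    }
}

/* Constant-time form, the idiom Montgomery-ladder implementations use: the same
 * loads, stores and XORs run for both values of `swap`; a mask does the selecting. */
static void cswap_ct(uint64_t a[LIMBS], uint64_t b[LIMBS], unsigned swap) {
    uint64_t mask = (uint64_t)0 - (uint64_t)(swap & 1);  /* all ones or all zeros */
    for (int i = 0; i < LIMBS; i++) {
        uint64_t d = (a[i] ^ b[i]) & mask;
        a[i] ^= d;
        b[i] ^= d;
    }
}

/* Runs one constant-time swap of the constructed inputs {1..5} / {6..10} and
 * returns a[0], so the effect of the secret bit can be observed. */
static uint64_t first_limb_after_cswap(unsigned swap) {
    uint64_t a[LIMBS] = {1, 2, 3, 4, 5}, b[LIMBS] = {6, 7, 8, 9, 10};
    cswap_ct(a, b, swap);
    return a[0];
}

/* Functional check that cswap_ct is a drop-in replacement for cswap_branching
 * for both values of the bit; returns 1 on agreement, 0 on any mismatch. */
static int swap_variants_agree(void) {
    for (unsigned bit = 0; bit < 2; bit++) {
        uint64_t a1[LIMBS] = {1, 2, 3, 4, 5}, b1[LIMBS] = {6, 7, 8, 9, 10};
        uint64_t a2[LIMBS] = {1, 2, 3, 4, 5}, b2[LIMBS] = {6, 7, 8, 9, 10};
        cswap_branching(a1, b1, bit);
        cswap_ct(a2, b2, bit);
        for (int i = 0; i < LIMBS; i++)
            if (a1[i] != a2[i] || b1[i] != b2[i]) return 0;
    }
    return 1;
}

int main(void) {
    printf("swap=0: a[0]=%llu  swap=1: a[0]=%llu  agree: %d\n",
           (unsigned long long)first_limb_after_cswap(0),
           (unsigned long long)first_limb_after_cswap(1), swap_variants_agree());
    return 0;
}
```

Constant time is a property of the emitted machine code, not of the C source: an optimizer may turn the mask select back into a branch, so a real implementation is checked on the compiled output (disassembly or a timing harness), not just by reading the source.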