Follow

Somehow brilliant and awful at the same time.

From a new paper by Koblitz on failures of security proofs :

"

A particularly bothersome feature of side-channel attacks is that a countermeasure taken to reduce risk from one type of side-channel leakage might increase vulnerability to other types of attacks. A common recommendation to avoid timing and power-consumption attacks is to introduce ...

(1/n)

He comes down hard on people trying to avoid the ROM:

"In [225] we commented that the generic group model is farther removed from reality than the random oracle model. A well-designed hash function has no perceptible structural feature that could ever be exploited by an adversary. In contrast, the groups used in cryptography all have structural elements that could possibly be of use in some kind of attack. ...

"

(3/n)

"

... For example, the group in DSA is a subgroup of the nonzero residues mod p. Elliptic curve groups over a binary field have subsets of points whose x-coordinate is represented by a low-degree polynomial. The generic group assumption in such cases is very strong, since it says that no adversary will ever find a way to use these features."

This is actually only an excerpt of a whole section talking about this issue.

I'm reminded of the amusing fact that Brown "proved" ECDSA is ...

(4/n)

... strongly unforgeable (SUF-CMA) in the generic group model, waving aside the unfortunate fact that it is in fact demonstrably not strongly unforgeable since you just have to flip the sign of s :)

(5/n)

waxwing@waxwing@x0f.org...

dummy steps so that operations with a 0-bit of the secret key are indistinguishable from operations with a 1-bit.

However, the use of dummy steps may enable an induced-fault adversary to detect the location of the 0-bits because an induced fault during a dummy step will not affect the output, while a fault induced during a necessary operation will."

https://eprint.iacr.org/2019/1336.pdf

(paper is really interesting so far...)

(2/n?)