--- Log opened Fri Oct 25 00:00:45 2019
00:07 < sipa> what?
00:07 < sipa> i've never heard that
00:08 < sipa> and i wouldn't be surprised if picking an odd k would actually leak your private key over time
00:11 < elichai2> https://blog.cr.yp.to/20191024-eddsa.html
00:11 < elichai2> Still reading
00:13 < elichai2> It's weird. Most of his math sounds like he talks about a multiplicative group, but his examples are on EC
00:13 < gmaxwell> that's talking about discrete log in the multiplicative group of Zp
00:14 < gmaxwell> where the nonce can't divide the group order, for ecc people work in a prime (sub)group.
00:19 < elichai2> It's confusing when he's going back and forth between Zp and EC
00:22 < gmaxwell> He's writing an awful lot of text to make a relatively simple point. The NSA groups have P's where using an especially naive algorithm for picking the nonce (which also happens to be what NSA recommended using) results in almost a half bit of bias right out of the gate.
00:22 < gmaxwell> The lattice attack itself doesn't really touch EC, it's just operations with integers.
00:24 < gmaxwell> [As far as we go, in secp256k1 the group order is so close to a power of two that a totally stupid algo results in negligible bias, ... and in libsecp256k1 we rejection sample in any case, because we're not idiots.]
00:26 < gmaxwell> I don't know why DJB keeps writing like this,
00:26 < gmaxwell> "Software for X25519, Ed25519, etc. does everything the typical user needs, is much simpler than traditional software aiming at the same security goals, and would gain very little in simplicity from using variable-time algorithms."
00:28 < gmaxwell> this is extremely misleading. every one of his own ed25519 implementations includes variable time implementations. every one, yet in the surrounding text he describes the mere presence of variable time code as a liability.
00:28 < elichai2> If the Minerva attack doesn't work on EC why is he talking so much about ecdsa VS eddsa?
00:28 < gmaxwell> this sort of crud actively misleads people, and does nothing to enhance the otherwise fine points he makes.
00:29 < gmaxwell> elichai2: these biased nonces are totally oblivious to the ecc stuff, they just run entirely on scalars.
00:31 < gmaxwell> like I tell you a bunch of s values where you know s = k + xe in Z_p for some unknown constant x, random known e's and random unknown k where all the k are < 1/2 P (note that <1/2 is something that doesn't make much sense in a field!)
00:31 < gmaxwell> no ECC mentioned in that problem statement, yet that's also what a timing attack against a shitty ECC signature implementation gives you, because from timing you can identify signatures with smaller k's.
00:32 < gmaxwell> And then using a lattice basis reduction given all those s' you can find x.
00:34 < gmaxwell> (he mentions the term I would use for this problem, "hidden-number problem")
00:45 < gmaxwell> funny that the Minerva people claimed to have exploited it against the gcrypt eddsa implementation while all they really did was notice that the timing was suspicious.
00:45 < gmaxwell> Though not that uncommon for academic work.
00:49 < gmaxwell> though it's funny that libgcrypt was saved only because it did something extremely pants on head stupid. (it manages to multiply G by a 512 bit k ... and leaks k's size but since it's using an oversized exponent the size of k after the effective modular reduction by the group is unrelated ... for the low price of making libgcrypt pretty much a full 2x slower at signing)
00:49 < sipa> haha
00:55 < gmaxwell> DJB claims to have anticipated this 'save'.... I was about to write that I find that hard to believe that anyone would expect you to use 512 bit exponent with a 256 bit group.... but in fact he kinda actually did: He was defending exp ladders that can't handle an infinity, and effectively suggesting that you set the highest bit like he did with x25519 (which would result in a total break for HNP) but
00:55 < gmaxwell> then use a 512 bit value so you're still uniform.
00:55 < gmaxwell> Which like, I think deserves the LukeJr prize for dogmatic adherence to a prior position.
00:56 < gmaxwell> I can't figure out why he'd argue this, whatever slowdown his group law would get from handling infinities can't be as bad as doubling the execution time.
00:59 < gmaxwell> unfortunately, it looks like DJB didn't respond to someone wtfing him on the list. :) ... probably because the first part of it was stupid (claimed that it wasn't obviously safe).
02:33 < elichai2> " Which like, I think deserves the LukeJr prize for dogmatic adherence to a prior position." Looool
02:49 < gmaxwell> (to be clear, I respect Luke's ability to hold his ground even if at times it can sometimes be frustrating!)
10:51 < midnightmagic> And annoyingly (or impressively I suppose) in deep retrospect he is often more right than people expected, too.
--- Log closed Sat Oct 26 00:00:45 2019