The cr.yp.to microblog: 2021.05.04 06:56:37

2021.05.04 06:56:37 (1389443827006545922) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389333197180260358):

The crazy leap from "DH is secure" to "every protocol is secure" certainly causes real-world failures. This doesn't mean there's anything controversial about the security of DH. It also doesn't at all support the claim of SIKE's extra complications being easy/cheap to protect.

2021.05.04 07:06:27 (1389446302136635395) from Daniel J. Bernstein:

As for proofs, https://eprint.iacr.org/1999/007 proves (pre-quantum) DH CCA security under a standard-model assumption that has resisted extensive cryptanalysis for typical curves and hash functions. Saying the assumption follows from DDH in the ROM is wildly understating how solid it is.

2021.05.04 07:16:34 (1389448848662163458) from Daniel J. Bernstein:

Adding timing attacks into the picture makes ECDH security much more fragile, although doable. Adding more side channels turns it into "typical deployments are breakable at low cost". SIKE is more complicated, with more side-channel attack targets, and needs more investigation.

2021.05.04 07:26:27 (1389451334282219524) from Daniel J. Bernstein:

Structurally, the vagueness in the middle part of "SIKE => reminiscent of ECC => cheap/easy to protect against side channels" is also problematic, since for each example of SIKE side-channel risks one then gets side-tracked into discussing the extent to which it's an ECC example.

2021.05.04 07:33:35 (1389453128576114689) from Daniel J. Bernstein:

How expensive is it to protect SIKE against low-cost or medium-cost side channels? We don't know. Could be more expensive than for competitors; could be less. The necessary analysis is in its infancy. Trying to claim that this supports a "case for SIKE" today is unjustifiable.

2021.05.04 07:38:49 (1389454447005237248) from Daniel J. Bernstein:

Having this flimsy side-channel argument in a "case for SIKE" document also distracts attention from arguments that are clear and quantified and justified, such as the fact that the best attack known against SIKE's proposed parameters is 1990s-vintage vOW golden-collision search.

Context

2021.05.03 12:56:32 (1389172012665516037) from "Luca De Feo (@luca_defeo)":

2. Even if you don't care about assumptions, you must test for group membership to protect against invalid point attacks. This requires constant-time comparisons, which are as easy to botch as they were in the SIKE code. I really don't see a difference between ECC and SIKE here.

2021.05.03 13:21:44 (1389178354859798530) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389172012665516037):

One of the ways ECDH has improved over the years is moving to curves+encodings where this KEM (and, more broadly, ECDH NIKE) is secure _without_ any checks for invalid points. Also, hashed DH doesn't need a gap assumption except for writing theory papers. Pairings don't break it.
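To make the hashed-DH point in the two posts above concrete (a CCA-secure hashed DH KEM over a curve+encoding that needs no invalid-point checks), here is an added example, not code from either participant: a minimal hashed-DH KEM over X25519 written from the RFC 7748 ladder. The KEM shape (SHA-256 over recipient key, ephemeral key and raw DH output) is this example's own assumption, and Python big-integer arithmetic is not actually constant-time, so the cswap only shows the branch-free structure.

```python
import hashlib
# Hypothetical hashed-DH KEM over X25519 (RFC 7748 ladder), constructed for this example.
P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4

def decode_scalar(k: bytes) -> int:
    # RFC 7748 clamping: clear low 3 bits, clear top bit, set bit 254
    b = bytearray(k); b[0] &= 248; b[31] &= 127; b[31] |= 64
    return int.from_bytes(b, "little")

def cswap(swap: int, a: int, b: int):
    # Arithmetic conditional swap: no branch on the secret bit
    d = (-swap) & (a ^ b)
    return a ^ d, b ^ d

def x25519(k: bytes, u: bytes) -> bytes:
    # Any 32-byte u is accepted (twist and low-order points too); a low-order input gives all-zero output.
    n = decode_scalar(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

BASE = (9).to_bytes(32, "little")
def keygen(sk: bytes) -> bytes:
    return x25519(sk, BASE)

def encaps(pk_r: bytes, eph_sk: bytes):
    # Hashed DH: the session key binds both public keys and the raw DH value.
    eph_pk = keygen(eph_sk)
    return eph_pk, hashlib.sha256(pk_r + eph_pk + x25519(eph_sk, pk_r)).digest()

def decaps(sk_r: bytes, pk_r: bytes, eph_pk: bytes) -> bytes:
    # No point validation on eph_pk: the ladder accepts every 32-byte string.
    return hashlib.sha256(pk_r + eph_pk + x25519(sk_r, eph_pk)).digest()
```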

2021.05.03 23:37:01 (1389333197180260358) from "Luca De Feo (@luca_defeo)":

I believe you express 2 controversial opinions here: 1. "Well designed curves are secure without point validation". It is known this leads to subtle failures, e.g.: https://www.getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html 2. "Hashed DH doesn't need a [CCA proof]". Do I have to explain why this is controversial?