Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

Re: [STDS-802-11] 11-19/1173r9-- mitigating side channel and timing attacks

--- This message came from the IEEE 802.11 Working Group Reflector ---

Hi Dan:

 

      Thanks for your updated “SAE with SSWU”  proposal,  I have a few questions and comments :

 

       Q1:  I have noticed you updated the PT generation from previous version with:

           

           PT(m) := SSWU(h1(m)) + SSWU(h2(m))  (1),

     rather

         PT(m) := SWU(h1(m)) + h2(m) * G     (2) ,

Which was in your previous version of submission.  I would assume equation (1) can be expanded as:

 

     PT(m) := SSWU(h1(m)) + SSWU(h2(m)) = SWU(h1(m))+ h1(m)*G + SWU(h2(m))+h2(m)*G, with SSWU denotes Brier’s simplified SWU construction, where both the addition are the points addition on the curve.  There are two observations:

 

i)                    Equation (1) involves 3 points additions vs 1 point addition in Equation (2),  hence overhead is my concern.

ii)                  From indistinguishability point of view, equation (1) is essentially equivalent to (2) in terms of the  Random Oracle Encodings.

 

My question is any particular reasons to update the PT generation from (2) to (1)? From my perspective, equation (1) doesn’t provide any enhancement from (1) in indistinguishability.

 

     Q2: Related to Q1, I think equation (1) is another type of  simple hash to curve construction in Brier’s paper, but he admits that using construction (similar to equation (1)) convert to SWU wouldn’t be that simple (equation (1) is more suitable for Icart’s function ( Page 3 of Brier’s paper). 

 

     Q3: I am yet on the same page of PWE generation needs to be ROM (Random Oracle Model) proof.  My understanding is the PWE generation is merely a function of mapping a arbitrary bit string to a curve point, then the SAE  (Dragonfly) protocol part provides the ROM proof. SSWU generation is proved to be ROM encoding in Brier’s paper.  In another words, should there be simpler solution than the SWU? i.e the naïve encoding by H(m)*G which is also running in constant time and efficient.

 

 

Thanks

Rob

 

 

 

 

   

 

  

    

 

                     

 

        

 

From: Harkins, Daniel [mailto:daniel.harkins@xxxxxxx]
Sent: Friday, August 2, 2019 2:02 PM
To: STDS-802-11@xxxxxxxxxxxxxxxxx
Subject: [STDS-802-11] 11-19/1173r9-- mitigating side channel and timing attacks

 

--- This message came from the IEEE 802.11 Working Group Reflector ---

 

  Hello,

 

  I have updated 11-19/1173 to do the "Simplified SWU" method of hashing to a curve. This supports

all the curves possible with SAE and is more efficient that the previous version. It can be implemented

in constant time which will mitigate the side channel and timing attacks described in the recent

"Dragonblood" paper. In addition, it mitigates a group downgrade attack (also described in that paper).

 

      https://mentor.ieee.org/802.11/dcn/19/11-19-1173-09-000m-pwe-in-constant-time.docx

 

  Please take a look. I have implemented this so I know it works. The question is, though, is this

specified in a clear enough way for others to implement.

 

  regards,

 

  Dan.

 

 

To unsubscribe from the STDS-802-11 list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11&A=1

To unsubscribe from the STDS-802-11 list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11&A=1