MIME-Version: 1.0
References: <CAH5Bsr3EtFpecXPG07so1KA0sre9Cy-XPv=BADBgUe4M7kuxFg@mail.gmail.com>
 <143g8W700TxSwkQM6rPf7NfRYcaVJoBqYLfR99gwtb-kBfL76EK556d4U8aNyEVRz5bp1eFzApLwPMSnhwAnK5m_htjqVREn5yZxXRCORiU=@wuille.net>
In-Reply-To: <143g8W700TxSwkQM6rPf7NfRYcaVJoBqYLfR99gwtb-kBfL76EK556d4U8aNyEVRz5bp1eFzApLwPMSnhwAnK5m_htjqVREn5yZxXRCORiU=@wuille.net>
From: Lloyd Fournier <lloyd.fourn@gmail.com>
Date: Thu, 26 Mar 2020 02:07:48 +1100
Message-ID: <CAH5Bsr2jgBHHTNEECC5OPZW6RjsEvto3mg0doTyWkrHCU-rdVw@mail.gmail.com>
To: Pieter Wuille <bitcoin-dev@wuille.net>
Content-Type: multipart/alternative; boundary="000000000000cec3a205a1af3c30"
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Mitigating Differential Power Analysis in BIP-340
Precedence: list

--000000000000cec3a205a1af3c30
Content-Type: text/plain; charset="UTF-8"

Hi Pieter,

Thanks for the detailed response.


> /secret key/secret keyI'll try to summarize the discussion we had that led
> to this choice, but most of it is on
> https://github.com/sipa/bips/issues/195 if you want the details.


Ahh I can't believe I missed that github issue while searching. I guess I
started reading a paper on DPA and got carried away. I can see you got to
where I was and then went much further including some empirical analysis.
Nice. I agree with the conclusion that xor is more robust than just hashing
randomness in the same block as the secret key.


> Let me first try to address what I think you're overlooking: in a
> BIP32/Taproot like scenario, the private key that goes into the signing
> algorithm functions as *both* secret and known to the attacker. That is to
> say, there is a master secret s, and signing key x that goes into the hash
> is x=s+a (mod n) for some value a that the attacker knows, and can modify
> (he cannot control it directly, but he may be able to grind it to have a
> structure he likes). I believe that means that feeding x to a hash directly
> itself is already a problem, regardless of what else goes into the hash -
> interactions between bits inside the hash operation that all come from x
> itself can leak bit-level information of x.  XORing (or any other simple
> mix operation that does not expose bit-level information) into the private
> key before giving it to a hash function seems like it would address this.
>

This is an subtle point that I didn't cross my mind. My gut feeling is
there isn't even a computational argument to made that what I was
suggesting is secure against DPA in that setting. DPA seems to be a PITA. A
footnote in the BIP with a citation for DPA (the ed25519 one from the issue
is good) and a hint about why you should avoid hashing Bitcoin secret keys
altogether would be good. This brings us to the next point.

It also assumes that somehow the computation of x itself is immune from
> leaks (something you pointed out in a previous e-mail, I noticed).
>

From my reading of the HMAC papers it seems you might be able to vary the
BIP32 child index derivation to do this attack. Just thinking about it now,
these attacks seem far fetched just because in order for it to be useful
you need to have physical access to the device and to be able to accurately
measure power consumption in high resolution (which I guess you can't do
from a typical USB bus from corrupted software). Then you also need to get
the user to do lots of signing or derivation with their device. I guess a
malicious cable with some way of exfiltrating power consumption could do it.


> I'm happy for any input you may have here. In particular, the recent
> discussions around the interactions between anti-covert channel protection,
> randomness, and the ability to spot check hardware devices may mean we
> should revise the advice to consider not adding randomness unless such a
> anti-covert channel scheme is used.
>

My only comment here is that there will end up being more than one way to
do it and I think what you and your collaborators have put forward is at a
local optimum of design (now that I understand it). Thanks and well done!
It won't be the right optimum for everyone. To me, it seems like a good
place to start. If you develop a decent nonce exfiltration protected
signing protocol later then I don't see why HW wallets wouldn't compete for
favour amongst the community by implementing and updating their devices to
conform to it.

LL

--000000000000cec3a205a1af3c30
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_quote"><div>Hi Pieter,</div><div><br><=
/div><div>Thanks for the detailed response.</div><div>=C2=A0</div><blockquo=
te class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">/secret key/secret keyI&#39;ll try=
 to summarize the discussion we had that led to this choice, but most of it=
 is on <a href=3D"https://github.com/sipa/bips/issues/195" rel=3D"noreferre=
r" target=3D"_blank">https://github.com/sipa/bips/issues/195</a> if you wan=
t the details.</blockquote><div><br></div><div>Ahh I can&#39;t believe I mi=
ssed that github issue while searching. I guess I started reading a paper o=
n DPA and got carried away. I can see you got to where I was and then went =
much further including some empirical analysis. Nice. I agree with the conc=
lusion that xor is more robust than just hashing randomness in the same blo=
ck as the secret key.</div><div>=C2=A0</div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204)=
;padding-left:1ex">
Let me first try to address what I think you&#39;re overlooking: in a BIP32=
/Taproot like scenario, the private key that goes into the signing algorith=
m functions as *both* secret and known to the attacker. That is to say, the=
re is a master secret s, and signing key x that goes into the hash is x=3Ds=
+a (mod n) for some value a that the attacker knows, and can modify (he can=
not control it directly, but he may be able to grind it to have a structure=
 he likes). I believe that means that feeding x to a hash directly itself i=
s already a problem, regardless of what else goes into the hash - interacti=
ons between bits inside the hash operation that all come from x itself can =
leak bit-level information of x.=C2=A0 XORing (or any other simple mix oper=
ation that does not expose bit-level information) into the private key befo=
re giving it to a hash function seems like it would address this.<br></bloc=
kquote><div><br></div><div>This is an subtle point that I didn&#39;t cross =
my mind. My gut feeling is there isn&#39;t even a computational argument to=
 made that what I was suggesting is secure against DPA in that setting. DPA=
 seems to be a PITA. A footnote in the BIP with a citation for DPA (the ed2=
5519 one from the issue is good) and a hint about why you should avoid hash=
ing Bitcoin secret keys altogether would be good. This brings us to the nex=
t point.</div><div><br></div><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1=
ex">It also assumes that somehow the computation of x itself is immune from=
 leaks (something you pointed out in a previous e-mail, I noticed).<br></bl=
ockquote><div><br></div><div>From my reading of the HMAC papers it seems yo=
u might be able to vary the BIP32 child index derivation to do this attack.=
 Just thinking about it now, these attacks seem far fetched just because in=
 order for it to be useful you need to have physical access to the device a=
nd to be able to accurately measure power consumption in high resolution (w=
hich I guess you can&#39;t do from a typical USB bus from corrupted softwar=
e). Then you also need to get the user to do lots of signing or derivation =
with their device. I guess a malicious cable with some way of exfiltrating =
power consumption could do it.</div><div>=C2=A0</div><blockquote class=3D"g=
mail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204=
,204,204);padding-left:1ex">
I&#39;m happy for any input you may have here. In particular, the recent di=
scussions around the interactions between anti-covert channel protection, r=
andomness, and the ability to spot check hardware devices may mean we shoul=
d revise the advice to consider not adding randomness unless such a anti-co=
vert channel scheme is used.<br></blockquote><div>=C2=A0</div><div>My only =
comment here is that there will end up being more than one way to do it and=
 I think what you and your collaborators have put forward is at a local opt=
imum of design (now that I understand it). Thanks and well done! It won&#39=
;t be the right optimum for everyone. To me, it seems like a good place to =
start. If you develop a decent nonce exfiltration protected signing protoco=
l later then I don&#39;t see why HW wallets wouldn&#39;t compete for favour=
 amongst the community by implementing and updating their devices to confor=
m to it.</div><div><br></div><div>LL</div><div>=C2=A0</div></div></div>

--000000000000cec3a205a1af3c30--