what is "constant time"?
Improved signing security
For 0.10 the security of signing against unusual attacks has been improved by making the signatures constant time and deterministic.
This change is a result of switching signing to use libsecp256k1 instead of OpenSSL. Libsecp256k1 is a cryptographic library optimized for the curve Bitcoin uses which was created by Bitcoin Core developer Pieter Wuille.
There exist attacks[1] against most ECC implementations where an attacker on shared virtual machine hardware could extract a private key if they could cause a target to sign using the same key hundreds of times. While using shared hosts and reusing keys are inadvisable for other reasons, it's a better practice to avoid the exposure.
OpenSSL has code in their source repository for derandomization and reduction in timing leaks, and we've eagerly wanted to use it for a long time but this functionality has still not made its way into a released version of OpenSSL. Libsecp256k1 achieves significantly stronger protection: As far as we're aware this is the only deployed implementation of constant time signing for the curve Bitcoin uses and we have reason to believe that libsecp256k1 is better tested and more thoroughly reviewed than the implementation in OpenSSL.
[1] https://eprint.iacr.org/2014/161.pdf
A countermeasure against http://en.m.wikipedia.org/wiki/Timing_attack?
Although I can't think of a practical scenario where a typical user would ever be exposed to this, yes, the concern is side-channel attacks (e.g., a timing attack):
( ... cut a lot of helpful links, quote and explanations ... )
I think deterministic signatures are much more important than constant-time signatures (there's been a non-trivial amount of funds lost due to the repeat k-value problem, but I doubt a single satoshi has ever been lost due to a genuine side-channel attack). Someone like gmaxwell could comment better on the practical risks here.
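To make the "deterministic" half concrete, here is an added example (not code from any poster, from Bitcoin Core or from libsecp256k1) of the RFC 6979 nonce derivation with HMAC-SHA256, which is the standard way to get a per-signature k from the private key and message hash alone so that the repeat-k failure mode cannot arise; it assumes the secp256k1 group order and uses only the Python standard library.

```python
import hashlib
import hmac

# Order of the secp256k1 group (the curve Bitcoin uses).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_nonce(private_key: int, msg_hash: bytes, n: int = SECP256K1_N) -> int:
    """Derive the ECDSA nonce k from (private_key, msg_hash) as in RFC 6979
    section 3.2, instantiated with HMAC-SHA256 (assumed here; qlen == hlen == 256).
    Same inputs always give the same k, and no RNG is consulted at signing time,
    so two signatures can only share k if they sign the same hash with the same key."""
    if not 1 <= private_key < n:
        raise ValueError("private key out of range")
    if len(msg_hash) != 32:
        raise ValueError("expected a 32-byte message hash")
    x = private_key.to_bytes(32, "big")                        # int2octets(x)
    # bits2octets(h1): reduce the hash mod n, then encode as 32 big-endian bytes.
    h = (int.from_bytes(msg_hash, "big") % n).to_bytes(32, "big")
    v = b"\x01" * 32
    k = b"\x00" * 32
    k = _hmac_sha256(k, v + b"\x00" + x + h)
    v = _hmac_sha256(k, v)
    k = _hmac_sha256(k, v + b"\x01" + x + h)
    v = _hmac_sha256(k, v)
    while True:
        v = _hmac_sha256(k, v)                                  # T = V, one block suffices
        candidate = int.from_bytes(v, "big")
        if 1 <= candidate < n:
            return candidate
        # Candidate outside [1, n-1] (vanishingly rare): advance state and retry.
        k = _hmac_sha256(k, v + b"\x00")
        v = _hmac_sha256(k, v)


def nonce_for_message(private_key: int, message: bytes) -> int:
    """Hash the message with SHA-256 (a constructed choice for this example)
    and derive the deterministic nonce for it."""
    return rfc6979_nonce(private_key, hashlib.sha256(message).digest())
```

Signing the same message twice with the same key yields the identical k (and therefore an identical signature), while changing either the key or the message changes k.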
I concur with all you said. I think that Pieter Wuille took a chance to snap in this "constant time" thing while writing libsecp256k1. What seems weird to me is that they don't mention the main advantage of replacing OpenSSL with such "custom made" signing tool:
speed.
Quoting gmaxwell's email to the bitcoin-development mailing list (related to the headers-first sync feature):
(I'm using 295k as the target here because after that point ecdsa
dominates, and then your 6+x faster libsecp256k makes more of a
difference)
(bold is mine)