IETF Logo Mail Archive

Re: [Cfrg] testability of signature input/output parameters

Mike Hamburg <mike@shiftleft.org> Thu, 04 June 2015 17:13 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F324F1A1A60 for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 10:13:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uAvDyPfLzl9H for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 10:13:06 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BEBA1A1A5D for <cfrg@irtf.org>; Thu, 4 Jun 2015 10:13:06 -0700 (PDT)
Received: from [192.168.1.102] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 4D20A3A9C4; Thu, 4 Jun 2015 10:11:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1433437874; bh=1cvfXyj4n3P8ZyHd0Zd1p2U+/1IqTux04aQJyt8Pvdg=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=B6E/gtoxV4fhKGMNHeVsUCKoK98lry6DMQpJLGCM/Jf4sKk/NJOg7W55fmM/ANgdY MIISzC5DUoIipm7Prdq4MVLMQl8pHnAs9KPrYTa4e0+VogE7s/VLt+r9M9Khd9i+fA w1SxzqzBfANDkCsDb4Rox31VF0/WgyxXX/mSRhrg=
Message-ID: <5570871E.7090907@shiftleft.org>
Date: Thu, 04 Jun 2015 10:13:02 -0700
From: Mike Hamburg <mike@shiftleft.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>, Taylor R Campbell <campbell+cfrg@mumble.net>
References: <20150604163716.8D164605E8@jupiter.mumble.net> <55708413.6010404@gmail.com>
In-Reply-To: <55708413.6010404@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/0YFyCPpX4xhKoWgg9VabQeRtBIw>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] testability of signature input/output parameters
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2015 17:13:09 -0000

Rene,

Your quibble is true for any testing scheme.  Public test vectors in a 
spec aren't for proving that a piece of software is free of hidden 
faults.  They are for software authors checking that their 
honestly-written software does at least roughly the right thing, at 
least some fraction of the time.  An evaluator can also use their own 
test vectors to defeat a "CFRG lookup table", but that still does not 
prove the absence of backdoors.

Obviously the coverage you get from this varies by primitive, so AES is 
more testable than signing.  Fine.  But specifying deterministic 
signatures still improves testability, to a degree that will be useful 
in the real world.

-- Mike

On 06/04/2015 10:00 AM, Rene Struik wrote:
> This only verifies that the implementation outputs behavior consistent 
> with what is written in the spec. It does not verify correctness for 
> any other input or for a non-exposed signing key {an implementation 
> could simply include a table look-up for "CFRG test vectors" and do 
> its own thing otherwise (and you would not catch this...)}. This 
> illustrates the limited value of such tests. Comparing test results 
> with a handful of printed values in a spec is *not* the same as 
> validating the proper functioning of an implementation module.
>
> On 6/4/2015 12:38 PM, Taylor R Campbell wrote:
>>     Date: Thu, 04 Jun 2015 11:24:18 -0400
>>     From: Rene Struik <rstruik.ext@gmail.com>
>>
>>     Well, neither do deterministic signatures seem to help here: if one
>>     presumes k=f(m,d) and indeed finds that, for fixed public 
>> signature key,
>>     repeats of message m produce the same signature, this does not
>>     necessarily imply that f depends on private parameter d (for all one
>>     knows, k could only depend on public parameter m). This can only be
>>     detected if one prints the private parameter d in the spec. However,
>>     this does not say anything about behavior with 
>> "non-printed-in-the-spec"
>>     parameters.
>>
>> How do you write a test vector for signing without including the
>> signing key?
>>
>> For a deterministic scheme, test vectors of the form
>>
>> (secret key, message, signature)
>>
>> verify correctness of the complete signing operation.
>
>>
>> For a nondeterministic scheme, test vectors of the form
>>
>> (secret key, message, nonce, signature)
>>
>> verify only correctness of the deterministic part of the signing
>> operation, and cannot verify correctness of nonce generation. For
>> RSASSA-PSS, `nonce' generation is inconsequential for security; for
>> ECDSA, nonce generation makes or breaks it.
>
>

v2.23.0 | Report a Bug | By Email