IETF Logo Mail Archive

Re: [Cfrg] Handling invalid points

Natanael <natanael.l@gmail.com> Sat, 22 November 2014 08:00 UTC

Return-Path: <natanael.l@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 890F31A00B6 for <cfrg@ietfa.amsl.com>; Sat, 22 Nov 2014 00:00:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kleTa9QXOTrk for <cfrg@ietfa.amsl.com>; Sat, 22 Nov 2014 00:00:57 -0800 (PST)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06CBA1A00B1 for <cfrg@irtf.org>; Sat, 22 Nov 2014 00:00:57 -0800 (PST)
Received: by mail-wg0-f50.google.com with SMTP id k14so8239982wgh.23 for <cfrg@irtf.org>; Sat, 22 Nov 2014 00:00:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=PcYVaYm344xhnUzNDIY1ATUnxl7jHV7oQuQKFi6F6BY=; b=Guxeuk7gUrJxIvZmbW/YwCogBkpAT3QYaXqrxP6tPUQH/nHtopSATci6t7loL9ptq5 U9FFclZUKThygMd2O3RyU6vv5bmRL4t58duPseU7hPdYQM/fXYAZTxp5jD87nopdhx5B f1/93YDA8Y92beWI2UeBAqyfpjOhb4/Xx3xvZWC1QIPeyc0XQnDly5ARDY8wnl9bVxK3 ZHvnDs9bDhnGnISSIkVfpgT8jHnWs3PtJDYrw796kW3Fldo15Rrd2hYMKX3tk4PcF535 qda31leW8l7VfMjXYjN4YkijhsB+kwdiSAfnbJpuiXpZcaEEIzb047okOePv6UnLF7cH XRqg==
MIME-Version: 1.0
X-Received: by 10.180.187.67 with SMTP id fq3mr3704133wic.37.1416643255541; Sat, 22 Nov 2014 00:00:55 -0800 (PST)
Received: by 10.194.92.176 with HTTP; Sat, 22 Nov 2014 00:00:55 -0800 (PST)
Received: by 10.194.92.176 with HTTP; Sat, 22 Nov 2014 00:00:55 -0800 (PST)
In-Reply-To: <5C83990C-D144-44AC-A5F9-944E499A6F2E@shiftleft.org>
References: <20141121231233.18473.qmail@cr.yp.to> <5C83990C-D144-44AC-A5F9-944E499A6F2E@shiftleft.org>
Date: Sat, 22 Nov 2014 09:00:55 +0100
Message-ID: <CAAt2M1_J3mVxFCd44kg4dcprb3NANdE6W+mg6AycZHd0HicAgQ@mail.gmail.com>
From: Natanael <natanael.l@gmail.com>
To: Michael Hamburg <mike@shiftleft.org>
Content-Type: multipart/alternative; boundary="001a11c38070052b4605086df612"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/1T4o4_UEKxUdG-PL3v1ale76IJA
Cc: cfrg@irtf.org, "D. J. Bernstein" <djb@cr.yp.to>
Subject: Re: [Cfrg] Handling invalid points
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Nov 2014 08:00:59 -0000

Den 22 nov 2014 01:57 skrev "Michael Hamburg" <mike@shiftleft.org>:

> 3)
>
> Another form of “attack” would be to cause two implementations to produce
> different results for a supposedly deterministic computation, eg a
signature
> check.  For example, in the Ed25519 paper, you specify:

[...]

> In both these systems, implementations are allowed to differ when given
inputs
> that are wrong by a small-order amount.  There are more ways to specify
this
> sort of laxness with cofactored curves, though behavior should be
testable by
> vectors if the specification goes one way or the other.
>
> Again, it’s not clear that this constitutes an attack, but it is
something to
> consider when deploying such a system.

The type of attacks that come to mind are consensus breaking attacks,
rather than pure cryptographic attacks.

Making some people believe everybody had received a valid order while some
will believe they were sent a bogus one which they reject (insider
sabotage?) over some broadcast medium. Would be detectable after the fact,
but could cause enough damage to be worth it for the attacker before then.

In the worst case scenario you could frame somebody this way if you know
the implementation they use right now will respond in one way but will soon
be updated/replaced to behave in the other way, and in which his superiors
already use the latter method. This provides for a very slim attack window,
but the risk is real.
You can make the verification fail, which he later would be unable to prove
after the change when he is asked why he didn't follow orders.
Or vice versa, make him follow an order that the software used by the
superiors will reject the signature on. Again, a claim he can't prove after
the change.

Also, for cryptocurrencies you could cause a fork between clients using
different signature verification implementations, making one side believe
the blockchain with a certain transaction to be invalid while the other
side doesn't.

v2.23.0 | Report a Bug | By Email