[Cfrg] 8032(PureEdDSA) question

Dan Brown <danibrown@blackberry.com> Fri, 21 December 2018 16:15 UTC

Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E6D8130E1E for <cfrg@ietfa.amsl.com>; Fri, 21 Dec 2018 08:15:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dITtUaFBLlj7 for <cfrg@ietfa.amsl.com>; Fri, 21 Dec 2018 08:15:53 -0800 (PST)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76641130E1A for <cfrg@irtf.org>; Fri, 21 Dec 2018 08:15:52 -0800 (PST)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs215cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 21 Dec 2018 11:15:51 -0500
Received: from XCT115CNC.rim.net (10.65.161.215) by XCT106CNC.rim.net (10.65.161.206) with Microsoft SMTP Server (TLS) id 14.3.408.0; Fri, 21 Dec 2018 11:15:51 -0500
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT115CNC.rim.net ([::1]) with mapi id 14.03.0415.000; Fri, 21 Dec 2018 11:15:50 -0500
From: Dan Brown <danibrown@blackberry.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: 8032(PureEdDSA) question
Thread-Index: AdSZPq1RgkzFAKpvQk2MNF2QfrDzSA==
Date: Fri, 21 Dec 2018 16:15:49 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501D57D41@XMB116CNC.rim.net>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_0202_01D4991E.864DC7E0"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/1Y5YaPK5sLiGW0P2TImyybSAKDk>
Subject: [Cfrg] 8032(PureEdDSA) question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Dec 2018 16:15:57 -0000

Hi CFRG,

A pedantic question about RFC 8032 claim (and any similar claims about 
PureEdDSA):

"The collision resilience property means EdDSA is secure even if it is 
feasible to compute collisions for the hash function."

This claim fairly advertises a defense in depth against a security collapse in 
the hash.  Fine!  But shouldn't it also very clearly delimit this defense?  As 
it stands now, it seems like slight exaggeration, because "even if it is 
feasible to compute collisions" is rather open-ended.

My suggestion would be *either* to amend the main claims as

"The collision resilience property means EdDSA is secure even if it is 
feasible to compute collisions for the hash function, provided the hash 
remains at least  <XYZ-secure> ",

for some value of <XYZ-secure>.

As I recall, <XYZ-secure> should include things like prefix 2nd preimage 
resistance (to prevent some forgeries, and maybe to make security proofs work 
...) and pseudorandom (to protect r generation).  I forget the details, but I 
think that there is also a loose consensus on what <XYZ-secure> would be.

Either the amendment above, *or* just point out the well-known hash-collision 
attack on HashEdDSA, but then not promise anything about PureEdDSA, letting 
silence (on the latter) speak louder than words (imprecise promises).  This 
might entail more changes to the document.

An amendment could be an erratum (though I am unfamiliar with the 
process/purpose of errata).  Moreover, any future RFCs on PureEdDSA might 
address also try to this issue.  Academically, could I be reminded what the 
consensus on <XYZ-secure> is (if any)?

Of course, perhaps, contrary to my opinion, there is also consensus that 
adding a proviso is unnecessary (due to limitation of "collision" being 
self-sufficient and implicit as a delimiter)?

Best regards,

Dan

PS  More details:

There are some security proofs for Schnorr signatures, which surely apply to 
EdDSA (whether one likes provable security or not).  I once looked at this 
issue, but now I mostly forgot those details, but they probably provide some 
help on stating part of what should go into <XYZ-secure>.  I can probably 
review this to find some phrasing.

Usually there is gap between proofs and reasonable intuition: so <XYZ-secure> 
might reasonably include less stringent hash security than what the security 
proofs offers.

***

Next I elaborate on my concern about delimiting collision attacks, with a 
speculative example.  The phrase

"... feasible to compute collisions for the hash function"

conditionally hypothesizes some unknown collision algorithm.  Since it enters 
into hypothetical territory and persuasion of the reader of security in this 
territory, the reader might be forgiven for thinking it claims that PureEdDSA 
is safe against a very strong hash collision attack like the following:

An adversary might know a set of L (say 2^50) message extensions M1,...ML, 
such that H(X,M1),...,H(X,ML) is likely to contain to contain a collision, for 
any choice of X and without M1,..,ML depending on X (though which messages 
collide may somehow depend on X).

I don't know enough about collision attacks (e.g., on MD5 and SHA1) to say how 
unlikely such an attack is, though I can see that it is very strong attack.

Of course, this attack is *also* a (weak) attack on H(X,-) as pseudorandom 
function (with secret X).

For PureECDSA, with its deterministic signature generation, this hash attacker 
could then ask a signer to sign each of M1,...,ML.  One of these is likely to 
collide giving the same r value in the signature.  The r collision enables the 
adversary to recover the signing key s, and then forge arbitrarily many 
messages.

Of course, this is very high-cost forgery, since 2^50 signatures is excessive. 
So, it may be rated as a low impact on security.

Also, I don't think that this strong hash collision attack would imply an 
attack on random r version of EdDSA signing.  To be clear, I am *not at all* 
saying that this hypothetical attack is more likely than a fumbled 
implementation of random r, or that it justifies random r.  The point here 
concerns only a reader's state of mind.  Some reader might contemplate the 
security of PureEdDSA by focusing at attacking the verifier, ignoring the 
issue of how signatures are generated.  This reader then mistakenly concludes 
that PureEdDSA is safe in the presence of this strong hash collision attack, 
because this hash attack does not lead to a forgery (if one ignores how the 
signer generates r).

Anyway, this remote risk seems easily and well-resolved by adding some kind of 
"pseudorandom" property for the hash into <XYZ-secure>.  This delimitation 
would clearly rule out such a strong collision attack (without relying on, for 
example, the fuzziness of the meaning of feasible).

I think that the pseudorandom qualities of H have been put forward in various 
places (including CFRG) as very reasonable defense to PureEdDSA's method of 
generating r.   So, I don't think there is any controversy that pseudorandom H 
defeats such an attack.  There may be some question on how to formulate the 
pseudorandom property - the example above shows a weak pseudorandom attack 
leads to a weak forgery.

(Again: I expect the main the controversy might be whether it is necessary to 
spell out the adversarial limitations in a proviso, or whether everything I am 
saying is made 100% implicit by use of the work "collision".)

***

8032 also says

"One of the parameters of the EdDSA algorithm is the "prehash" function.  This 
may be the identity function, ..."

Which might be worth amending as  "... The prehash (but not the hash) may be 
the identity function, ...".

Because, if the prehash were (absurdly) replaced by an identity function, 
things go quite awry.

As with the <XYZ-secure> amendment , an alternative amendment might also be 
possible by saying much less, not mentioning the identity function at all. 
(Replacing a hash function by identity function is playing with fire: great 
for exposition to dramatically make a point, but not so cool for a standard.)