IETF Logo Mail Archive

Re: [Cfrg] A downside of deterministic DL signatures?

Michael Hamburg <mike@shiftleft.org> Thu, 31 July 2014 07:40 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AE211A038A for <cfrg@ietfa.amsl.com>; Thu, 31 Jul 2014 00:40:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.755
X-Spam-Level: **
X-Spam-Status: No, score=2.755 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_12=0.6, J_CHICKENPOX_42=0.6, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4yPAOhNEZCGl for <cfrg@ietfa.amsl.com>; Thu, 31 Jul 2014 00:40:24 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11D871A0382 for <cfrg@irtf.org>; Thu, 31 Jul 2014 00:40:24 -0700 (PDT)
Received: from [192.168.1.124] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 30A583AA12; Thu, 31 Jul 2014 00:40:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1406792405; bh=FOMkEPdXWoGL7lsSgUxQbQjeAP5hpyCj4q5rvtEvYPU=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=EiHJsq1p1eNeurqPW8qnsH3rDD3QYgeoYPnB7sd3ph7+XO6A5Xw+TQ88QR+ASuWJc pa81XtYpmGH6MWwIOXHgjj95igUHpHS5+71MUUoKpw1tEpRszhfTqbc5DHCmQJzEFf D6W4vMfKcOJvOsX/sZVnutsHN6mE43WQetCfm3dw=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1971.5\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <CAHOTMVJ4AirY+tRnVfwt1umgx=Q2xNwVTks6OoVNaV0gkKihOg@mail.gmail.com>
Date: Thu, 31 Jul 2014 00:40:18 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <947D45A1-AF36-470B-8D50-7600FEF7FB30@shiftleft.org>
References: <20140729205846.6639765.71649.17355@certicom.com> <CAHOTMVJ4AirY+tRnVfwt1umgx=Q2xNwVTks6OoVNaV0gkKihOg@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
X-Mailer: Apple Mail (2.1971.5)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/35T-4sY-QRhpZFNj9kXx9UQr4bE
Cc: Dan Brown <dbrown@certicom.com>, IRTF Crypto Forum Research Group <cfrg@irtf.org>
Subject: Re: [Cfrg] A downside of deterministic DL signatures?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 07:40:25 -0000

> On Jul 30, 2014, at 6:38 PM, Tony Arcieri <bascule@gmail.com> wrote:
> From a technical perspective, yes. From an objective perspective: it is extremely dangerous and has lead to multiple key compromises *in practice*, including the PS3 master key.

Indeed.  But collision attacks have also broken signature schemes *in practice*, for example the Flame malware.

You can have any two of determinism, one-pass signatures, and protection from collision attacks.  So far as I know, you can’t have all three, at least not with a Schnorr scheme.  Please correct me if I’m wrong.

The collision protection comes from the order things are passed to the hash function during signing/verification and deterministic nonce generation (i.e. H(pk || nonce || message) resp HMAC(sk, message)), so if we are going to have it in a given scheme, it will be a mandatory part of the spec.

Determinism isn’t part of the verification algorithm or the message format.  It just affects nonce generation.  So it could be a SHOULD, or it could be a MUST if the committee feels strongly that it should be required.

If it’s a MUST, it follows that implementors MUST NOT provide a streaming API for signatures.  This means that they can’t sign messages that come in on a pipe without unbounded buffering, and they can’t sign messages that don’t fit in the memory of your (possibly constrained) device.

Should a signature scheme declare that it MUST NOT be implemented with a streaming API, even though it’s possible to do that securely?  Or should we drop protection from collision attacks?  How much confidence do you have in SHA3?  Or am I missing a way to get all of these?

— Mike

v2.29.0 | Report a Bug | By Email | System Status