Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
"D. J. Bernstein" <djb@cr.yp.to> Tue, 05 May 2015 15:23 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DEA41A886B for <cfrg@ietfa.amsl.com>; Tue, 5 May 2015 08:23:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.896
X-Spam-Level: **
X-Spam-Status: No, score=2.896 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7c8A668RDXp7 for <cfrg@ietfa.amsl.com>; Tue, 5 May 2015 08:23:10 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id 20FC71A1BE7 for <cfrg@irtf.org>; Tue, 5 May 2015 08:23:07 -0700 (PDT)
Received: (qmail 22382 invoked by uid 1017); 5 May 2015 15:23:26 -0000
Received: from unknown (unknown) by unknown with QMTP; 5 May 2015 15:23:26 -0000
Received: (qmail 31925 invoked by uid 1000); 5 May 2015 15:22:58 -0000
Date: Tue, 05 May 2015 15:22:58 -0000
Message-ID: <20150505152258.31923.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5DCAEDC@XMB116CNC.rim.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/6vSjL1PMwzbca1bs_NJEWBnR644>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2015 15:23:13 -0000
Dan Brown writes: > 2. Hindsight patching > --------------------- > De-randomization is a hindsight patch, even assuming we've determined > a correct cause. Let's go back to the videotape. 1991: NIST proposes DSA. Later, after a CPSR lawsuit, NIST admits NSA authorship of DSA: https://epic.org/crypto/dss/new_nist_nsa_revelations.html 1992: Rivest criticizes several aspects of DSA, including DSA's use of randomness generation during signing: "Signing with DSS requires the generation and use of random numbers (the k values). ... The poor user is given enough rope with which to hang himself---something a standard should not do." https://people.csail.mit.edu/rivest/pubs/RHAL92.pdf 1994: NIST standardizes DSA. 1997: Barwood echoes the randomness criticism and, as a solution, proposes deterministic generation of k: "The normal (i.e. IEEE P1363) way of implementing digital signatures using an elliptic curve seems to call (at least implicitly) for the generation of true random integers. Generating true random integers is difficult to do in a safe portable way, so I propose a method that does not require any true random input. ... What I suggest is that a prng is used to generate k, keyed with d (the private key), and seeded with e (the message digest)." https://groups.google.com/forum/#!original/sci.crypt/SalLSLBBTe4/xtYNGDe6irIJ 1997: Wigley independently proposes the same solution in more generality: "I was thinking last night about an implementation of digital signatures - re: the requirement for a truly random number in DSA / NR / most other algo's. Why not derive the random number from the message to be signed therefore removing the need for a hardware rng (smartcards) or a complex and potentially fallible software attempt." https://groups.google.com/forum/#!original/sci.crypt/3g8DnnEkv5A/iZqTyLxF2qYJ 1997: Naccache, M'Raihi, and Levy-dit-Vehel independently file a patent application on the same idea. (They abandon the application in 2003.) 1998: M'Raihi, Naccache, Pointcheval, and Vaudenay manage to stretch the idea into an entire SAC paper: "In this paper, we present a simple method for generating random-based signatures when random number generators are either unavailable or of suspected quality (malicious or accidental). ... Suffice it to say that one should replace each session's random number by a digest of the keys (secret and public) and the signed message." https://www.di.ens.fr/users/pointche/Documents/Papers/1998_sac.pdf 2010: Bushing, Marcan, Segher, and Sven ("failOverflow") announce that they have recovered the Sony PlayStation 3 signing key, thanks to Sony's reuse of a single k for many signatures. https://www.youtube.com/watch?v=PR9tFXz4Quc Of course, the 1997 proposals from Barwood, Wigley, Naccache, M'Raihi, Levy-dit-Vehel, Pointcheval, and Vaudenay would have stopped this 2010 attack. Can you please explain why you call this "hindsight patching"? > The secret s SHOULD be new, but MAY be old. With your proposal, the "poor user is given enough rope with which to hang himself---something a standard should not do". What stops the user from choosing a constant s, producing a predictable k and revealing the signing key? It's not enough to _tell_ people that k has security consequences--- something that has been said again and again since the original ElGamal paper in 1985. What actually works is having standard _test vectors_ that eliminate the bad implementations. By agreeing on a deterministic way to generate k, with no additional inputs, we allow every common mistake in k generation to be caught by test vectors. I don't mean to suggest that _every_ k-generation function is safe. On the contrary: generating a constant k, as Sony did, is of course very bad; generating k biased mod the group order is bad; etc. The designer needs to specify a k-generation function that's secure _and_ that actually ends up being tested in implementations. Failure to do this is tantamount to allowing _every_ function that implementors come up with; instead of having _one_ function to carefully review for security problems, we're faced with a neverending list of implementation-specific functions. The same principles apply to "entropy pools". Having each library make up its own mechanism to combine multiple entropy sources is a recipe for disaster. What we need is a specified, security-reviewed, deterministic, tested mechanism to combine multiple entropy sources---centralized in the operating system (even better, the hypervisor, when there is one) to maximize the chance that good entropy sources are actually used and to minimize the number of lines of code to review. Obviously the system does ultimately rely on having some good entropy source, and testing entropy sources is a quite different problem with a long history of failures, even in cryptographic products "certified" by the U.S., Canadian, and German governments: http://smartfacts.cr.yp.to But the fact that there's a hard problem in one corner of the crypto ecosystem doesn't mean that we should give up on solving the problem. Our best chance of solving this problem starts by isolating it--- eliminating it from every other part of the ecosystem. > 3a.... More side channels? No. Unprotected implementations of standard _randomized_ DSA are well known to be broken by side-channel attacks. It's important to protect all secrets---including k, which is used for scalar multiplication, and the long-term secret, which is used for arithmetic mod the group order. Standard defenses include blinding of each secret bit (splitting b into r and r+b), blinding mod the group order (replacing k with k+rp), etc.; these defenses work for deterministic signing systems too. The bigger picture is that crypto is constantly mixing secret data with public data. Side-channel defenses take responsibility for protecting this. We know how to defend, e.g., computing an authenticator of a potentially forged message---even if the same message is repeated any number of times. This is also what we're doing in computing k. A carefully managed internal PRNG _can_ be cheaper to protect than this computation, but this cost improvement is quite small compared to the overall cost of a signature unit. An implementor desperate to take this approach will find that the resulting signatures, despite violating the deterministic standard (and failing standard signing tests), are fully interoperable---CFRG is not proposing that _verifiers_ track signatures of the same message and enforce repetition constraints. > 3b... Re-use keys more often, why not always? > 3c.... De-randomized signing key? > 3d.... Increased failure to erase ephemerals? > 3e.... Replay attacks on encryption? > 3f.... Loss of forward secrecy? Here you're speculating that an implementor might draw dumb conclusions from the k definition and, as a result, misimplement something else. Sure, anything is possible, but intelligent risk management requires sensibly evaluating the _likelihood_ and _impact_ of bad events. The chance of an implementor reusing k as Sony did, or generating k that's slightly too short, is obviously much higher than the chance of all of the scenarios that you postulate, and the impact---forgery of arbitrary messages under this public key---is no less disastrous than the impact of any of your scenarios. > given a sequence of signatures under a public key, one can detect > repeated messages, even if the repeated message are secret and > unguessable, and therefore impossible to verify. Sure. Standard signature caching (e.g., DNSSEC saves signatures) also has this effect. Many RSA signature systems are also deterministic. You speculate that there are some protocols that need non-deterministic signatures for some vague reason; those protocols will already have to be quite careful in their selection of signature systems. This is obviously far less important than the disastrous consequences of poor k generation for typical real-world applications of signatures. > 3h.... Provable security: more assumptions to prove unforgeability > What is the effect of de-randomization on the security proofs of > unforgeability? First of all, to give proper credit, this purely theoretical issue was adequately analyzed by Olson in 1997: https://groups.google.com/forum/#!original/sci.crypt/3g8DnnEkv5A/TXTyOg9jgvUJ The solution to all of the theoretical problems, as mentioned by Olson, is to have one discrete-log key and one message-hash key. Ed25519 uses a KDF (normally SHA-512) to derive these two separate keys from a master signing key. You say that "an implementer who is likely to reuse an ephemeral may be just as likely to choose the alternative key poorly". But these objects have totally different levels of fragility from a security perspective. Choosing a slightly biased k is a disaster; choosing a slightly biased message-hash key (or discrete-log key) is irrelevant. Repeating k is a disaster; I have no idea what "poor" choice of message-hash key you think would be analogous to this. Sure, a _guessable_ message-hash key is as disastrous as a guessable k, but the equal problems in this extreme case don't imply equal problems in other cases. > Of course, we may well already need PRFs for privacy, but I wouldn't > want to some fault in a PRF, e.g. AES, carry over into authentication. The modern trend is to rely on the security of ciphers, notably AES, not just for _encrypting_ every message but also for _authenticating_ every message. Do you think this is a problem? The community has been subjecting ciphers to massive scrutiny for many years. The security standard is very high: we imagine that the attackers can freely choose all inputs and see all outputs, and that the attackers automatically win if they can find _any_ pattern, even though this isn't enough to break typical applications. The best possible security, within various real-world performance constraints, is systematically analyzed. Worrisome cipher structures are identified and avoided. Is it still possible that an attacker will find some shocking break of AES? Yes, it's possible. Is it conceivable that generating k's with a modern cipher will produce k's so biased as to allow forged signatures? Yes, it's conceivable. But is it reasonable to say that this wildly speculative horror story has the same probability as another equally disastrous Sony-style implementation screwup? No, it isn't. ---Dan
- [Cfrg] Elliptic Curves - signature scheme: random… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Hoffman
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andy Lutomirski
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… James Cloos
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Damien Miller
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Parkinson, Sean
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Lambert
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Russ Housley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Brian Smith
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Sean Turner
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Leon Gil
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov