Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Wed, 26 September 2012 03:03 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "David W. Kravitz" <dkravitz@trustcentral.com>, "'Dan Brown'" <dbrown@certicom.com>, "'Igoe, Kevin M.'" <kmigoe@nsa.gov>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Wed, 26 Sep 2012 03:03:36 +0000
Message-ID: <A113ACFD9DF8B04F96395BDEACB34042136CAF@xmb-rcd-x04.cisco.com>
Cc: "john.kelsey@nist.gov" <john.kelsey@nist.gov>, "David McGrew \(mcgrew\)" <mcgrew@cisco.com>, "lily.chen@nist.gov" <lily.chen@nist.gov>
Subject: Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms


From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of David W. Kravitz
Sent: Tuesday, September 25, 2012 12:46 PM
To: 'Dan Brown'; 'Igoe, Kevin M.'; cfrg@irtf.org
Cc: john.kelsey@nist.gov; David McGrew (mcgrew); lily.chen@nist.gov
Subject: Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms

Hi Dan and all,

I can actually see a potential non-anonymity-related downside of the feature of having the same signature per message (which unlike the anonymity issue applies equally to DSA and ECDSA): If a system is configured so as to reject duplicate signatures as potential fraudulent replays, legitimate duplicates could also be rejected. Such a system configuration might be more than hypothetical, in that (as far as I know) an adversary without knowledge of the private key 'x' cannot feasibly generate additional distinct DSA/ECDSA signatures that are not in the set of signatures for that message that the adversary already has available.

That last part is false for ECDSA; if (r, s) is a valid signature for a message H and public key PK, then (r, n-s) is also a valid signature for the message H and public key PK (where n is the order of the curve).