[Cfrg] Signature malleability
Bryan Ford <brynosaurus@gmail.com> Sat, 21 May 2016 11:52 UTC
Return-Path: <brynosaurus@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAFC812B02F; Sat, 21 May 2016 04:52:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-zPZg_Cl1Pj; Sat, 21 May 2016 04:51:59 -0700 (PDT)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40F1612D11B; Sat, 21 May 2016 04:51:58 -0700 (PDT)
Received: by mail-wm0-x231.google.com with SMTP id n129so15708143wmn.1; Sat, 21 May 2016 04:51:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:message-id:date:to:mime-version; bh=/eySLs7KjP5NadDrrV8h0vEikKBPAc93z8uxVoNElCc=; b=WBH4glQhOgyHmcpSvOzjbHTYo0uH1OmMJ//XtEemNdrUeptgrhvXYHwILZLTFDpXyN DD38JTTp8MVleHErQ4ToAtc5ITaIG2OxZKBl1sTclXNjqguXnoZBYR0zeqtIt1DkFMGz D+fW/D84JYoz9DFoyHz879IkECfEe/kd6+Y8XqEaIGpT5iuUDZOU9FqxBYAAhCYC5X0Z Kt8m8vXGwv/3FmUK+WSzDAtvHg1creGqrWyJWUYNoZqFvxCTDQYH3ebYO6IWwNiBQTvJ c0LNUX+O+gqBqUSPjQInJjV47i/7RlvmNxjJGnvO9VK02yOAbddlVlVEavZuzvNq2i3y fHXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:message-id:date:to:mime-version; bh=/eySLs7KjP5NadDrrV8h0vEikKBPAc93z8uxVoNElCc=; b=eoV0k3hL+i6vccRSx8PUZgBgdaBrVAb6CW80BTBlAKmKM4n/uoI5RtoIx38zL6tO/f PZ4/chQJrRx4hfPSgPMCPblH2gyQ31zSmXS8BvgA+RaksO0k6ssrOBEYywDBQ7aiYQUX pMK77NVcqOQi1n+UR7sW3l4uWfJKViX0zDAC78IkLfPFJdcghfNQs/PoNYF5fOIjslns zt9I8ddaX410mhyGi2+h9W2+AjUpUJFCenhVGVqasxuhjN2Qb6u5CM9M02w+P7HIuIaN i3zHUI+vh2v4OCYVZ1OtlTrjHOe0qKo/vxDjlH/Nl4gVT+heZYBFcXIi6BXDCWn3C1V7 WIsA==
X-Gm-Message-State: AOPr4FVU9E0BdZrrwGGq57RtE5EauQlHuBgydT05A/Fiib43sQ+1HeCGF8JpvFm2TQgQqQ==
X-Received: by 10.194.115.39 with SMTP id jl7mr8591803wjb.81.1463831516568; Sat, 21 May 2016 04:51:56 -0700 (PDT)
Received: from [172.20.10.2] (239.225.197.178.dynamic.wless.zhbmb00p-cgnat.res.cust.swisscom.ch. [178.197.225.239]) by smtp.gmail.com with ESMTPSA id d79sm3026782wmi.23.2016.05.21.04.51.54 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 21 May 2016 04:51:54 -0700 (PDT)
From: Bryan Ford <brynosaurus@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_C71A2F9D-6323-426F-B013-3F89F1B5D81C"; protocol="application/pkcs7-signature"; micalg="sha1"
Message-Id: <D87FC0F0-AF53-4BE5-A320-9F9F88DBE873@gmail.com>
Date: Sat, 21 May 2016 13:51:53 +0200
To: cfrg@ietf.org, draft-irtf-cfrg-eddsa.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/K9L_kZXs8JXj6UOy5SfgafKepbQ>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Subject: [Cfrg] Signature malleability
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 May 2016 11:52:02 -0000
Hmmm, has the topic of signature malleability been discussed or decided on? If so, I don’t see evidence of that in the eddsa draft. The basic issue is whether an attacker can take a valid signature, for which the attacker doesn’t know the private key, and produce a differently-encoded signature (on the same message) that also validates correctly. Plain, classic Ed25519 signatures are (slightly) malleable, because there are several 32-byte encodings of S values that are equal modulo L (the group order), and the Ed25519 verifier traditionally doesn’t bother to check that S < L in the input signature. But the current libsodium implementation of Ed25519, for example, *does* check that S < L and reject signatures for which this doesn’t hold, thereby ensuring that an attacker can’t fiddle with S without invalidating the signature. While “normal” well-behaved Ed25519 signing implementations as far as I know always produce S < L, libsodium’s added check in principle risks rejecting signatures that in principle might be legitimate according to the Ed25519 standard and that earlier verifiers would have accepted. This risk is presumably reflected in the “#ifndef ED25519_COMPAT” conditional compilation in the libsodium code. Signature malleability was a contributor to the security problem of transaction malleability in Bitcoin; see https://en.bitcoin.it/wiki/Transaction_Malleability for example. Non-malleability is of course not traditionally a formally expected property for signing schemes to have, and the original Ed25519 obviously was not formally “broken” just because it was malleable. But given that the basic purpose of signatures is to protect from malicious changes to any part of the signed content, it seems like an easy and understandable mistake for people to assume that “non-malleability of signed content” extends to “non-malleability of the signature itself”, or to an expectation of non-malleability of a combined “content + signature” blob. In retrospect, Bitcoin at least seems to illustrate the reality of that particular pitfall, and I don’t know if there are other relevant historical examples. A careful reading of the verification text of the current draft seems to *suggest* implicitly that S is supposed to be verified to be < L: for example, section 3.4 “Verify” says: To verify a PureEdDSA signature ENC(R) || ENC(S) on a message M under a public key ENC(A), proceed as follows. Parse the inputs so that A and R are elements of E, and S is a member of the set {0, 1, ..., L-1 }. […] Sections 5.1.7 and 5.2.7 seem to “suggest” this even a bit more clearly: 1. To verify a signature on a message M using public key A, first split the signature into two 32-octet halves. Decode the first half as a point R, and the second half as an integer S, in the range 0 <= s < L. Decode the public key A as point A'. If any of the decodings fails, the signature is invalid. A reader who is paying attention sufficiently well perhaps “should” read this as saying the verifier should ensure that s < L, and reject the signature if it is not. But on the other hand, in the current phrasing a reader could be forgiven for accidentally overlooking this, since it’s still not a completely, explicitly stated as required. And indeed, I can find no such check in the Python reference code in section 6: s = int.from_bytes(signature[32:], "little") h = sha512_modq(Rs + public + msg) sB = point_mul(s, G) The draft presumably needs to be clarified one way or another with respect to whether such an S < L check is allowed (MAY), recommended (SHOULD), or required (MUST). Probably MUST would in principle be best from a conservative security-robustness perspective. The caveat is that, as mentioned above, this behavior risks breaking backward compatibility by rejecting signatures that “could in principle” have been generated by old Ed25519 implementations whose signatures would traditionally have been considered acceptable. So for that reason (and perhaps only that reason?), perhaps a SHOULD would be better, with an explicit statement as to when the SHOULD might be disobeyed (namely “if needed for backward compatibility with old Ed25519 signatures”). What do you think? Bryan
- [Cfrg] Signature malleability Bryan Ford
- Re: [Cfrg] Signature malleability Ilari Liusvaara