IETF Logo Mail Archive

Re: [Cfrg] Signature proposal

Dan Brown <dbrown@certicom.com> Mon, 29 June 2015 17:06 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CED311B2BAA for <cfrg@ietfa.amsl.com>; Mon, 29 Jun 2015 10:06:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AolFcevRefWt for <cfrg@ietfa.amsl.com>; Mon, 29 Jun 2015 10:06:21 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id AD5061B2B9F for <cfrg@irtf.org>; Mon, 29 Jun 2015 10:06:05 -0700 (PDT)
Received: from xct107cnc.rim.net ([10.65.161.207]) by mhs214cnc.rim.net with ESMTP/TLS/AES128-SHA; 29 Jun 2015 13:06:05 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT107CNC.rim.net ([fe80::b815:71ef:9f8f:e07c%16]) with mapi id 14.03.0210.002; Mon, 29 Jun 2015 13:06:04 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'mike@shiftleft.org'" <mike@shiftleft.org>
Thread-Topic: [Cfrg] Signature proposal
Thread-Index: AQHQrOZBAdD6/uAXFkyKCNMv3Pw4yJ3DqqjwgABSkwD//8EnkA==
Date: Mon, 29 Jun 2015 17:06:04 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5E0195A@XMB116CNC.rim.net>
References: <20150622122321.GA28986@LK-Perkele-VII> <810C31990B57ED40B2062BA10D43FBF5E018E0@XMB116CNC.rim.net> <9DCF0DC7-08AA-484E-AFFA-B31117A3BB80@shiftleft.org>
In-Reply-To: <9DCF0DC7-08AA-484E-AFFA-B31117A3BB80@shiftleft.org>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0030_01D0B26C.5AAD3FE0"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/QfALSDKI6PuvSedpCSUZ1z7pMzQ>
Cc: "'cfrg@irtf.org'" <cfrg@irtf.org>
Subject: Re: [Cfrg] Signature proposal
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2015 17:06:23 -0000

> -----Original Message-----
> From: Michael Hamburg
> 
> I believe that this would compromise the signing key, at least if the two hashes
> are used with the same curve and the length difference is small.  However, I’m
> not aware of any two deployed hash functions where one is a truncation of
> another; in particular, SHA512/n have different IVs.  So this would only happen
> if you truncate the same hash to two difference lengths, or use a variable-
> output-length hash with two different output lengths.
> 
[DB] Thanks for checking this.

Also, I did some after-post fact-checking and found that SHA-384 and SHA-224 do indeed use different IVs than SHA-512 and SHA-256.  Sorry for forgetting that crucial fact.

Good catch about the small difference in output length. Yes, I forgot to mention that the attacker has to guess the truncated bits to find a linear relation.  So, truncation from 512 down to 256 would defeat the attack.

I've since noticed that some (old?) versions of HMAC do allow truncation. Because I've suggested trying to avoid extension attacks on prefixed-hashing with SHA-1/2 to generated ephemeral secrets, I will look further into the impact of using HMAC as a PRF for this task.  I think it's just better to go with SHA-3, but an alternative is mandate no truncation to be used in the generation of the ephemeral key.

v2.23.0 | Report a Bug | By Email