Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms
"David W. Kravitz" <dkravitz@trustcentral.com> Mon, 24 September 2012 15:31 UTC
Return-Path: <dkravitz@trustcentral.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 078EB21F87AD for <cfrg@ietfa.amsl.com>; Mon, 24 Sep 2012 08:31:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_42=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nG-13qwjBtJ9 for <cfrg@ietfa.amsl.com>; Mon, 24 Sep 2012 08:31:27 -0700 (PDT)
Received: from vms173007pub.verizon.net (vms173007pub.verizon.net [206.46.173.7]) by ietfa.amsl.com (Postfix) with ESMTP id CA72C21F860B for <cfrg@irtf.org>; Mon, 24 Sep 2012 08:31:26 -0700 (PDT)
Received: from hatemtlaptop ([unknown] [173.66.52.63]) by vms173007.mailsrvcs.net (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009)) with ESMTPA id <0MAV001V91QRH00D@vms173007.mailsrvcs.net> for cfrg@irtf.org; Mon, 24 Sep 2012 10:30:34 -0500 (CDT)
From: "David W. Kravitz" <dkravitz@trustcentral.com>
To: "'Igoe, Kevin M.'" <kmigoe@nsa.gov>, cfrg@irtf.org
References: <CC7768A9.EDA64%mcgrew@cisco.com> <9745FE04-5A2C-4D38-9D34-AFF3A2EC54C6@callas.org> <002801cd96b7$b7c38c80$274aa580$@trustcentral.com> <3C4AAD4B5304AB44A6BA85173B4675CA17687160@MSMR-GH1-UEA03.corp.nsa.gov>
In-reply-to: <3C4AAD4B5304AB44A6BA85173B4675CA17687160@MSMR-GH1-UEA03.corp.nsa.gov>
Date: Mon, 24 Sep 2012 11:30:27 -0400
Message-id: <000601cd9a69$897d3460$9c779d20$@trustcentral.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="----=_NextPart_000_0007_01CD9A48.026FDA20"
X-Mailer: Microsoft Outlook 14.0
Thread-index: AQJZjD1WbN3mB22kfgMwgvHZe2e5lAHYBuGkAN83IhkCSTqTvpZZpIgw
Content-language: en-us
Cc: john.kelsey@nist.gov, mcgrew@cisco.com
Subject: Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 15:31:31 -0000
Kevin, One effect of the use of "internal state" is the prevention of HMAC_DRBG from producing repeat outputs, where "HMAC_DRBG Internal State" is defined in section 10.1.2.1 of SP 800-90A. By stating that "Note that we instantiate a new HMAC_DRBG instance for each signature generation process," the draft is indicating that internal state is not carried over (which is what I meant by "null"). Consequently, given a repeat message 'm' (i.e., repeat seed (= x || H(m) )), the output repeats. While this is not a problem in this particular application, it violates a fundamental property of a good DRBG. Furthermore, with regard to the next-output-bits-given-previous-output-bits- uncertainty property of a good DRBG, if the output for a single message 'm' becomes known, all other outputs are not only distinguishable from the output of a truly random function, but are actually computable. This is due to the "double use" of the private key 'x' for generation of 'k' and for generation of 's' from 'k'. Since we don't require the use of a DRBG in this (EC)DSA application, we can use HMAC directly (with 'x' as the HMAC key, and H(m)||Counter as the HMAC'ed data, where Counter is used in conjunction with FIPS PUB 186-3 B.2.1 or B.2.2). Note that the use of deterministic generation of 'k' (whether done as in the current draft, or the suggested simplified version, or based on a block cipher instead of HMAC) has an additional potential non-repudiation advantage not previously explicitly mentioned: It could make it more difficult to plausibly disavow signatures on the basis of leakage of 'x' due to low entropy 'k'. Thanks, David From: Igoe, Kevin M. [mailto:kmigoe@nsa.gov] Sent: Monday, September 24, 2012 10:21 AM To: 'David W. Kravitz'; cfrg@irtf.org Cc: john.kelsey@nist.gov; mcgrew@cisco.com Subject: RE: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms David: I'm having a hard time parsing the last two sentences of the first paragraph. Would you be kind enough to rephrase them for me? 1) As far as I can see this draft instantiates the HMAC_DRBG using the seed (= x || H(M) ) in precisely the correct manner. I miss where they have strayed from the standard. 2) I'm not sure what you mean by "null internal state". Clearly I am misinterpreting what you are trying to say. From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of David W. Kravitz Sent: Wednesday, September 19, 2012 6:40 PM To: cfrg@irtf.org Cc: john.kelsey@nist.gov; mcgrew@cisco.com Subject: Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms Hi all, Comments below. Thanks, Jon Callas, David W. Kravitz, and Phil Zimmermann The required security attributes for the safe use of HMAC in this draft are more nuanced than the description currently conveys. Consider the following two excerpts of the draft from the Security Considerations (section 5): "Security relies on whether the generation of 'k' is indistinguishable from the output of a Random Oracle. Roughly speaking, HMAC_DRBG is secure in that role as long as HMAC behaves as a PRF (Pseudo-Random Function)." "One remaining issue with deterministic (EC)DSA, as presented in this document, is the "double use" of the private key 'x', both as private key in the signature generation algorithm itself, and as input to the HMAC_DRBG-based pseudo-random oracle for producing the 'k' value. This requires HMAC_DRBG to keep on being a random oracle, even when the public key (which is computed from 'x') is also known. Given the lack of common structure between HMAC and discrete logarithm, this seems a reasonable assumption." Any discussion in the literature of "random oracle" is typically with respect to "a publicly accessible random function" (as, for example, in "Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology," by U. Maurer, R. Renner, and C. Holenstein, ftp://ftp.inf.ethz.ch/pub/crypto/publications/MaReHo04.pdf). But as HMAC_DRBG is specified in the draft document (with null internal state per "Note that we instantiate a new HMAC_DRBG instance for each signature generation process," and "double use" of the private key 'x'), given any single output of HMAC_DRBG, all other outputs are completely distinguishable from the output of an arbitrary truly random function. In other words, given a single 'k' value that was generated using HMAC_DRBG as specified, any other 'k' value(s) recovered from 's' by using 'r', 'H(m)' and the no-longer-private value of 'x' can be determined as having been generated using HMAC_DRBG as specified. Note that even if no values of 'k' are disclosed, the use of null internal state would be problematic in an application relying on a DRBG where repeated outputs are unacceptable. So, given that neither (pseudo-)random oracle nor the next-output-bits-given-previous-output-bits- uncertainty property of DRBG is achieved within the context of the actual (EC)DSA application, we can use a simpler formulation here. An example of such is HMAC('x', H(m)||Counter), where Counter is reinitialized for each signature generation process instance and potential bias is addressed by deriving 'k' using a single Counter value as in [FIPS PUB 186-3] B.2.2 (Per-Message Secret Number Generation by Testing Candidates), or multiple Counter values are used as in B.2.1 (Per-Message Secret Number Generation Using Extra Random Bits). Note that in the case where multiple entities have knowledge of 'x' (which may complicate non-repudiation), deterministic generation of 'k' has the effect that the potential subliminal/covert channel is replaced by a MAC property. That is, any entity with knowledge of 'x' can verify the integrity of 'm' using 's' while ignoring both the transmitted value of 'r', and 'y' or 'U' (where y = g^x mod p in DSA or U = xG in ECDSA). It might also be prudent to indicate in the Security Considerations section that the use of wholly deterministic generation of 'k', while not adversely affecting the security of (EC)DSA itself and enabling an implementation to be safely tested using dummy values of 'x', may have a deleterious effect against resistance to side-channel attacks such as DPA (as opposed to "masking" using a true RNG). From: "David McGrew (mcgrew)" <mcgrew@cisco.com> Subject: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms Date: September 13, 2012 7:40:41 AM PDT To: "cfrg@irtf.org" <cfrg@irtf.org> Hi, Thomas has updated his individual submission on deterministic [EC]DSA. I think this is useful work that deserves to move forward to RFC, and that the research group should support it (based on my own opinion and the positive feedback on the list regarding version -00). Please take a look at the draft if you have an opinion on digital signatures, and let Thomas know if you have constructive criticism. Verification of the test cases, and review of the security considerations, would be especially helpful. Thanks, David <http://tools.ietf.org/html/draft-pornin-deterministic-dsa-01> _______________________________________________ Cfrg mailing list Cfrg@irtf.org http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] call for review: Deterministic Usage of DS… David McGrew (mcgrew)
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… Igoe, Kevin M.
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… Igoe, Kevin M.
- Re: [Cfrg] call for review: Deterministic Usage o… Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] call for review: Deterministic Usage o… Dan Brown
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… Dan Brown
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… Dan Brown
- Re: [Cfrg] call for review: Deterministic Usage o… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz