Re: [Cfrg] Why hash verifier's key?
Dan Brown <dbrown@certicom.com> Sun, 02 August 2015 02:16 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86AC71A882A for <cfrg@ietfa.amsl.com>; Sat, 1 Aug 2015 19:16:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.1
X-Spam-Level:
X-Spam-Status: No, score=0.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQsG8UyBjvfC for <cfrg@ietfa.amsl.com>; Sat, 1 Aug 2015 19:16:23 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id 7F34E1A8829 for <cfrg@irtf.org>; Sat, 1 Aug 2015 19:16:23 -0700 (PDT)
Received: from xct107cnc.rim.net ([10.65.161.207]) by mhs214cnc.rim.net with ESMTP/TLS/AES128-SHA; 01 Aug 2015 22:16:21 -0400
Received: from XCT116CNC.rim.net (10.65.161.216) by XCT107CNC.rim.net (10.65.161.207) with Microsoft SMTP Server (TLS) id 14.3.210.2; Sat, 1 Aug 2015 22:16:20 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT116CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Sat, 1 Aug 2015 22:16:19 -0400
From: Dan Brown <dbrown@certicom.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Why hash verifier's key?
Thread-Index: AdDMyTgISjSg1sDHSDKi2hQ/xGCx3Q==
Date: Sun, 02 Aug 2015 02:16:19 +0000
Message-ID: <20150802021617.5333071.28434.5435@certicom.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="utf-8"
Content-ID: <962735BF8472004892EA90E900040456@rim.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/W8MjOLUk1zJJcdv_g3sdIqS4zEw>
Subject: Re: [Cfrg] Why hash verifier's key?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Aug 2015 02:16:25 -0000
I think there's a similar random self-reduction for some kinds of ECDSA forgeries, but not Schnorr or ECDSA_CFRG or ECDSA with hashed public key. Chances are I'm wrong, again, but before I forget I'll sketch it out. Goal: forge M under public key A. Use: 1 of n forger. choose messages M_1, ..., M_n. choose public keys A_j = H(M_j)/H(M) A run 1 of n forger: ask it to forge M_j under A_j for some j. Obtain forgery (r_j,s_j) of M_j under A_j for some j. Output (r,s)=(r_j,s_j H(M)/H(M_j)) as forgery of M under A. I doubt this reduction would work for existential or chosen-message 1 of n forgery. the 1 of n forger might somehow fail if M_j and A_j are correlated as above. So, we have to posit a 1 of n forger that never fails. Original Message From: D. J. Bernstein Sent: Saturday, August 1, 2015 7:03 PM To: cfrg@irtf.org Subject: Re: [Cfrg] Why hash verifier's key? Context: EdDSA computes H(R,A,M) where A is the public key, instead of Schnorr's H(R,M). The original Ed25519 paper says that this is "an inexpensive way to alleviate concerns that several public keys could be attacked simultaneously". Dan Brown writes: > Could one the EdDSA proposers more formally expand on what these > "concerns" might be? Is it clear that an attack against N keys can't succeed---i.e., find at least one of the keys---with probability N times higher than an attack against 1 key? There are real attacks of this type. For example, if N users encrypt the same counter with N AES-128 keys (a perfectly normal situation with many modes---we don't want to blame the mode developers for doing something simple and deterministic), then a well-known attack finds one of the keys in time just 2^128/N with high probability. This turns into a serious threat as N grows. This is why I recommend 256-bit secret keys; it's also why EdDSA systematically avoids guessable 128-bit secrets. For discrete logs the situation is better. There's a very strong "random self-reduction" (the strongest type of "worst-case-to-average-case reduction", stronger than in lattice-based crypto) guaranteeing that an attack against N discrete logs can't have higher success probability than an attack against 1 discrete log. However, forging a signature could be easier than computing a discrete log, and forging signatures against one of N keys could be N times more likely than that. There's extensive security analysis regarding the first concern, but where's the security analysis regarding the second concern? Inserting the public key A into the hash alleviates this concern---this doesn't mean that it necessarily resolves the concern completely, but it's similar to defenses that have been shown to work in other contexts. The way that this type of insertion would show up in a hypothetical generic-hash proof would be to force an attacker computing hashes to commit to one key being attacked by each hash computation. Without the public key, there's only a commitment to R, and it's not at all clear that R is tied tightly enough to the public key to avoid the same loss factor of N. > Does inclusion of the verifier's public key in the hash precludes > derivation of the verifier's public key from the signature? It has this anonymity effect, yes, as pointed out by Ransom. However, there are other ways to achieve the same effect with only slightly higher cost; see Section 2.5 of the Elligator paper. This isn't the big reason to insert the public key into the hash. > On the other hand, being able to recover the public key from a > signature might have some other advantages. For example, one could > compress certificate chain by omitting the issuer's public keys. The current situation is that there are very large gaps between (1) the actual amount of data needed to send safe certificate chains, (2) the bandwidth used by TLS to send certificate chains, and (3) the total bandwidth used by TLS. The huge gap between #2 and #3 is the obvious explanation for why the gap between #1 and #2 has been allowed to persist. My experience is that protocols that send much less data, and that pay more attention to the overhead of signatures, start by removing the massive redundancy of constantly sending the same public keys with the same certificates---so their "chains" are just single signatures, and then the type of tweak you're talking about doesn't save space. Pintsov--Vanstone message recovery _does_ still save space, but unfortunately is still patented (7249259) until September 2019. ---Dan _______________________________________________ Cfrg mailing list Cfrg@irtf.org http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] Why hash verifier's key? Dan Brown
- Re: [Cfrg] Why hash verifier's key? Michael Hamburg
- Re: [Cfrg] Why hash verifier's key? D. J. Bernstein
- Re: [Cfrg] Why hash verifier's key? Dan Brown