IETF Logo Mail Archive

Re: [Cfrg] Why hash verifier's key?

Dan Brown <dbrown@certicom.com> Sun, 02 August 2015 02:16 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86AC71A882A for <cfrg@ietfa.amsl.com>; Sat, 1 Aug 2015 19:16:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.1
X-Spam-Level:
X-Spam-Status: No, score=0.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQsG8UyBjvfC for <cfrg@ietfa.amsl.com>; Sat, 1 Aug 2015 19:16:23 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id 7F34E1A8829 for <cfrg@irtf.org>; Sat, 1 Aug 2015 19:16:23 -0700 (PDT)
Received: from xct107cnc.rim.net ([10.65.161.207]) by mhs214cnc.rim.net with ESMTP/TLS/AES128-SHA; 01 Aug 2015 22:16:21 -0400
Received: from XCT116CNC.rim.net (10.65.161.216) by XCT107CNC.rim.net (10.65.161.207) with Microsoft SMTP Server (TLS) id 14.3.210.2; Sat, 1 Aug 2015 22:16:20 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT116CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Sat, 1 Aug 2015 22:16:19 -0400
From: Dan Brown <dbrown@certicom.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Why hash verifier's key?
Thread-Index: AdDMyTgISjSg1sDHSDKi2hQ/xGCx3Q==
Date: Sun, 02 Aug 2015 02:16:19 +0000
Message-ID: <20150802021617.5333071.28434.5435@certicom.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="utf-8"
Content-ID: <962735BF8472004892EA90E900040456@rim.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/W8MjOLUk1zJJcdv_g3sdIqS4zEw>
Subject: Re: [Cfrg] Why hash verifier's key?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Aug 2015 02:16:25 -0000

I think there's a similar random self-reduction for some kinds of ECDSA forgeries, but not Schnorr or ECDSA_CFRG or ECDSA with hashed public key. Chances are I'm wrong, again, but before I forget I'll sketch it out.
‎
‎Goal: forge M under public key A.
Use: 1 of n forger.

choose messages M_1, ..., ‎M_n.
choose public keys A_j = H(M_j)/H(M) A
run 1 of n forger: ask it to forge M_j under A_j for some j.
Obtain for‎gery (r_j,s_j) of M_j under A_j for some j.
Output (r,s)=(r_j,s_j H(M)/H(M_j)) as forgery of M under A.

I doubt this reduction would work for existential or chosen-message 1 of n forgery.‎
‎
‎the 1 of n forger might somehow fail if M_j and A_j are correlated as above. So, we have to posit a 1 of n forger that never fails.
‎
  Original Message  
From: D. J. Bernstein
Sent: Saturday, August 1, 2015 7:03 PM
To: cfrg@irtf.org
Subject: Re: [Cfrg] Why hash verifier's key?

Context: EdDSA computes H(R,A,M) where A is the public key, instead of
Schnorr's H(R,M). The original Ed25519 paper says that this is "an
inexpensive way to alleviate concerns that several public keys could be
attacked simultaneously".

Dan Brown writes:
> Could one the EdDSA proposers more formally expand on what these
> "concerns" might be?

Is it clear that an attack against N keys can't succeed---i.e., find at
least one of the keys---with probability N times higher than an attack
against 1 key?

There are real attacks of this type. For example, if N users encrypt the
same counter with N AES-128 keys (a perfectly normal situation with many
modes---we don't want to blame the mode developers for doing something
simple and deterministic), then a well-known attack finds one of the
keys in time just 2^128/N with high probability. This turns into a
serious threat as N grows. This is why I recommend 256-bit secret keys;
it's also why EdDSA systematically avoids guessable 128-bit secrets.

For discrete logs the situation is better. There's a very strong "random
self-reduction" (the strongest type of "worst-case-to-average-case
reduction", stronger than in lattice-based crypto) guaranteeing that an
attack against N discrete logs can't have higher success probability
than an attack against 1 discrete log.

However, forging a signature could be easier than computing a discrete
log, and forging signatures against one of N keys could be N times more
likely than that. There's extensive security analysis regarding the
first concern, but where's the security analysis regarding the second
concern?

Inserting the public key A into the hash alleviates this concern---this
doesn't mean that it necessarily resolves the concern completely, but
it's similar to defenses that have been shown to work in other contexts.
The way that this type of insertion would show up in a hypothetical
generic-hash proof would be to force an attacker computing hashes to
commit to one key being attacked by each hash computation. Without the
public key, there's only a commitment to R, and it's not at all clear
that R is tied tightly enough to the public key to avoid the same loss
factor of N.

> Does inclusion of the verifier's public key in the hash precludes
> derivation of the verifier's public key from the signature?

It has this anonymity effect, yes, as pointed out by Ransom. However,
there are other ways to achieve the same effect with only slightly
higher cost; see Section 2.5 of the Elligator paper. This isn't the big
reason to insert the public key into the hash.

> On the other hand, being able to recover the public key from a
> signature might have some other advantages. For example, one could
> compress certificate chain by omitting the issuer's public keys.

The current situation is that there are very large gaps between

(1) the actual amount of data needed to send safe certificate chains,
(2) the bandwidth used by TLS to send certificate chains, and
(3) the total bandwidth used by TLS.

The huge gap between #2 and #3 is the obvious explanation for why the
gap between #1 and #2 has been allowed to persist.

My experience is that protocols that send much less data, and that pay
more attention to the overhead of signatures, start by removing the
massive redundancy of constantly sending the same public keys with the
same certificates---so their "chains" are just single signatures, and
then the type of tweak you're talking about doesn't save space.
Pintsov--Vanstone message recovery _does_ still save space, but
unfortunately is still patented (7249259) until September 2019.

---Dan

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email