IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

Andrey Jivsov <crypto@brainhub.org> Tue, 12 May 2015 00:18 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A94D61B2A99 for <cfrg@ietfa.amsl.com>; Mon, 11 May 2015 17:18:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CjFFs8I18Khv for <cfrg@ietfa.amsl.com>; Mon, 11 May 2015 17:18:04 -0700 (PDT)
Received: from resqmta-po-01v.sys.comcast.net (resqmta-po-01v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:160]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91E091B2A98 for <cfrg@irtf.org>; Mon, 11 May 2015 17:18:04 -0700 (PDT)
Received: from resomta-po-03v.sys.comcast.net ([96.114.154.227]) by resqmta-po-01v.sys.comcast.net with comcast id SoHo1q0024ueUHc01oJ39g; Tue, 12 May 2015 00:18:03 +0000
Received: from [IPv6:::1] ([71.202.164.227]) by resomta-po-03v.sys.comcast.net with comcast id SoJ21q00J4uhcbK01oJ3yr; Tue, 12 May 2015 00:18:03 +0000
Message-ID: <555146BA.9060906@brainhub.org>
Date: Mon, 11 May 2015 17:18:02 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: cfrg@irtf.org
References: <20150511152314.GG7287@localhost> <20150511200213.18468.qmail@cr.yp.to> <20150511202605.GK7287@localhost>
In-Reply-To: <20150511202605.GK7287@localhost>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1431389883; bh=ofeyCX4Ch6mSXBcLhRlTkk9q40chyAzKJS2HcfotNZI=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=KVrI7KmRZ81o0HmU0fiOLq4deidNUPkpiuuNMOZygK7O6EKYAwz8i5Tf56dg0d8dC aMMszL8dTbuIl8PsUNcGYc6ZkJbFx0NviYWAKpLztxJION0zcvd2+RcwexIdjp02t7 bV3zGihRb9zCgfxgZFDXDu16bh+M5PkVMGn2FasDFCZOITriz0UdgN5WgUoXK30ANl 9FSX3KUfjNP9Of9rfLazVzC5QIQY5nNYAhhzDjia7Um0NXo/LKt3rihJZh34vYdSzC PtcSwgc1iy+PXWpT/lNzU9FQ+rIe4WwAGn+ouEqZh+qDJ4DwcnL90HG0uBK7pwh3an fGztDyujWeb5A==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/YBzOVfAXT1wvI5s1WjaBv51u95g>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2015 00:18:06 -0000

On 05/11/2015 01:26 PM, Nico Williams wrote:
> On Mon, May 11, 2015 at 08:02:13PM -0000, D. J. Bernstein wrote:
>> Nico Williams writes:
>>> replacing M with H(M) in the second hash
>> This makes the signature scheme vulnerable to collisions in H. This
>> _shouldn't_ be a problem, since the community puts a lot of effort into
>> designing hash functions for which finding collisions seems to be
>> extremely difficult; but it's safer to build collision-resilient
>> signature systems, using collisions as an early-warning mechanism.
> Right.  Fot the record, I'd prefer to not replace M with H(M) in the
> derivation of k.  Instead I'd rather not have hardware like Andrey
> posited.

This is a somewhat separate question about the hashing twice 
(https://www.ietf.org/proceedings/92/minutes/minutes-92-cfrg search for 
"twice"), but I view that the related concerns supports the idea of a 
random k esp. with protocols that deal with messages of unlimited size.

Nico: you are against the interpretation of EdDSA as done in 
https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-00#section-5. 
If you are against, consider what the code like "cat InFile | gpg 
--clearsign" suppose to do then? (I assume that this piping is what 
influenced this particular interpretation of EdDSA.)

Because pipes are unidirectional, M (v.s. H(H)) protocol forces the code 
to buffer the message into a temporary file. Creating a temporary file 
amplifies the concern in 
http://www.ietf.org/mail-archive/web/cfrg/current/msg06759.html (e.g. 
consider some setup with different privileges): there is a good chance 
that an implementation will do the second hashing on the temp file, but 
not the first (because the first hashing can be performed on the piped 
in content).

>
> It is clear that some users have a use for randomized k's, and that will
> interop with a deterministic, stateless signature scheme that derives k
> from the secret key and the message.  There's no way to prevent that,
> so/and we shouldn't try, but the signature scheme that CFRG settles on
> should be deterministic and stateless as specified.

I generally agree with this. Just don't criminalize / recognize the 
benefit of random 'k' (with the security caveats).

> Nico

v2.23.0 | Report a Bug | By Email