IETF Logo Mail Archive

[CFRG] Threshold Sig required - Random bit flip hits Cert Transparency Log

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 07 July 2021 16:03 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DB423A1D02 for <cfrg@ietfa.amsl.com>; Wed, 7 Jul 2021 09:03:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.402
X-Spam-Level:
X-Spam-Status: No, score=-1.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tXJDOzKijjt2 for <cfrg@ietfa.amsl.com>; Wed, 7 Jul 2021 09:03:52 -0700 (PDT)
Received: from mail-yb1-f177.google.com (mail-yb1-f177.google.com [209.85.219.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EA4C3A1D00 for <cfrg@irtf.org>; Wed, 7 Jul 2021 09:03:52 -0700 (PDT)
Received: by mail-yb1-f177.google.com with SMTP id r132so3923254yba.5 for <cfrg@irtf.org>; Wed, 07 Jul 2021 09:03:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=OIi+X4mDchrl5w+ONU8wxtMaPXaXySM7TFYRqxBu1zQ=; b=VrSW5+v8lRjxLJlHY95i3Epii1v/m52377ogeaseju+4VvlaykeOCYZFwXbZTipEuv IaD/Znaf6dZDpOgtrj5DmxSAucBBGnjO6SGiASdD5iKwk10Z2LQdNIg82ehrJ2tH6sgD TL5yyi3A9a/rzNwUKfF+gTOFcGn5Z7SOZT5ao7AB4KS195I5GbjbGKNO/4s2fYpjzDVz yIXz+nc1wcXXbGHa5JLudD/jtanqwGQzoHH8QNYtUSEZcYidwEN0QHMfq3fPiJmTmQ1u 4DU/2kFSBUhmSfGpcPsgG835W8fYShBUibiiXOWu6NTLAcsoLFNWeDtN8e+pmVZ09mTI wlzQ==
X-Gm-Message-State: AOAM5332vzsbvR3HD/qL8WffG4kU9F+aLe3uoD/WJd5dkbIyLX8X5ts8 WxKQOyMGs3f/m6UpJp/BpFdIhe5Bxa5Nx+wVYQkugLtUCEY9Mw==
X-Google-Smtp-Source: ABdhPJxQi42ULLRnstpiS9HnbKnrOIzsEo8sPC76uUN9OXe0c5DA/lruzAA77tUfqeuloxhI5HeKYUdjllTcBBz0Ts0=
X-Received: by 2002:a25:f0b:: with SMTP id 11mr33645397ybp.518.1625673830845; Wed, 07 Jul 2021 09:03:50 -0700 (PDT)
MIME-Version: 1.0
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 07 Jul 2021 12:03:41 -0400
Message-ID: <CAMm+Lwjh29Eugv=HO-yL8fXW_xh7a=4vVgCKYWdRvGW9dU9o7A@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000035517405c68aafa6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ZMoPnaVoZtE7yJftdKgDi01eyw8>
Subject: [CFRG] Threshold Sig required - Random bit flip hits Cert Transparency Log
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2021 16:03:57 -0000

So it has actually happened, a one in a billion computing error has caused
a cert transparency log to become corrupted due to a bit flip error. There
is a discussion of the issue here:

Single random bit flip causes error in certificate transparency log |
Hacker News (ycombinator.com)
<https://news.ycombinator.com/item?id=27728287>

The solution they obsess over (ECC RAM) is actually irrelevant to the error
in that case as it was an even rarer CPU error. Which means that what I
considered to be a more or less theoretical concern about signing append
only logs turns out to have actually occurred. Do things billions of times
and billion to one chances will happen.


The only robust solution to this issue is for redundant notaries to sign
the log.

Consider the case where we have an append only log that is authenticated by
means of a Merkle tree with the apex of the tree being signed at 10 minute
intervals. If we have a single server doing the signing, any error that
occurs will lead to the log becoming invalid. This condition cannot be
distinguished from a notary default.

But consider the case where there are three notaries each signing the log,
which private key should they use?

All three signers use the same key means that if an error occurs, we risk
having a correct and incorrect version of the same log being signed. That
means there is a real risk of the incorrect log and signature leaking
somehow.

All three signers using different keys is also bad because now we have
three independent notaries and the relying party has to do the job of
deciding which one to trust. There is an even greater risk of the wrong log
being relied on at some point.

A threshold scheme with three shares and a quorum of 2 solves the problem
very neatly. The possibility of an undetected error is now much smaller as
two signers must be hit with an error having exactly the same effect at the
same time. That is a very remote possibility unless the error is somehow
caused by an architectural defect in the CPU. So we should probably choose
separate chipset architectures (Intel, AMD, ARM?) if we want to get to
maximum robustness.


So how is the FROST draft coming?

v2.38.3 | Report a Bug | By Email | System Status