Re: [Cfrg] Multi-user attack on bottleneck key generation?
Rene Struik <rstruik.ext@gmail.com> Thu, 02 May 2019 18:46 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0322512012C for <cfrg@ietfa.amsl.com>; Thu, 2 May 2019 11:46:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 836S2A-eDEhE for <cfrg@ietfa.amsl.com>; Thu, 2 May 2019 11:46:44 -0700 (PDT)
Received: from mail-it1-x12f.google.com (mail-it1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE254120125 for <cfrg@irtf.org>; Thu, 2 May 2019 11:46:43 -0700 (PDT)
Received: by mail-it1-x12f.google.com with SMTP id l10so5183036iti.3 for <cfrg@irtf.org>; Thu, 02 May 2019 11:46:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=t9TTRLRN3DyeOPL6cdsc3gPs0dLQJawFB1vti62E0JU=; b=IlJUFa7w9GmRDzY3rgo60oCfCkEY4NSy5R6zvej4k8ogV2YttETOwlgiEZOEQYWUw9 dkB2Ap9U7MUmMs5MhWgcOlq2fXtOU93H7T8ro2hBmVHXgmpJeHi407SKpTaj8SwR/zUe 59v18sZNgAVHUq98QDFI1rDXD9Armh8EE9J7AdaqEvImF6GGxBsoQcGNvyLF75vWvaHC n+quyp/e1m1V8VlvU93X32YoyZC3Z2bqK9KqVOhz4HsnqV1DKAPqMjoZhlAjV1WJzQgv eRe7l/dBSCoSaON+8hoT0IS/uFg54lLSO/AOJL2RmE39ff3nngf3yi4IWQ9vCQhdKIA2 nBrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=t9TTRLRN3DyeOPL6cdsc3gPs0dLQJawFB1vti62E0JU=; b=IBLXPK7NdibabS4uU3rZVu7pYpu2tldPbv786XKFiMuk7x+AdrXVsHUl29l8PbZEuO IHZpmoxaszzBPDfVmkr0BDd5a2mgun+k+gX8vDUcHkth+P40hRmbVueg5RTB2n18KGxK r03kUo9VqKGx+0+S1b07mu8QcMdZDwc6gTTvQnl8ylOqFH1G5yeO3mpAx6KYzuEoQbt1 +GxZd6SlGh6zINzf8Z0DmO1j0ifZl0QK67Xhz4JwRzP9kV7KPqxd3lhZcMa8yXZDFONG dg5v6wOyocMNjcGfL3aKxSY7HmKSZjkNO+5bP+RWtOh+v0SVubSP7nxISpHxkQou7CHi bvHA==
X-Gm-Message-State: APjAAAV/LAUwqxClyE/70qSWhRNW9WiSHYbAUcHeDm8sSBi7VxmbdbdU YKpL0pIdp/dkIkQFEw9VP/jpq35d
X-Google-Smtp-Source: APXvYqz5TtPgkjlwCN86TmeYJTOJZvn/rfTsQQ6l33Z36xq2nEfRRbMyV9KJxHgdeJc8rv4go4fdNA==
X-Received: by 2002:a02:63c7:: with SMTP id j190mr3758305jac.143.1556822802978; Thu, 02 May 2019 11:46:42 -0700 (PDT)
Received: from ?IPv6:2607:fea8:69f:f5eb:34f4:7800:b7b9:544d? ([2607:fea8:69f:f5eb:34f4:7800:b7b9:544d]) by smtp.gmail.com with ESMTPSA id q16sm4913544itb.37.2019.05.02.11.46.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 02 May 2019 11:46:41 -0700 (PDT)
To: Dan Brown <danibrown@blackberry.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <810C31990B57ED40B2062BA10D43FBF501DD031D@XMB116CNC.rim.net>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <0a72ce5f-3854-3210-d1ae-e371a6245564@gmail.com>
Date: Thu, 02 May 2019 14:46:39 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF501DD031D@XMB116CNC.rim.net>
Content-Type: multipart/alternative; boundary="------------5BDF396E52C935C1994D16D3"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Zt11BM_xbfkDBUTBZNXHhj3Au9c>
Subject: Re: [Cfrg] Multi-user attack on bottleneck key generation?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 18:46:48 -0000
Hi Dan: The paper [1] may be of interest to your problem. Best regards, Rene Ref: [1] DLP - Small Generic Hardcore Subset for DLP, Short Secret DL Keys (Claus Schnorr, Inform. Proc. Letters, 2001) On 5/2/2019 11:41 AM, Dan Brown wrote: > Dear CFRG, > > Is there a multi-user attack (e.g., see below) on _any_ 128-bit-secure public keys (e.g. 256-bit ECC keys) if they are generated by hashing 128-bit uniformly random seed? I will call this key generation method "bottleneck key generation". To be clear, all user users share the same 128-bit bottleneck, and that may be the problem. > > If there is indeed an multi-user attack here, is the multi-user attack (against 2^N users) prevented by using a (128+N)-bit seed, OR by using a unique-per-public-key salt/nonce/tag/personalization value? > > The very notion of multi-user security has always puzzled me: I question its merit as a goal. This might be why I forget how it works so easily. (Over the last day, I tried to remember/search for existing write-ups on this, see further below.) > > On the issue of naivety of the bottleneck key generation above, I think it very plausible that many would consider it reasonably secure. > > This topic touches a couple CFRG items, but seems to be question of general crypto interest. > > *** > > For completeness, here is what I think the multi-user attack on bottleneck key generation: > > Each of 2^32 users does the following. > - User j chooses a uniformly random 128-bit seed s[j], independently of all other users. > - User j computes a secret key a[j] by hashing s[j], e.g., using SHA-256 (or some other deterministic, collision-resistant function). > - User j computes a public key A[j] from a[j], e.g. in ECC A[j]=a[j]*G. > > The attacker does the following. > - Obtain all 2^32 values A[j], and sorts them, or stores in a hash-table. > - Does the following up to 2^96 times: > - compute a 128-bit seed, s', > - compute secret key a', the same way as the user, e.g. a' = SHA256(s'), > - compute public key A', the same way as the user, e.g. A' = a' * G, > - check if A' in is list of A[j], via table-lookup. > - If A' in A[j] is found, then attacker outputs a' as the guess for a[j]. The attacker wins the multi-user game. > > Success rate: The attack is expected to work with probability near 1/e (e~2.7?), essentially finding a collision at the level of seeds with s[j]=s', being a variation of the birthday paradox. (Proof sketch? Each s' has prob 2^32/2^128 of hitting an s[j], assuming all user seed distinct. This is 1/M for M=2^96. The prob of all M independent s' missing is (1-1/M)^M ~ 1/e. This ignore the prob of s[j] collisions, and SHA256 collisions, etc.) > > Attack cost: The attacker uses 2^96 steps (each step matching the user's cost). > > Hmm ... is this somehow an "optimal" multi-user attack, in the sense the cost reduction factor equals the number of users? > > If the seeds above are increased to 160 bits, then the multi-user attack (against 2^32 users) seems to take 2^128 steps. In this case, the multi-user security is optimal (matching single-user security). If we put a max of 2^64 users, then a 192-seed may be good enough for maximal multi-user security. > > Why do I question multi-user security? The cost of resisting multi-user attacks seems to be nonzero for the single user. It seems to me that the single-user should only pay for this cost if there is a common interest with other users. If there is a common interest, then maybe so formalized communal crypto is needed instead? E.g. group/ring/whatever signature? > > *** > > Relevant past work on multi-user security, in approximate chronological order: > > [1] Salting password hashes. Not sure what the best reference is for this. I think the oldest work is salting the password hashes. Is "salt" the usual word here? The numbers for larger seeds and keys correspond to higher security levels then passwords and hashes, but the logic is otherwise similar, isn't it? (In other words, not sure why new words would be used instead of salt.) > > [2] Hastad-style security analysis: I lump MANY works together, perhaps originating from Hastad, which all assume full-power key generation, i.e. NOT 128-bit bottleneck key generation. Instead, these papers ask other important questions about multi-user security. In other words, the question is whether the public key algorithm itself has some other kind of bottleneck (which all users share). As some examples of this direction of research, I include Bellare--Boldyreva--Micali work on PKE https://cseweb.ucsd.edu/~mihir/papers/musu.pdf and Bernstein's work on Schnorr signatures https://ia.cr/2015/996, but I would need to re-read these works carefully: perhaps they treat the issue of bottleneck key generation in an off-hand remark as an something obvious, dating back to [1]. > > [4] The issue seems to be discussed, rather vaguely, in ANSI X9.62-2005, Section K.5, item e. (I am trying to resolve comments from Elaine Barker about this Section K.5. I eventually clued about the generality of this issue, leading me to this email.) > > [5] Zaverucha, https://ia.cr/2012/159, "Hybrid encryption in the multi-user setting" perhaps goes a little further than the Hastad-type attacks that I lumped together in [3], since it describes 128-bottlenecks in key derivation more generally, including the key generation and HKDF. As with [3], I have forgotten the details, and would need re-read the paper very carefully to see if it really should be lumped together with [3]. > > [6] NIST Special publication 800-90Ar1, specifies a "DRBG". A DRBG can be interpreted as a deterministic function mapping a 128-bit secret seed to a pseudorandom 256-key. The NIST SP 800-90Ar1 requires a "nonce" or a "personalization string", unique to each user. Is this not just another example of the "salt" solution? Is the purpose of this "multi-user" security? I find the NIST document very long, and find it difficult to be certain if the multi-user security is resolved. > > [7] RFC 8032 has a comment about a few missing bits of entropy (in the EdDSA key) missing not being disastrous. This claim sounds correct (see the attack where I talk about 192-bit seeds). Is the justification for this claim quantified somewhere? There was also some discussion of multi-user security surrounding EdDSA variants, so maybe bottleneck key generation is an issue for EdDSA too. > > [8] The randomness improvement draft https://datatracker.ietf.org/doc/draft-irtf-cfrg-randomness-improvements/ uses the term "tag", which should be user-specific (?). Another example of a "salt", if I understand it. See also https://ia.cr/2018/1057 > > > A digression: best practice password-hashing involves costly hashes, e.g. Argon2, not just per-user salts. Costly hashes may be re-usable for public key seeding, no? > > > > Dan Brown > Phone: +1 (289) 261-4157 > BlackBerry, Security in Motion > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363