Re: [Cfrg] Summary of the poll: Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Andrey Jivsov <crypto@brainhub.org> Fri, 19 June 2015 22:29 UTC

Message-ID: <558497DD.5060006@brainhub.org>
Date: Fri, 19 Jun 2015 15:29:49 -0700
From: Andrey Jivsov <crypto@brainhub.org>
To: cfrg@irtf.org
References: <557FEA01.7070207@isode.com> <557FE6E4.3040509@isode.com> <20150619062752.3506.qmail@cr.yp.to> <CAA4PzX3Toc+Ev6rp38rU73rinygxGPE7_FLXOWrRMh+N4SPyYQ@mail.gmail.com> <CAMfhd9Ua=fV_MKMfj1T8dApM6fA7Ko4y8-_uu03dd_WpmK4VvQ@mail.gmail.com>
In-Reply-To: <CAMfhd9Ua=fV_MKMfj1T8dApM6fA7Ko4y8-_uu03dd_WpmK4VvQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/_pQHc2hKm3zQ2NMfbH2WrqnJA-g>
Subject: Re: [Cfrg] Summary of the poll: Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

On 06/19/2015 02:32 PM, Adam Langley wrote:
> Ponder, for a second, a world in which CFRG specified two schemes:
> Ed25519(m) and Ed25519(H(m)).
>
> Also consider a PKI system that issues certificates and CRLs.
> Certificates are a type of message and are some serialisation of {0,
> name, public-key of name}, where the zero is a single byte that serves
> as a "type" indicator. CRLs are another type of message and are {1,
> start-time, end-time, list of revoked certificate hashes}.
>
> A signed message is {message, signature-algorithm, signature}.
>
> Now, you might not think that this design is wise, but I would argue
> that it's plausible as it's similar to X.509.
>
> I, the attacker, can register a domain name and get a certificate for
> it. The CA happens to sign with Ed25519(H(m)), even though the
> messages aren't very large. So, offline, I iterate over many domain
> names and pick one where the hash of the certificate structure for
> that name and my public-key looks like a valid CRL message. I need to
> fix the first byte to be one, probably fix a few other length bytes,
> and obviously my fake CRL has to be exactly the length of a hash, but
> the work-factor is pretty plausible.
>
> Now I register that domain name and get a certificate for it. Then I
> construct {message = fake CRL, signature-algorithm = Ed25519(m),
> signature = signature from real certificate}. That should validate,
> no? If I can construct a valid, signed CRL that covers a wide range of
> time then I've broken revocation in this system.
>
> The key here is that the attacker can specify the signature algorithm
> and confuse the verifier. X.509 allows exactly this but, even if not,
> I suspect that people will use the same key in several different
> contexts like that.
>
> So we would need to be careful with Ed25519(H(m)).
>
We can stress that IUF is a property of the key. I think this is a natural thing to do.

Randomized signatures mitigate these concerns too. The attack Adam described assumes that the attacker controls the image of the H(m) fed by the CA to Ed25519.

Compare this with sig = nonce | Ed25519(H(nonce | m)), where the signer picks/derives the unpredictable nonce somehow. Applications that want IUF need it for "large" files, and they shouldn't mind expanding the signature with an explicit nonce.

(On Adam's particular attack, it's odd that a (small) X.509 cert is signed as Ed25519(H(m)), but a (large) CRL as Ed25519(m).)
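The mode confusion Adam describes, and the two mitigations raised in this reply (binding the mode to the key, and a signer-chosen nonce hashed in with the message), can be modelled with a small script. This is an added example, not code from the thread or from any Ed25519 implementation: the "signature" primitive is a constructed stand-in (HMAC-SHA512 under a secret key), used only because the point, that signing m and signing H(m) under one key lets a verifier be steered by an attacker-chosen algorithm field, does not depend on the primitive. The function names, the `"plain"`/`"prehash"` mode labels, the `(key, mode)` key record and the sample certificate bytes are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a signature primitive: HMAC-SHA512 under a secret key.
# It is NOT Ed25519; it only models "a fixed function of (key, input bytes)".
def H(data: bytes) -> bytes:
    return hashlib.sha512(data).digest()

def primitive_sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha512).digest()

def primitive_verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(primitive_sign(key, data), sig)

# Two modes sharing one key, as in the hypothetical CFRG pair of schemes:
#   "plain"   -> sign m directly        (Ed25519(m))
#   "prehash" -> sign H(m), IUF-friendly (Ed25519(H(m)))
def sign(key: bytes, mode: str, m: bytes) -> bytes:
    data = m if mode == "plain" else H(m)
    return primitive_sign(key, data)

def verify_attacker_chosen_mode(key: bytes, mode: str, m: bytes, sig: bytes) -> bool:
    """Verifier that trusts the signature-algorithm field carried in the message."""
    data = m if mode == "plain" else H(m)
    return primitive_verify(key, data, sig)

def verify_mode_bound_to_key(key_record, mode: str, m: bytes, sig: bytes) -> bool:
    """Mitigation 1: IUF (prehash) is a property of the key. key_record = (key, mode).
    A message claiming a different mode than the key was issued for is rejected."""
    key, key_mode = key_record
    if mode != key_mode:
        return False
    return verify_attacker_chosen_mode(key, mode, m, sig)

def sign_randomized(key: bytes, m: bytes) -> bytes:
    """Mitigation 2: sig = nonce | Sign(H(nonce | m)); the signer picks the nonce,
    so the image fed to the primitive is not under the message author's control."""
    nonce = os.urandom(32)
    return nonce + primitive_sign(key, H(nonce + m))

def verify_randomized(key: bytes, m: bytes, sig: bytes) -> bool:
    nonce, tag = sig[:32], sig[32:]
    return primitive_verify(key, H(nonce + m), tag)

def demo_confusion(ca_key: bytes, cert: bytes):
    """Sign a (small) certificate in prehash mode, then present the bytes that were
    actually fed to the primitive, H(cert), as a 'plain' message with the same sig."""
    sig = sign(ca_key, "prehash", cert)
    confused = verify_attacker_chosen_mode(ca_key, "plain", H(cert), sig)
    bound = verify_mode_bound_to_key((ca_key, "prehash"), "plain", H(cert), sig)
    return confused, bound  # (True, False): trusting the field fails, key-bound mode holds

def demo_randomized(ca_key: bytes, cert: bytes):
    """With a signer-chosen nonce the precomputed target H(cert) is no longer what
    was signed, so the same reinterpretation no longer verifies."""
    sig = sign_randomized(ca_key, cert)
    tag = sig[32:]
    genuine = verify_randomized(ca_key, cert, sig)
    confused = verify_attacker_chosen_mode(ca_key, "plain", H(cert), tag)
    return genuine, confused  # (True, False)

if __name__ == "__main__":
    key = os.urandom(32)
    # Constructed certificate bytes: {0, name, public-key of name}
    cert = b"\x00" + b"example.test" + b"\x00" + b"pubkey-of-example.test"
    print("attacker-chosen mode / key-bound mode:", demo_confusion(key, cert))
    print("randomized: genuine / reinterpreted:", demo_randomized(key, cert))
```

The point the first demo makes is the one in the quoted message: under a shared key the prehash signature on `cert` is, byte for byte, a plain-mode signature on `H(cert)`, so anything that lets the message author pick the mode turns one signature into two. Binding the mode to the key removes the choice; the nonce variant keeps the choice but takes the image of H away from whoever authored m.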