Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
Taylor R Campbell <campbell+cfrg@mumble.net> Wed, 03 June 2015 22:47 UTC
Return-Path: <campbell@mumble.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B2181B3002 for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2015 15:47:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NjlZkbJ-bslB for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2015 15:47:35 -0700 (PDT)
Received: from jupiter.mumble.net (jupiter.mumble.net [74.50.56.165]) by ietfa.amsl.com (Postfix) with ESMTP id B96711B3003 for <cfrg@irtf.org>; Wed, 3 Jun 2015 15:47:35 -0700 (PDT)
Received: by jupiter.mumble.net (Postfix, from userid 1014) id AF2A460567; Wed, 3 Jun 2015 22:46:40 +0000 (UTC)
From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: Rene Struik <rstruik.ext@gmail.com>
In-reply-to: <556F6E51.7060607@gmail.com> (rstruik.ext@gmail.com)
Date: Wed, 03 Jun 2015 22:47:34 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
User-Agent: IMAIL/1.21; Edwin/3.116; MIT-Scheme/9.1.99
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20150603224640.AF2A460567@jupiter.mumble.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/aS6ZgJ7uRHiTY6jJTKaxgn982hs>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 22:47:38 -0000
Date: Wed, 03 Jun 2015 17:14:57 -0400 From: Rene Struik <rstruik.ext@gmail.com> Isn't the double signing merely an artifact of running the Schnorr signature scheme in a mode where the ephemeral private key is deterministically derived from message and private info? I don't see how this would apply with the original Schnorr scheme, since there one simply has s:= k - e d (mod n), where e=h(m,R), where R:=kG, where n size of prime-order subgroup, and where k is randomly picked. Requiring signers to have a source of entropy at signing time to randomly choose a distinct k for each signature has historically been a source of high-profile cryptography disasters[1][2]. The NIST was warned about this in 1991 when standardizing the DSA, and ignored the warning[3], claiming that entropy at signing time is no more likely to be bad than entropy at key generation time. Debian showed them wrong. There are three security concerns in Alexey's poll and your question: (a) secret key recovery if k is reused or even slightly predictable, (b) signature forgery if the attacker can find collisions in the hash function, and (c) denial of service or processing of unauthenticated data if a protocol requires the verifier to consume arbitrarily large messages before verifying the signature. Randomized DSA- or Schnorr-type schemes that use an entropy source at signing time are vulnerable to (a). You can defend against this (and EdDSA does) by hashing the secret key together with the message to derive k deterministically: the secret key is unpredictable to the attacker, so standard PRF assumptions imply k is unpredictable too. (Bonus: easy test vectors for the real signing code.) Schemes defined in terms of H(m) for a fixed H are vulnerable to (b). You can defend against this (and EdDSA does) by using a keyed hash H_k(m) and relying only on target collision resistance instead of collision resistance. You could defend against both (a) and (b) by hashing the message under a different key, say h, and signing H_h(m) -- that is, choose h randomly, compute H_h(m), and derive k from the secret key and H_h(m) to sign the message h || H_h(m). But this leaves (c). Protocols designed under the assumption of streaming I/U/F are likely to be vulnerable to (c). You can defend against this (and EdDSA does) by encouraging protocol designers to sign and verify short messages rather than long ones, and to split long messages into independently verifiable parts, e.g. by signing each part separately or signing the root of a Merkle tree of parts. [1] Debian broke OpenSSL's PRNG seeding so that it had only 2^15 possible seeds, enabling recovery of (EC)DSA secret keys used on affected systems with predictable k even if the secret key was otherwise secure. https://wiki.debian.org/SSLkeys [2] Sony reused k verbatim for PlayStation 3 firmware updates signed with ECDSA, enabling recovery of the firmware signing key. fail0verflow, `Console Hacking 2010: PS3 Epic Fail', 27c3, 2010. http://events.ccc.de/congress/2010/Fahrplan/attachments/1780_27c3_console_hacking_2010.pdf [3] Miles E. Smid and Dennis K. Branstad (NIST), `Response to Comments on the NIST Proposed Digital Signature Standard', CRYPTO'92, LNCS 740, pp. 76--88, Springer, 1993. (See Sec. 4.9 about k.)
- [Cfrg] Elliptic Curves - signature scheme: friend… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Jim Schaad
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Peter Gutmann
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Laurens Van Houtven
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… David Leon Gil
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tom Yu
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] square roots Rene Struik
- [Cfrg] testability of signature input/output para… Rene Struik
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] square roots David Jacobson
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Taylor R Campbell
- Re: [Cfrg] square roots Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Derek Atkins
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Mike Hamburg
- Re: [Cfrg] testability of signature input/output … Yoav Nir
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Watson Ladd
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Nico Williams
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Björn Edström
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paul Hoffman
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Dan Brown
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Stephen Farrell