[Cfrg] testability of signature input/output parameters
Rene Struik <rstruik.ext@gmail.com> Thu, 04 June 2015 14:09 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54E4D1B34F6 for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 07:09:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_ABOUTYOU=0.5, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x_TH7hy-0w4Z for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 07:09:49 -0700 (PDT)
Received: from mail-ie0-x22a.google.com (mail-ie0-x22a.google.com [IPv6:2607:f8b0:4001:c03::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 903081A87E7 for <cfrg@irtf.org>; Thu, 4 Jun 2015 07:09:49 -0700 (PDT)
Received: by ieclw1 with SMTP id lw1so36884374iec.3 for <cfrg@irtf.org>; Thu, 04 Jun 2015 07:09:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=+RHHihUTzz8oo2mttlExiyeAy+HUqTUDlhuaDHzTDms=; b=TW15epGNobjTNyHBQlzEPM+pS0R9lA++9dTeGStCmUlTagjcjme3Y+VjgmdWbJwDGm zvDHGOKFuRHRiYJ5JO+XAIYyn/7zT8TUvv8cu+kgo9kZvLm8l0kQYI4+GQ5g0eZyJWTc 5R/vgQ40+/Sju0K+wv60rwCQOulFCTYxUiFsdj5IOoJvjSG7azf+Hctxh4XDX8+HZNJz 7mW06dO+AIBNQBGP7vkuEAtP08wzYvudDKozJzcxE/Zg2r2nQl6Wb6lE9/KVcx+2oSyI 6v4bNMqGG1OsU+vhPQeaxvj7ZEbTqc0Uqeh+dCIbh3ToCoTdwukjtmf30a5nK/ij1x1p 1Hug==
X-Received: by 10.50.79.232 with SMTP id m8mr33922940igx.6.1433426988924; Thu, 04 Jun 2015 07:09:48 -0700 (PDT)
Received: from [192.168.0.14] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id p8sm2682451iga.13.2015.06.04.07.09.48 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 04 Jun 2015 07:09:48 -0700 (PDT)
Message-ID: <55705C19.4040600@gmail.com>
Date: Thu, 04 Jun 2015 10:09:29 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <556F8811.2070101@cs.tcd.ie> <20150604065658.GA14531@LK-Perkele-VII>
In-Reply-To: <20150604065658.GA14531@LK-Perkele-VII>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/cWFdweiq02sKf1KsAxluCnNc8FE>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] testability of signature input/output parameters
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2015 14:09:51 -0000
Hi Ilari: Just curious about your remark that deterministic signatures would allow for easier testability. I don't know how these tests would exactly look like, but I presume these take as input some messages and public keys written in a spec and then checking whether the signature output is indeed as listed in the spec for the corresponding message/public key pairs {let us assume that these test parameters have been confirmed independently, prior to ending up in this spec}. Wouldn't one be able to get similar testability results by listing as input some messages and public/private key pairs, and then checking whether the signature output is indeed as listed in the spec? {After all, one can recompute all private parameters, once the private signing key is known.} If so, this would provide easy testability also in case of non-deterministic signature schemes. Note that the signature verification routine already provides virtually all the mechanisms to implement these "self tests", so incremental implementation cost would be virtually zero. In either case, the testability argument seems to provide only evidence re "expected" implementation behavior with specified test parameters and not for any non-specified input/output parameters. Best regards, Rene On 6/4/2015 2:56 AM, Ilari Liusvaara wrote: > On Thu, Jun 04, 2015 at 12:04:49AM +0100, Stephen Farrell wrote: >> I'd hate to miss one of Alexey's polls:-) >> >> I'm almost neutral on this one. While we have historically preferred >> #1 for the reason noted in the subject line, there are really very few >> cases where that turns out to be a real issue, as opposed to being a >> theoretical one. >> >> So I think we could probably live with #2, and that could suffice for >> TLS and DNSSEC and other applications, even though #2 would mean >> that users of the signature scheme (e.g. IETF protocol developers) may >> need to learn something new, which is a downside. >> >> While #3 seems superficially attractive, my guess is it'd cause more >> confusion and interop issues, and is of course offering a choice to >> users of the scheme and so I don't like that one:-) > Having an option of hashing the message first (with an indication that > message was prehashed or even what hash was used) would be #3. > > Conversely, that would be the most reasonable implementation of #3. > > The reason for including hash function is to guard against trying to > confuse implementations over what hash function is used, allowing > forging signatures using stronger hashes by abusing weaker ones. The > internal hash function is much less of concern due to natural > strengthtening from hashing in various things derived from key. > > >> So put me down for (#2 or #1) for this one, with a very very tiny >> preference for #2 and documenting that one ought not use this for >> signing large things directly (which one probably ought not do in any >> case). But #1 would also be an acceptable outcome from my POV since >> we're in practice already dependent on the collision resistance of >> all the relevant hash functions and that won't ever really go away >> as long as there are RSA/SHA256 certificates out there which'll be >> the case for years and maybe decades to come. So the security >> benefit of #2 isn't so great, although it's real. > The problem with #1 isn't so much the CR requirement, but what it will > do to implementation safety: > > Basically, it is difficult to do #1 without either: > - Prehashing the message with something capabile of signing much larger > things. Adding an indication that this prehash has been done would give > #3). > - Making scheme that is dangerous by breaking basic safety. > > > The basic safety requirements I am thinking are: > > 1) Determinism. > > The scheme is fully deterministic. > > Breaking this makes the implementations very hard to test. > > 2) No random/unpredictable inputs except key. > > No input to functions except key may be assumed random in any way nor > unpredictable. > > Breaking this makes primitive easy to misuse in ways that cause > catastrophic breakage (reveal signing private key). > > 3) No scalar inversions or square roots for signature > > Signing must not need computing 1/x mod l or sqrt(x) mod l. > > Breaking this doesn't just make scheme slow, but also causes severe > side-channel hazards. > > And sidechannels matter: Modern CPUs and OSes are ridiculously vulernable, > with attackers capable of exploiting such bugs across virtual machines on > the same physical hardware. > > 4) No nonces in main mode > > The main mode may not assume any input is not repeated. > > Breaking this again makes scheme easy to misuse with very bad results > (hopefully anything using special modes will read the caveats). > > > Breaking any of these will cause real-world failures, as has been > demonstrated many times by ECDSA. > > > -Ilari > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- [Cfrg] Elliptic Curves - signature scheme: friend… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Jim Schaad
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Peter Gutmann
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Laurens Van Houtven
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… David Leon Gil
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tom Yu
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] square roots Rene Struik
- [Cfrg] testability of signature input/output para… Rene Struik
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] square roots David Jacobson
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Taylor R Campbell
- Re: [Cfrg] square roots Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Derek Atkins
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Mike Hamburg
- Re: [Cfrg] testability of signature input/output … Yoav Nir
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Watson Ladd
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Nico Williams
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Björn Edström
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paul Hoffman
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Dan Brown
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Stephen Farrell