IETF Logo Mail Archive

Re: [Cfrg] testability of signature input/output parameters

Yoav Nir <ynir.ietf@gmail.com> Thu, 04 June 2015 17:20 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B56001A1BAE for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 10:20:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_ABOUTYOU=0.5, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iWPorjjj39kM for <cfrg@ietfa.amsl.com>; Thu, 4 Jun 2015 10:20:14 -0700 (PDT)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 679361A1B9E for <cfrg@irtf.org>; Thu, 4 Jun 2015 10:20:14 -0700 (PDT)
Received: by wgv5 with SMTP id 5so38851975wgv.1 for <cfrg@irtf.org>; Thu, 04 Jun 2015 10:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5ifFo1CmYAQy9XEmAkFcY0arrKDHV0CTebd8ZTLNdAk=; b=Oexpn9cIBMpSQ+crcfrmFa815HdGyHFypjAjW6UPCCyZv3PqufvGsolyLPYfeTIXVV 5lbQt58ZBjpBJHK/ymepLQr+kgzdkAv84xA+1nMJx6dRmnsVKuWMlJnFXuzhDCJkoEpN YDaY7gyT3doEAqMmySXjhYRg7VqZF+dLw+8BuHncjw6vY5Us5O+qjNjHy5RzHxIggASv JOOQWbAawFLJajsd63adOoxkZyda1zMU7FCWoL6EtRsydcp8gbNpP1UaY9YpYgrhKQhr AVcBroMEPzVdLaJQREbL3Y6kRJTooOnWIV9rbs2EhzpnYWG7TNcXGqnjSGUrNTzo3p8H iYog==
X-Received: by 10.180.106.6 with SMTP id gq6mr9870775wib.39.1433438413200; Thu, 04 Jun 2015 10:20:13 -0700 (PDT)
Received: from [192.168.1.17] ([46.120.13.132]) by mx.google.com with ESMTPSA id ei8sm6651648wjd.32.2015.06.04.10.20.11 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 04 Jun 2015 10:20:11 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <sjma8wfe7fb.fsf@securerf.ihtfp.org>
Date: Thu, 04 Jun 2015 20:20:10 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <ADC710F2-7E7F-4A14-8649-ACA60FADE03B@gmail.com>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <556F8811.2070101@cs.tcd.ie> <20150604065658.GA14531@LK-Perkele-VII> <55705C19.4040600@gmail.com> <sjma8wfe7fb.fsf@securerf.ihtfp.org>
To: Derek Atkins <derek@ihtfp.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/d7S8YnXNu2Onbki6-EcoJwN11p4>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] testability of signature input/output parameters
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2015 17:20:15 -0000

> On Jun 4, 2015, at 7:59 PM, Derek Atkins <derek@ihtfp.com> wrote:
> 
> Rene Struik <rstruik.ext@gmail.com> writes:
> 
>> Hi Ilari:
>> 
>> Just curious about your remark that deterministic signatures would
>> allow for easier testability.
>> 
>> I don't know how these tests would exactly look like, but I presume
>> these take as input some messages and public keys written in a spec
>> and then checking whether the signature output is indeed as listed in
>> the spec for the corresponding message/public key pairs {let us assume
>> that these test parameters have been confirmed independently, prior to
> 
> No, you would publish the *PRIVATE* key, the message, and the signature,
> so that you could verify that your implementation generates the exact
> same signature given the exact same inputs.
> 
> You could theoretically do this with a non-deterministic scheme as well
> if you also publish the random nonces along with the private key
> parameters.  But having a deterministic signature scheme is better,
> IMHO, because frankly some devices don't have a good source of random
> numbers.

I agree. Additionally, that test with provided nonces forces you to have aa special test path in your code.

Normally, your cryptographic library wouldn’t expose to the user that it is using random input. Consider OpenSSL’s ECDSA signing function:
  ECDSA_SIG*     ECDSA_do_sign(const unsigned char *dgst, int dgst_len, EC_KEY *eckey);

Internally this function calls whatever random number generator is either part of the library or used by it, but the user doesn’t need to worry about it.

Once you have the need to test, you need a new function. OpenSSL has that as well:
  ECDSA_SIG*     ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, 
                        const BIGNUM *kinv, const BIGNUM *rp,
                        EC_KEY *eckey);

The application doesn’t call this second function. It calls the first function. So you’re testing a function that is different from the one that you are testing.

That’s an artifact of having to test randomized signatures. There is no equivalent for, say, RSA.

Yoav

P.S. Yes, I know that the first function just calls the second function, and that the second function generates randoms if kinv and rp are NULL. But this expanded API would not exist if not for the need of testing.

v2.23.0 | Report a Bug | By Email