IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

Watson Ladd <watsonbladd@gmail.com> Fri, 08 May 2015 13:14 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B57E1A0196 for <cfrg@ietfa.amsl.com>; Fri, 8 May 2015 06:14:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.329
X-Spam-Level: ****
X-Spam-Status: No, score=4.329 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FB_INCREASE_VOL=3.629, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ivN4Jm7DrTE for <cfrg@ietfa.amsl.com>; Fri, 8 May 2015 06:14:42 -0700 (PDT)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACF971A0141 for <cfrg@irtf.org>; Fri, 8 May 2015 06:14:41 -0700 (PDT)
Received: by wizk4 with SMTP id k4so29322956wiz.1 for <cfrg@irtf.org>; Fri, 08 May 2015 06:14:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=lOyjcXWSIDXtgsurOKX+ccik8RvTIjcnKx/+f8uPfn4=; b=Z9U5tX5MWARcsQCPsFGiKr70g3G/oUtEuJfHlLNgtax/SPntxz+8LiKMXN9kInemUr UwrFSWG6hTGU2U3fk+Uo73ZbHKp3FHzS6shykahyQe+vr8T00jxS83da5JWmQC52q6Ri z7n2ipeAUDONJ7aKVux1LbUIF5PXrQ/Pi1yBAiXmx+59rbjI/kcmvA6nekDp2Oe/zLZM HxN8JuIzUfhAALfjArgzREEEpop4GtKjtrCdRUq5JxpYgTuc9unkS9hhV0lM+lryKiTZ xb4xxOmw91vwWZHlYAaFYYBTPZHO6k1cKsLOeqFq9Nr0cfbZItAmX7PHYSBM1DCqzHeP Lizg==
MIME-Version: 1.0
X-Received: by 10.194.157.225 with SMTP id wp1mr7223575wjb.32.1431090880391; Fri, 08 May 2015 06:14:40 -0700 (PDT)
Received: by 10.194.20.97 with HTTP; Fri, 8 May 2015 06:14:40 -0700 (PDT)
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5DCC801@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5DCAEDC@XMB116CNC.rim.net> <20150505152258.31923.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5DCBA9C@XMB116CNC.rim.net> <CACsn0c=TWiNaCZC2O2CvRqO-tZgYnCwEzAsXqnX2FzutBFMi-w@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF5DCC801@XMB116CNC.rim.net>
Date: Fri, 08 May 2015 06:14:40 -0700
Message-ID: <CACsn0ck8Ni_wz-_BbD++UaagK5Oc7+hfm_S+hpRN+e3ZvneQXA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/fMm2ryWt8PqKsN-XYwdI-M8Od5s>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "djb@cr.yp.to" <djb@cr.yp.to>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2015 13:14:44 -0000

On May 7, 2015 8:45 AM, "Dan Brown" <dbrown@certicom.com> wrote:
>
>
> > -----Original Message-----
> > From: Watson Ladd [mailto:watsonbladd@gmail.com]
> >
> > On Wed, May 6, 2015 at 8:39 AM, Dan Brown <dbrown@certicom.com>
> > wrote:
> > > Accordingly, I now amend my proposal to k = F(m,a,t) where F is some
> > > to-be-specified cryptographically strong deterministic function, m is
> > > the message, a is the actual long-term (signing) key, and t is a
> > > temporal value (tweak/nonce), preferably secret and unpredictable, or at
> > least non-repeating, optionally fixed (including empty: reducing the signature
> > scheme to an outright deterministic signature scheme), and not under any
> > influence from an adversary.
> >
> > I think that if we worry about kleptography, t should not be used.
>
> [DB] Good catch.  So, that cost should be weighed against the gains from using t.
>
> Just to expand: is your concern about the following kleptographic malware? The malware lets multiple t values be generated (honestly), say t_1, t_2, ... t_n, and then search the corresponding k_1, ..., k_n for a value k_i that suffers from bias needed to make a lattice attack work? The kleptographic malware then lets k=k_i through to per a normal signature.

Exactly.

>
> >
> > >
> > > When k is used in signatures, this approach could be called tweakably
> > deterministic signatures, although I would prefer to call it message-dispersed
> > signatures (to avoid the silly pitfall I mentioned of over-generalizing the value
> > of determinism in key generation).
> > >
> > > The changes my previous proposal have brought my current proposal closer
> > to deterministic signatures than to purely randomized signatures. The tweak
> > value t helps to address some of the potential pitfalls of purely deterministic
> > signatures that I listed in my previous email.  Please let me know if you think
> > the cost of tweaking outweighs the gains I described.
> > >
> > > So, I'm not intending to be critical of deterministic signatures, or to
> > support/defend past pure PRNG-based or underspecified randomized
> > signatures, but rather to be in support something slightly securer than either,
> > by combining the good features of both randomized and deterministic
> > signatures.  Yet more reasons and responses in-line below.  So, please take
> > them with a grain of salt, and read them in the light of trying make things
> > securer.
> >
> > How is this proposal more secure, i.e. what properties does it have, that
> > protocols rely on, that EdDSA doesn't?
> >
> [DB] Maybe I was unclear above: the tweak tries to address the issues I labelled 3a..3h in the first email I sent.  If you have time to spare, then please consider these issues.  I think you know that Bernstein responded to 3a...3h already, so I would fully understand if you didn't want to waste any time.

As far as I can tell, only 3a and 3h involves anything that actually
can be analyzed. And the results in 3h, knowing that ROM=>PRF and we
need ROM (or generic group model) for Schnorr security, are not good
for your position. (I don't know if generic group implies PRF exists,
and my earlier comment on PRF->collision was completely bogus, when
looking at multiple queries) 3a is actually a reasonable argument, but
there are quite a few cases where power analysis doesn't matter.

>
> >
> > Let me see if I have this correct. You're arguing that an implementor, told to
> > compute k=F(m, x), and go through some more steps, will skip that step. Fine:
> > they evidently skipped the random number generation step. But at that point
> > we might as well specify an implementor who skips over comparison steps in
> > signature verification.
>
> [DB] Wasn't there were real world examples (goto fail???) of signature verification steps being accidentally skipped?  I'm trying to see if the point of your paragraph is to compare realisms of two failure modes, or to just give up on protecting against attack X because we cannot protect against attack Y. ASIDE: implicit certificates, e.g. SEC4 (includes IPR), can _sometimes_ address this failure to verify a cert, because of instead of a verification step to miss it absorbs the authentication right into the use of the public key.

No, it's to point out that once you assume the implementor isn't
reading the spec, there is nothing you can do. I don't see how your
proposal makes this better. In fact it makes it worse in a number of
ways, and makes implementations more complicated.

First, you are proposing that the "implementation" include a DRGB,
that gets instantiated once, and called multiple times. That's
incompatible with threads in C, unless the library author forces
applications to call per-thread initialization functions, etc, etc. Of
course, encryption libraries essentially need to do this, but there's
a workaround: open /dev/urandom once, and use the fact that read is a
threadsafe system call. Some operating systems have a systemwide
random number generator that is a single, nonfailing, call. Libraries
that require randomness can use it. But that's not all operating
systems. Some CPUs have an instruction that can be used to generate
random data. But that isn't universal.

Once we decide to make a DRGB, with the possibility of injecting
seeds, applications have to remember not to do this, but to seed the
DRGB correctly before using. But now we have a Big Red Button, which
if pushed utterly destroys security. Libraries that require strong
randomness should use standard system provided means to obtain it, and
should not offer alternatives with no security. Fork security, and VM
restarts are good reasons not to do this. (Passing in a secret key for
testing does not have this problem: it's exactly the same interface as
used when using the code not in testing).

With your amended proposal, signatures remain secure even with bad
randomness (unless we have kleptographic bugs, induced by our good
friends at Fort Mead). So what exactly is the point of having all this
extra code lying around, and dependencies on randomness?

Of course, you've stated that implementors should be permitted to make
deterministic signatures instead, but we should warn people that this
is less secure and not recommended. Instead we should recommend design
decisions which weaken, not strengthen, security, increase the volume
of code to be written, and make certain design decisions impossible.

Sincerely,
Watson Ladd

v2.23.0 | Report a Bug | By Email