Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms
"David W. Kravitz" <dkravitz@trustcentral.com> Tue, 25 September 2012 16:46 UTC
Return-Path: <dkravitz@trustcentral.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F26AC21F8818 for <cfrg@ietfa.amsl.com>; Tue, 25 Sep 2012 09:46:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.328
X-Spam-Level:
X-Spam-Status: No, score=-1.328 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, HTML_MESSAGE=0.001, SARE_GIF_ATTACH=1.42]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y+fH-DUNpL0H for <cfrg@ietfa.amsl.com>; Tue, 25 Sep 2012 09:46:41 -0700 (PDT)
Received: from vms173019pub.verizon.net (vms173019pub.verizon.net [206.46.173.19]) by ietfa.amsl.com (Postfix) with ESMTP id 15BC821F8844 for <cfrg@irtf.org>; Tue, 25 Sep 2012 09:46:41 -0700 (PDT)
Received: from hatemtlaptop ([unknown] [173.66.52.63]) by vms173019.mailsrvcs.net (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009)) with ESMTPA id <0MAW00K99ZWSK2J1@vms173019.mailsrvcs.net> for cfrg@irtf.org; Tue, 25 Sep 2012 11:46:06 -0500 (CDT)
From: "David W. Kravitz" <dkravitz@trustcentral.com>
To: 'Dan Brown' <dbrown@certicom.com>, "'Igoe, Kevin M.'" <kmigoe@nsa.gov>, cfrg@irtf.org
References: <CC7768A9.EDA64%mcgrew@cisco.com> <9745FE04-5A2C-4D38-9D34-AFF3A2EC54C6@callas.org> <002801cd96b7$b7c38c80$274aa580$@trustcentral.com> <3C4AAD4B5304AB44A6BA85173B4675CA17687160@MSMR-GH1-UEA03.corp.nsa.gov> <000601cd9a69$897d3460$9c779d20$@trustcentral.com> <3C4AAD4B5304AB44A6BA85173B4675CA176901BE@MSMR-GH1-UEA03.corp.nsa.gov> <002901cd9a99$070dc870$15295950$@trustcentral.com> <810C31990B57ED40B2062BA10D43FBF50BA17E@XMB111CNC.rim.net>
In-reply-to: <810C31990B57ED40B2062BA10D43FBF50BA17E@XMB111CNC.rim.net>
Date: Tue, 25 Sep 2012 12:46:03 -0400
Message-id: <001801cd9b3d$40f6aa30$c2e3fe90$@trustcentral.com>
MIME-version: 1.0
Content-type: multipart/related; boundary="----=_NextPart_000_0019_01CD9B1B.B9E81770"
X-Mailer: Microsoft Outlook 14.0
Thread-index: AQJZjD1WbN3mB22kfgMwgvHZe2e5lAHYBuGkAN83IhkCSTqTvgGB4PPAAV1JojICFAfetQHTGd8mliUm+KA=
Content-language: en-us
Cc: john.kelsey@nist.gov, mcgrew@cisco.com, lily.chen@nist.gov
Subject: Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 16:46:44 -0000
Hi Dan and all, I can actually see a potential non- anonymity-related downside of the feature of having the same signature per message (which unlike the anonymity issue applies equally to DSA and ECDSA): If a system is configured so as to reject duplicate signatures as potential fraudulent replays, legitimate duplicates could also be rejected. Such a system configuration might be more than hypothetical, in that (as far as I know) an adversary without knowledge of the private key 'x' cannot feasibly generate additional distinct DSA/ECDSA signatures that are not in the set of signatures for that message that the adversary already has available. For reference, this is what the current draft of the I-D http://tools.ietf.org/html/draft-pornin-deterministic-dsa-01 says on this specific topic: "Deterministic signature schemes may also help in other situations, e.g. to avoid spurious duplicates, when the same data element is signed several times with the same key: with a deterministic signature scheme, the same signature is generated every time, making duplicate detection much easier. Conversely, lack of randomization may have adverse effects in some advanced protocols, e.g. related to anonymity in some voting schemes." Thanks, David From: Dan Brown [mailto:dbrown@certicom.com] Sent: Tuesday, September 25, 2012 11:24 AM To: 'David W. Kravitz'; 'Igoe, Kevin M.'; cfrg@irtf.org Cc: john.kelsey@nist.gov; mcgrew@cisco.com; lily.chen@nist.gov Subject: RE: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms Hi David and CFRG subscribers, Regarding David's question comparing the security of the HMAC_DRBG method from the I-D to David's simpler HMAC-only proposal, I don't think anybody is saying the HMAC_DRBG method is more secure (though Kevin Igoe mentions that analysis already done on HMAC_DRBG). My intuition would be that they are about the same security, for what little my intuition is worth. To further answer David's question, my understanding that one of the intuitive goals of HMAC_DRBG design, which I'm not sure is applicable here, was (a) to have a wider pipe than just HMAC and (b) that as long as HMAC_DRBG is fed enough input entropy the output entropy of its initial segment output is not limited by the security level of HMAC. (The latter is the "full entropy" notion in 90C). I'm not sure that I quite understand that goal exactly, or that HMAC_DRBG meets it, but I would hazard a bet that HMAC_DRBG could be secure on an assumption slightly milder than HMAC being PRF, which might be the only advantage of the HMAC_DRBG over the simpler HMAC-only. Put another way, one might be able to devise a pathological condition on the hash function such that HMAC is not PRF, but HMAC_DRBG is still secure. The I-D and I have raised the issue of compliance. (I should clarify myself by saying that I agree the I-D probably complies with 90A. But I think it would be nice to further comply 90C and some of the boundary concepts hinted at in ANSI X9.62-2005 but unfortunately that may not be possible). That said, given that David's solution is also secure, and more efficient, then maybe it deserves to be standardized (that was my point 7). David's mention of the key derivation function standard suggests that it could applicable here, as an alternative well-studied method. Can somebody please articulate the benefit of the feature of having the same signature per message? Perhaps the I-D itself should elaborate on this point. Is it just that some protocol picked some signature scheme with this deterministic feature, and then the protocol decided to rely on this feature, e.g. by using the signature as an stable index for the message? Curiously, a randomized ECDSA signature (r,s) can also almost provide stable index for the message m, by computing a message-index of h(m)G = sR - rQ, where R is one a just a few elliptic curve point which can be derived from r (this is similar to how the public key can almost be recovered). Best regards, Daniel Brown Research In Motion Limited
- [Cfrg] call for review: Deterministic Usage of DS… David McGrew (mcgrew)
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… Igoe, Kevin M.
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… Igoe, Kevin M.
- Re: [Cfrg] call for review: Deterministic Usage o… Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] call for review: Deterministic Usage o… Dan Brown
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… Dan Brown
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… Dan Brown
- Re: [Cfrg] call for review: Deterministic Usage o… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz
- Re: [Cfrg] call for review: Deterministic Usage o… David W. Kravitz