Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
Nico Williams <nico@cryptonector.com> Mon, 11 May 2015 15:23 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7BC61A8F37 for <cfrg@ietfa.amsl.com>; Mon, 11 May 2015 08:23:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level:
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L8L8jCMrljEG for <cfrg@ietfa.amsl.com>; Mon, 11 May 2015 08:23:21 -0700 (PDT)
Received: from homiemail-a96.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id B37D51A8F33 for <cfrg@irtf.org>; Mon, 11 May 2015 08:23:21 -0700 (PDT)
Received: from homiemail-a96.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a96.g.dreamhost.com (Postfix) with ESMTP id CAD433B807B; Mon, 11 May 2015 08:23:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=U6sdEiTgITa3oY zD1NaWtrIXglE=; b=OWz1h7onJ6vqPWEpWTa5nh4MHtUGFqLQGV3A/mgPWVBEwT eX7+KPvBQ8aDxCgPZkXDVDK922Pjh4k1slj935Aj/TV0A14hvsOPUA42Vffam4Lv kZyt6bQRlTrj7dSLxcjv15l1dPwZYQfBHtG6lP5vwKcgC9R2DIH3srYeeSmEQ=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a96.g.dreamhost.com (Postfix) with ESMTPA id 901E83B8077; Mon, 11 May 2015 08:23:18 -0700 (PDT)
Date: Mon, 11 May 2015 10:23:15 -0500
From: Nico Williams <nico@cryptonector.com>
To: Andrey Jivsov <crypto@brainhub.org>
Message-ID: <20150511152314.GG7287@localhost>
References: <5546032D.5070208@isode.com> <EE0F9CDF-7B62-4950-A708-EAC071FCAE4F@shiftleft.org> <5549D23F.5000107@brainhub.org> <20150506093204.GA26785@LK-Perkele-VII> <55504D2E.8030709@brainhub.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <55504D2E.8030709@brainhub.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lam6Cb0m7oKa7zjJ6zPxjKf8wwE>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2015 15:23:23 -0000
On Sun, May 10, 2015 at 11:33:18PM -0700, Andrey Jivsov wrote: > I agree that signing algorithms like ECDSA are sensitive to the > leaking of a few bits of nonces per signature. However, a secure > DRBG/KDF used throughout is considered mandatory nowadays. Nonces, > long-term key generation, IVs, session keys, etc, should be obtained > via good DRBG/PRF anyway. "Sure, and I want a pony too." Statefulness is difficult to implement. Consider OpenSSL. Till now OpenSSL has thankfully not needed to use file locking. If it had to... The thought of OpenSSL using POSIX file locking makes me shudder with fear. As it is one really does not need to worry too much about N copies of OpenSSL in one process (besides some of those N being out of date) for N>1 -- just make sure that the right version is loaded and linked at run-time for each dependent. Or consider any other software implementation. To make it work reliably one would really need an IPC mechanism to talk to a daemon so it does all the signing because then it can have a single lock around the signing state. Even accepting that complication, compare the result to a deterministic, state-less signature function! (This is not even considering the difficulty in synchronously updating persistent state, or arranging to be able to survive occasional failures to do so.) Test vectors go out the window, unless we specify every detail of state keeping so that the state can be made explicit... further complicating implementations _and_ applications. > Your list got me thinking regarding the issue of fault attacks on > deterministic signatures. > > I will use the EdDSA as an example. Consider an EdDSA signing on a > smartcard. > > EdDSA algorithm, in its canonical version, includes a message M in > the calculation of the hash twice: once to calculate the ephemeral > private value r for R=r*G, and second, to calculate a multiple of > the long-term private signing key 'a' during the calculation of S. > {R,S} is the signature. Assume that a smartcard signature > implementation requires transfer of the M to the smartcard twice, > due to limited memory on the smartcard and that the EdDSA > cryptographically enforces that the two hashing operations are > performed sequentially. As a result, the signing operation provides > a reliable method to affect the second hashing, but not the first. A > user (or malware) can change the M to M' at the appropriate moment, > affecting the second hashing, which should be a realistic task with > a sufficiently large message. > > The second hashing in the EdDSA algorithm is done over data that the > user knows, specifically, H'=Hash(R, A, M'). It can be observed that > one valid signature and one invalid, generated as described above, > will recover the private key 'a'. Hint: the deterministic r remains > the same and is canceled out by subtraction. This can be fixed by replacing M with H(M) in the second hash, since H(M) will be of fixed size and the smartcard can compute it as it computes the first hash. Perhaps we should add 'online' to the list of required attributes (which so far should be: deterministic, and state-less). Nico --
- [Cfrg] Elliptic Curves - signature scheme: random… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Hoffman
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andy Lutomirski
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… James Cloos
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Damien Miller
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Parkinson, Sean
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Lambert
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Russ Housley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Brian Smith
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Sean Turner
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Leon Gil
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov