Re: [Cfrg] My thoughts on randomized signature generation
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 11 May 2020 17:38 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 665953A098A
for <cfrg@ietfa.amsl.com>; Mon, 11 May 2020 10:38:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.396
X-Spam-Level:
X-Spam-Status: No, score=-1.396 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25,
FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id IyUNdEQIBYrV for <cfrg@ietfa.amsl.com>;
Mon, 11 May 2020 10:38:30 -0700 (PDT)
Received: from mail-ot1-f54.google.com (mail-ot1-f54.google.com
[209.85.210.54])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 45B933A0854
for <cfrg@irtf.org>; Mon, 11 May 2020 10:38:30 -0700 (PDT)
Received: by mail-ot1-f54.google.com with SMTP id v17so278694ote.0
for <cfrg@irtf.org>; Mon, 11 May 2020 10:38:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=GAvgi+m/k0zDWlS/XhiI9f2bRwT1YpWg15s/vC42sIo=;
b=PwfT6tu3+w14lwtKhAdux9om6H9HcIiG0mZl5pdM6RJjrktWSSHkzHVBOnb9UBE2XU
Bc1xwIYgklAe2DqcZk2afVQrw+G/YiWProvHpOA1xpSgDzZDlu2d4qyhvEbPbzqhVvoH
+wZLWMlfwg0QOBI6n1hViKkX+brwkPZwHCPTdVCtmAnHLeQme6sF2vAUh76Dk1muWCYe
r0mtN5BzdN5a8HaFZwmzGhTGg6wKYlxJd/IaWOLnYo14MTo6Bg5uofySH5WkiES+OOb5
EMdbQmfSMluVqL0t30StVkqOpiTELD2+NoorBMcLKv2IaslRHcTN6P0gU7StorTEw8hl
67dg==
X-Gm-Message-State: AGi0PubLa76k9q4TcehNzkco1XRDwGEWowSAYvzQchOAYno2vd+X+riP
/ARoa4bwuNfUM/KomwzfRA/4ovmjx2kw+RuCbGc=
X-Google-Smtp-Source: APiQypI/IDWwq6onsZFpWCkBmIL7gXbGSfFi9Gs8pKpHmR8klAy9x7nPAF7LIBrt1AvMuZwWGdvf7Z88wxdcr6a/mnw=
X-Received: by 2002:a9d:bd1:: with SMTP id 75mr14516803oth.155.1589218709213;
Mon, 11 May 2020 10:38:29 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0c=8TTmh=_Zbf170sSxDHkSyzeTsvp2g=KZm4U19LCb7eQ@mail.gmail.com>
In-Reply-To: <CACsn0c=8TTmh=_Zbf170sSxDHkSyzeTsvp2g=KZm4U19LCb7eQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 11 May 2020 13:38:17 -0400
Message-ID: <CAMm+LwgL0SrxuYSUZ-WmxEJQTzbjWvv1tbcJ1SkrMW12Ua8Aig@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000a2189c05a562d0ce"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mzFE-F80Rhges3CFWFZvLJub2g4>
Subject: Re: [Cfrg] My thoughts on randomized signature generation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>,
<mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>,
<mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2020 17:38:52 -0000
I agree with Watson's conclusion but for the opposite reason. If you follow the MtGox saga you will know that a particular malleability attack was claimed as the reason for the disappearance of the funds. The use of deterministic signatures sets up similar opportunities for attack. While I have not identified a specific exploit, I don't see the need. It is clear that this is an area where the construction of the signature algorithm invites the relying party to rely on a property of the signature that is not actually guaranteed by the algorithm itself. That is just bad practice. The only circumstance in which I would want to be able to distinguish these specific cases is if I had bought a HSM and wanted to verify it was generating k in a principled fashion. There is a genuine problem that arises from having HSMs act non deterministically. As Moti Yung pointed out, your RSA keygen can be encrypting the random seed used to generate a key pair and using the public key itself as the side channel. So I support adding a non deterministic mode of signature generation. Recognizing the fact that once you do that, there is no way to prohibit online/offline signing and pregenerating values of k. On Tue, May 5, 2020 at 8:36 AM Watson Ladd <watsonbladd@gmail.com> wrote: > Dear participants, > > I apologize for the long delay between the virtual meeting and this > email. I'm writing to expand upon my opposition at the mike to > distinguishing between interoperable signatures based on the method of > generation. > > My opposition is rooted in the following facts: the signature > generation method doesn't introduce any incompatibility with existing > verfiers, and the existing installed verifiers expect the already > allocated codepoints. A new system using randomized generation that > doesn't use the existing codepoints will thus be incompatible. It > would of course be possible to avoid this, and the right way is simply > to use the existing codepoints rather then implement the less secure > generation method. > > Sincerely, > Watson Ladd > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] My thoughts on randomized signature genera… Watson Ladd
- Re: [Cfrg] My thoughts on randomized signature ge… Sofía Celi
- Re: [Cfrg] My thoughts on randomized signature ge… Phillip Hallam-Baker
- Re: [Cfrg] My thoughts on randomized signature ge… Phillip Hallam-Baker