IETF Logo Mail Archive

Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms

"Igoe, Kevin M." <kmigoe@nsa.gov> Mon, 24 September 2012 17:17 UTC

Return-Path: <kmigoe@nsa.gov>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35F3A21E8048 for <cfrg@ietfa.amsl.com>; Mon, 24 Sep 2012 10:17:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.554
X-Spam-Level:
X-Spam-Status: No, score=-9.554 tagged_above=-999 required=5 tests=[AWL=0.444, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IafSzTwCZCUS for <cfrg@ietfa.amsl.com>; Mon, 24 Sep 2012 10:17:12 -0700 (PDT)
Received: from nsa.gov (emvm-gh1-uea09.nsa.gov [63.239.67.10]) by ietfa.amsl.com (Postfix) with ESMTP id 83ABD21F8829 for <cfrg@irtf.org>; Mon, 24 Sep 2012 10:17:11 -0700 (PDT)
X-TM-IMSS-Message-ID: <77f3cb72001776b7@nsa.gov>
Received: from MSHT-GH1-UEA01.corp.nsa.gov ([10.215.227.18]) by nsa.gov ([63.239.67.10]) with ESMTP (TREND IMSS SMTP Service 7.1) id 77f3cb72001776b7 ; Mon, 24 Sep 2012 13:18:50 -0400
Received: from MSMR-GH1-UEA02.corp.nsa.gov (10.215.227.180) by MSHT-GH1-UEA01.corp.nsa.gov (10.215.227.18) with Microsoft SMTP Server (TLS) id 14.1.289.1; Mon, 24 Sep 2012 13:17:10 -0400
Received: from MSMR-GH1-UEA03.corp.nsa.gov ([10.215.224.3]) by MSMR-GH1-UEA02.corp.nsa.gov ([10.215.227.180]) with mapi id 14.01.0289.001; Mon, 24 Sep 2012 13:17:10 -0400
From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: "'David W. Kravitz'" <dkravitz@trustcentral.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms
Thread-Index: AQJZjD1WbN3mB22kfgMwgvHZe2e5lAHYBuGklmuTzgCAB1BZIIAAWUCA///I9JA=
Date: Mon, 24 Sep 2012 17:17:08 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CA176901BE@MSMR-GH1-UEA03.corp.nsa.gov>
References: <CC7768A9.EDA64%mcgrew@cisco.com> <9745FE04-5A2C-4D38-9D34-AFF3A2EC54C6@callas.org> <002801cd96b7$b7c38c80$274aa580$@trustcentral.com> <3C4AAD4B5304AB44A6BA85173B4675CA17687160@MSMR-GH1-UEA03.corp.nsa.gov> <000601cd9a69$897d3460$9c779d20$@trustcentral.com>
In-Reply-To: <000601cd9a69$897d3460$9c779d20$@trustcentral.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.215.254.27]
Content-Type: multipart/alternative; boundary="_000_3C4AAD4B5304AB44A6BA85173B4675CA176901BEMSMRGH1UEA03cor_"
MIME-Version: 1.0
Cc: "john.kelsey@nist.gov" <john.kelsey@nist.gov>, "mcgrew@cisco.com" <mcgrew@cisco.com>
Subject: Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 17:17:17 -0000

Hi David:

Thanks for the clarifications.

I have heard reports that some applications (I think it was BGPsec related, but I could easily be wrong),
like the "feature" that  Alice's signature will be the same each time she signs the same message.  (Hopefully
someone more familiar with BGPsec can verify this).

I believe your main concern is the double use of the signer's secret "x" value.   As you point out, we are
"betting the farm" that ALL of the "k"'s produced by the HMAC_DRBG are strong.  I've not seen any reason
to doubt the strength of HMAC_DRBG.

It is  unlikely that we will ever be able to prove this double usage doesn't introduce any security problems .
But I agree with the author that given the extensive analysis of the primitive's involved, the only risk is that
somehow combining the two leads to an exploitable weakness.   I agree with you and the author that this
is double usage unlikely to lead to an exploitable  weakness,  but would like more feedback from the list
on this point.

You're probably right that the use of full blown HMAC_DRBG is overly conservative, but it has the virtue of
having withstood many years of examination.  In an effort to get a design finished in a timely fashion I
suggest that we continue with the existing design.  But I also would strongly encourage you and your co-authors
to put forth a more daring and an efficient alternative design, one that will require more extensive analysis
before it is ready for adoption.


From: David W. Kravitz [mailto:dkravitz@trustcentral.com]
Sent: Monday, September 24, 2012 11:30 AM
To: Igoe, Kevin M.; cfrg@irtf.org
Cc: john.kelsey@nist.gov; mcgrew@cisco.com; pornin@bolet.org
Subject: RE: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms

Kevin,

One effect of the use of "internal state" is the prevention of HMAC_DRBG from producing repeat outputs, where "HMAC_DRBG Internal State" is defined in section 10.1.2.1 of SP 800-90A. By stating that "Note that we instantiate a new HMAC_DRBG instance for each signature generation process," the draft is indicating that internal state is not carried over (which is what I meant by "null"). Consequently, given a repeat message 'm' (i.e., repeat seed (= x || H(m) )), the output repeats. While this is not a problem in this particular application, it violates a fundamental property of a good DRBG. Furthermore, with regard to the next-output-bits-given-previous-output-bits- uncertainty property of a good DRBG, if the output for a single message 'm' becomes known, all other outputs are not only distinguishable from the output of a truly random function, but are actually computable. This is due to the "double use" of the private key 'x' for generation of 'k' and for generation of 's' from 'k'. Since we don't require the use of a DRBG in this (EC)DSA application, we can use HMAC directly (with 'x' as the HMAC key, and H(m)||Counter as the HMAC'ed data, where Counter is used in conjunction with FIPS PUB 186-3 B.2.1 or B.2.2).

Note that the use of deterministic generation of 'k' (whether done as in the current draft, or the suggested simplified version, or based on a block cipher instead of HMAC) has an additional potential non-repudiation advantage not previously explicitly mentioned: It could make it more difficult to plausibly disavow signatures on the basis of leakage of 'x' due to low entropy 'k'.

Thanks,
David

From: Igoe, Kevin M. [mailto:kmigoe@nsa.gov]
Sent: Monday, September 24, 2012 10:21 AM
To: 'David W. Kravitz'; cfrg@irtf.org
Cc: john.kelsey@nist.gov; mcgrew@cisco.com
Subject: RE: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms

David:

  I'm having a hard time parsing the last two sentences of the first paragraph.  Would you be kind
enough to rephrase them for me?

1) As far as I can see this draft instantiates the HMAC_DRBG using the seed (= x || H(M) ) in
precisely the correct manner.  I miss where they have strayed from the standard.

2) I'm not  sure what you mean by "null internal state".

Clearly I am misinterpreting what you are trying to say.

From: cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org> [mailto:cfrg-bounces@irtf.org]<mailto:[mailto:cfrg-bounces@irtf.org]> On Behalf Of David W. Kravitz
Sent: Wednesday, September 19, 2012 6:40 PM
To: cfrg@irtf.org<mailto:cfrg@irtf.org>
Cc: john.kelsey@nist.gov<mailto:john.kelsey@nist.gov>; mcgrew@cisco.com<mailto:mcgrew@cisco.com>
Subject: Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms

Hi all,

Comments below.

Thanks,
Jon Callas, David W. Kravitz, and Phil Zimmermann

The required security attributes for the safe use of HMAC in this draft are more nuanced than the description currently conveys.  Consider the following two excerpts of the draft from the Security Considerations (section 5): "Security relies on whether the generation of 'k' is indistinguishable from the output of a Random Oracle.  Roughly speaking, HMAC_DRBG is secure in that role as long as HMAC behaves as a PRF (Pseudo-Random Function)."   "One remaining issue with deterministic (EC)DSA, as presented in this document, is the "double use" of the private key 'x', both as private key in the signature generation algorithm itself, and as input to the HMAC_DRBG-based pseudo-random oracle for producing the 'k' value.  This requires HMAC_DRBG to keep on being a random oracle, even when the public key (which is computed from 'x') is also known.  Given the lack of common structure between HMAC and discrete logarithm, this seems a reasonable assumption." Any discussion in the literature of "random oracle" is typically with respect to "a publicly accessible random function" (as, for example, in "Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology," by U. Maurer, R. Renner, and C. Holenstein, ftp://ftp.inf.ethz.ch/pub/crypto/publications/MaReHo04.pdf). But as HMAC_DRBG is specified in the draft document (with null internal state per "Note that we instantiate a new HMAC_DRBG instance for each signature generation process," and "double use" of the private key 'x'), given any single output of HMAC_DRBG, all other outputs are completely distinguishable from the output of an arbitrary truly random function. In other words, given a single 'k' value that was generated using HMAC_DRBG as specified, any other 'k' value(s) recovered from 's' by using 'r', 'H(m)' and the no-longer-private value of 'x' can be determined as having been generated using HMAC_DRBG as specified. Note that even if no values of 'k' are disclosed, the use of null internal state would be problematic in an application relying on a DRBG where repeated outputs are unacceptable.

So, given that neither (pseudo-)random oracle nor the next-output-bits-given-previous-output-bits- uncertainty property of DRBG is achieved within the context of the actual (EC)DSA application, we can use a simpler formulation here. An example of such is HMAC('x', H(m)||Counter), where Counter is reinitialized for each signature generation process instance and potential bias is addressed by deriving 'k' using  a single Counter value as in [FIPS PUB 186-3] B.2.2 (Per-Message Secret Number Generation by Testing Candidates), or multiple Counter values are used as in B.2.1 (Per-Message Secret Number Generation Using Extra Random Bits).

Note that in the case where multiple entities have knowledge of 'x' (which may complicate non-repudiation), deterministic generation of 'k' has the effect that the potential subliminal/covert channel is replaced by a MAC property. That is, any entity with knowledge of 'x' can verify the integrity of 'm' using 's' while ignoring both the transmitted value of 'r', and 'y' or 'U' (where y = g^x mod p in DSA or U = xG in ECDSA).

It might also be prudent to indicate in the Security Considerations section that the use of wholly deterministic generation of 'k', while not adversely affecting the security of (EC)DSA itself and enabling an implementation to be safely tested using dummy values of 'x', may have a deleterious effect against resistance to side-channel attacks such as DPA (as opposed to "masking" using a true RNG).


From: "David McGrew (mcgrew)" <mcgrew@cisco.com<mailto:mcgrew@cisco.com>>
Subject: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms
Date: September 13, 2012 7:40:41 AM PDT
To: "cfrg@irtf.org<mailto:cfrg@irtf.org>" <cfrg@irtf.org<mailto:cfrg@irtf.org>>

Hi,

Thomas has updated his individual submission on deterministic [EC]DSA.   I think this is useful work that deserves to move forward to RFC, and that the research group should support it (based on my own opinion and the positive feedback on the list regarding version -00).   Please take a look at the draft if you have an opinion on digital signatures, and let Thomas know if you have constructive criticism.   Verification of the test cases, and review of the security considerations, would be especially helpful.

Thanks,

David

<http://tools.ietf.org/html/draft-pornin-deterministic-dsa-01>
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
http://www.irtf.org/mailman/listinfo/cfrg

v2.14.0 | Report a Bug | By Email