[CFRG] Psychic Signatures

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 20 April 2022 17:10 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 20 Apr 2022 13:10:18 -0400
Message-ID: <CAMm+LwhBJXmtXqDbhibMOPwumzSzOvu40SXwnUXm5QgUsLW58A@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wlIuVws-pmccvbGbBrIBVBhN2GQ>
Subject: [CFRG] Psychic Signatures

I am pretty sure that we discussed these attacks at length in the design of
Ed25519 and Ed448.

CVE-2022-21449: Psychic Signatures in Java – Neil Madden
<https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/>

Given that many, many of us are going to be asked about these attacks, it
would be nice if there was a crisp and authoritative comment on the matter
from this group.

The whole point of going through this exercise, as far as I am concerned, was
that using common algorithms, common code libs, etc., minimizes the attack
surface we need to check. Ed25519 does not need to be the fastest; Ed448
does not need to present the highest work factor. The fact that the city
has one gate instead of ten makes it much harder for attackers to breach it.

So, it would be good if Oracle got the message that they should get with
the program.