Re: [Cfrg] Suggestions for draft-hao-schnorr

Feng Hao <feng.hao@newcastle.ac.uk> Thu, 05 December 2013 01:38 UTC

Return-Path: <feng.hao@newcastle.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 913861ADFDC for <cfrg@ietfa.amsl.com>; Wed, 4 Dec 2013 17:38:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.479
X-Spam-Level:
X-Spam-Status: No, score=-2.479 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_17=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zUlAvVVJcvm1 for <cfrg@ietfa.amsl.com>; Wed, 4 Dec 2013 17:38:33 -0800 (PST)
Received: from cheviot12.ncl.ac.uk (cheviot12.ncl.ac.uk [128.240.234.12]) by ietfa.amsl.com (Postfix) with ESMTP id CA4CC1ADFD1 for <cfrg@irtf.org>; Wed, 4 Dec 2013 17:38:31 -0800 (PST)
Received: from exhubvm03.ncl.ac.uk ([128.240.234.7] helo=EXHUBVM03.campus.ncl.ac.uk) by cheviot12.ncl.ac.uk with esmtp (Exim 4.63) (envelope-from <feng.hao@newcastle.ac.uk>) id 1VoNtb-0008FT-CS; Thu, 05 Dec 2013 01:38:27 +0000
Received: from EXMBDB02.campus.ncl.ac.uk ([fe80::c039:e17:9d60:9f3]) by EXHUBVM03.campus.ncl.ac.uk ([fe80::517e:5471:8227:7937%10]) with mapi id 14.03.0158.001; Thu, 5 Dec 2013 01:38:14 +0000
From: Feng Hao <feng.hao@newcastle.ac.uk>
To: Robert Ransom <rransom.8774@gmail.com>
Thread-Topic: Suggestions for draft-hao-schnorr
Thread-Index: AQHO8IBlHk9RY+pkA06mEfoGUsiFw5pE1E4A
Date: Thu, 5 Dec 2013 01:38:13 +0000
Message-ID: <CEC57058.22483%feng.hao@newcastle.ac.uk>
In-Reply-To: <CABqy+srcOK0g-M+MNAVRkAFY688W_Vhg7o=1PzKTGRn5CVU5WA@mail.gmail.com>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.10.0.110310
x-originating-ip: [10.4.160.6]
Content-Type: multipart/alternative; boundary="_000_CEC5705822483fenghaonewcastleacuk_"
MIME-Version: 1.0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Suggestions for draft-hao-schnorr
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 01:38:36 -0000

Hi Robert,

Thanks for the suggestions. My response is interleaved below.

On 03/12/2013 23:35, "Robert Ransom" <rransom.8774@gmail.com<mailto:rransom.8774@gmail.com>> wrote:

draft-hao-schnorr-00 is incorrectly labeled as describing the ‘Schnorr
signature’.  The protocol it describes is a non-interactive proof of
knowledge of a discrete logarithm, as required by J-PAKE (and other
protocols); the Schnorr signature IS NOT a proof of knowledge.


Yes, I understand your concern. The term schnorr signature is often used
in the literature to mean two different things: the digital signature obtained from the schnorr signing algorithm and the non-interactive ZKP.

I had wanted to make it clear and explicit in the title that it refers to the latter, but I understand your point that it can still cause confusion. I've changed "Schnorr signature" to "Schnorr NIZK Proof", and have made other changes in both the Schnorr and J-PAKE I-Ds to make everything consistent, including changing SignerID to UserID.

http://homepages.cs.ncl.ac.uk/feng.hao/files/draft-hao-schnorr-01-temp.html

http://homepages.cs.ncl.ac.uk/feng.hao/files/draft-hao-jpake-01-temp.html

I haven't uploaded them to IETF yet. I'm waiting to see if you (and others) have more comments, so that I can make changes in one go.

(Hope you don't mind - I added your name in the acknowledgement.)


In the notation used in the draft, the original Schnorr signature (as
described by Wikipedia, ‘Applied Cryptography’, and a PDF file from
somewhere on the Internet claiming to be a 1991 paper by Schnorr) uses
h = H(Message || g^v).  With that choice of h, an attacker can choose
V with unknown discrete logarithm, choose r and Message arbitrarily,
and compute the X for which the signature is valid; the attacker (and
anyone else who sees the signature) will know the discrete logarithm
of X with respect to V, but not with respect to g.

I suggest replacing “Schnorr signature” with “Schnorr proof of
knowledge” in the titles of Section 4 and the draft itself, and adding
text in the draft warning about the difference between the PoK and the
original signature scheme, to try to reduce the risk that someone will
break a protocol by substituting the original (non-PoK) Schnorr
signature for the PoK you are describing.

I've replaced "Schnorr signature" with "Schnorr NIZK Proof" and added text to warn the difference between the PoK and the original Schnorr signature scheme. The difference is actually subtle, but worth mentioning, as you suggested.


(I don't believe that using the original Schnorr signature in J-PAKE
would break J-PAKE's security, but it's certainly not a good thing to
do.)


Yes, it shouldn't. Alternatively, you could use DSA for the proof of knowledge of the discrete logarithm. Think about the self-signed Certificate Signing Request that you can generate from OpenSSL using DSA. Checking the CSR is equivalent to verifying the proof-of-possession of the private key.

So there are more than one way to verify the knowledge (or possession) of a private key. The Schnorr NIZK is just one of them. I prefer it only because it has easy-to-understand and widely accepted security proofs.


The draft must specify that implementations MUST choose v *uniformly*
at random from Z/qZ,

OK. I changed "at random" to "uniformly at random". There is not much difference in the meaning, but being more explicit is good.

and MUST NOT use the same v for more than one
signature.  (See section 2, subsection ‘Pseudorandom generation of r’
(on pages 8 and 9) of <http://ed25519.cr.yp.to/ed25519-20110926.pdf>
for reasons and references.)

Using a fixed v rather than at random is one of the native mistakes (one that was seen in the sony PS). But there are many other ways to make native implementation errors. We cannot enumerate all such in the I-D. I think stating that v must be chosen uniformly at random should be sufficiently clear.

The draft should specify that
implementations which use long-term signing keys SHOULD arrange to
generate v in a secretly deterministic manner, and protocols in which
long-term signing keys may need to be interoperable between
implementations MUST specify the details of deterministic generation
of v and storage and transport of any extra key material required for
that purpose.


Thanks for the suggestion. However, I feel these are outside the scope for this I-D. The secure implementation of a random number generator, and the key management of the long-term private key (which will probably need a HSM) are important, but do not seem very relevant to the discussion of the how to prove the knowledge of a discrete logarithm. These should not affect the interoperability.

I hope I have addressed all your concerns. But if not, please feel free to let me know. Thanks for your constructive comments.



Robert Ransom