Re: [Cfrg] Suggestions for draft-hao-schnorr
Feng Hao <feng.hao@newcastle.ac.uk> Thu, 05 December 2013 01:38 UTC
Return-Path: <feng.hao@newcastle.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 913861ADFDC for <cfrg@ietfa.amsl.com>; Wed, 4 Dec 2013 17:38:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.479
X-Spam-Level:
X-Spam-Status: No, score=-2.479 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_17=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zUlAvVVJcvm1 for <cfrg@ietfa.amsl.com>; Wed, 4 Dec 2013 17:38:33 -0800 (PST)
Received: from cheviot12.ncl.ac.uk (cheviot12.ncl.ac.uk [128.240.234.12]) by ietfa.amsl.com (Postfix) with ESMTP id CA4CC1ADFD1 for <cfrg@irtf.org>; Wed, 4 Dec 2013 17:38:31 -0800 (PST)
Received: from exhubvm03.ncl.ac.uk ([128.240.234.7] helo=EXHUBVM03.campus.ncl.ac.uk) by cheviot12.ncl.ac.uk with esmtp (Exim 4.63) (envelope-from <feng.hao@newcastle.ac.uk>) id 1VoNtb-0008FT-CS; Thu, 05 Dec 2013 01:38:27 +0000
Received: from EXMBDB02.campus.ncl.ac.uk ([fe80::c039:e17:9d60:9f3]) by EXHUBVM03.campus.ncl.ac.uk ([fe80::517e:5471:8227:7937%10]) with mapi id 14.03.0158.001; Thu, 5 Dec 2013 01:38:14 +0000
From: Feng Hao <feng.hao@newcastle.ac.uk>
To: Robert Ransom <rransom.8774@gmail.com>
Thread-Topic: Suggestions for draft-hao-schnorr
Thread-Index: AQHO8IBlHk9RY+pkA06mEfoGUsiFw5pE1E4A
Date: Thu, 05 Dec 2013 01:38:13 +0000
Message-ID: <CEC57058.22483%feng.hao@newcastle.ac.uk>
In-Reply-To: <CABqy+srcOK0g-M+MNAVRkAFY688W_Vhg7o=1PzKTGRn5CVU5WA@mail.gmail.com>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.10.0.110310
x-originating-ip: [10.4.160.6]
Content-Type: multipart/alternative; boundary="_000_CEC5705822483fenghaonewcastleacuk_"
MIME-Version: 1.0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Suggestions for draft-hao-schnorr
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 01:38:36 -0000
Hi Robert, Thanks for the suggestions. My response is interleaved below. On 03/12/2013 23:35, "Robert Ransom" <rransom.8774@gmail.com<mailto:rransom.8774@gmail.com>> wrote: draft-hao-schnorr-00 is incorrectly labeled as describing the ‘Schnorr signature’. The protocol it describes is a non-interactive proof of knowledge of a discrete logarithm, as required by J-PAKE (and other protocols); the Schnorr signature IS NOT a proof of knowledge. Yes, I understand your concern. The term schnorr signature is often used in the literature to mean two different things: the digital signature obtained from the schnorr signing algorithm and the non-interactive ZKP. I had wanted to make it clear and explicit in the title that it refers to the latter, but I understand your point that it can still cause confusion. I've changed "Schnorr signature" to "Schnorr NIZK Proof", and have made other changes in both the Schnorr and J-PAKE I-Ds to make everything consistent, including changing SignerID to UserID. http://homepages.cs.ncl.ac.uk/feng.hao/files/draft-hao-schnorr-01-temp.html http://homepages.cs.ncl.ac.uk/feng.hao/files/draft-hao-jpake-01-temp.html I haven't uploaded them to IETF yet. I'm waiting to see if you (and others) have more comments, so that I can make changes in one go. (Hope you don't mind - I added your name in the acknowledgement.) In the notation used in the draft, the original Schnorr signature (as described by Wikipedia, ‘Applied Cryptography’, and a PDF file from somewhere on the Internet claiming to be a 1991 paper by Schnorr) uses h = H(Message || g^v). With that choice of h, an attacker can choose V with unknown discrete logarithm, choose r and Message arbitrarily, and compute the X for which the signature is valid; the attacker (and anyone else who sees the signature) will know the discrete logarithm of X with respect to V, but not with respect to g. I suggest replacing “Schnorr signature” with “Schnorr proof of knowledge” in the titles of Section 4 and the draft itself, and adding text in the draft warning about the difference between the PoK and the original signature scheme, to try to reduce the risk that someone will break a protocol by substituting the original (non-PoK) Schnorr signature for the PoK you are describing. I've replaced "Schnorr signature" with "Schnorr NIZK Proof" and added text to warn the difference between the PoK and the original Schnorr signature scheme. The difference is actually subtle, but worth mentioning, as you suggested. (I don't believe that using the original Schnorr signature in J-PAKE would break J-PAKE's security, but it's certainly not a good thing to do.) Yes, it shouldn't. Alternatively, you could use DSA for the proof of knowledge of the discrete logarithm. Think about the self-signed Certificate Signing Request that you can generate from OpenSSL using DSA. Checking the CSR is equivalent to verifying the proof-of-possession of the private key. So there are more than one way to verify the knowledge (or possession) of a private key. The Schnorr NIZK is just one of them. I prefer it only because it has easy-to-understand and widely accepted security proofs. The draft must specify that implementations MUST choose v *uniformly* at random from Z/qZ, OK. I changed "at random" to "uniformly at random". There is not much difference in the meaning, but being more explicit is good. and MUST NOT use the same v for more than one signature. (See section 2, subsection ‘Pseudorandom generation of r’ (on pages 8 and 9) of <http://ed25519.cr.yp.to/ed25519-20110926.pdf> for reasons and references.) Using a fixed v rather than at random is one of the native mistakes (one that was seen in the sony PS). But there are many other ways to make native implementation errors. We cannot enumerate all such in the I-D. I think stating that v must be chosen uniformly at random should be sufficiently clear. The draft should specify that implementations which use long-term signing keys SHOULD arrange to generate v in a secretly deterministic manner, and protocols in which long-term signing keys may need to be interoperable between implementations MUST specify the details of deterministic generation of v and storage and transport of any extra key material required for that purpose. Thanks for the suggestion. However, I feel these are outside the scope for this I-D. The secure implementation of a random number generator, and the key management of the long-term private key (which will probably need a HSM) are important, but do not seem very relevant to the discussion of the how to prove the knowledge of a discrete logarithm. These should not affect the interoperability. I hope I have addressed all your concerns. But if not, please feel free to let me know. Thanks for your constructive comments. Robert Ransom
- [Cfrg] Suggestions for draft-hao-schnorr Robert Ransom
- Re: [Cfrg] Suggestions for draft-hao-schnorr Feng Hao