Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
Dan Brown <dbrown@certicom.com> Mon, 04 May 2015 19:28 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 865D01ACE8D for <cfrg@ietfa.amsl.com>; Mon, 4 May 2015 12:28:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oNG8RshVu_pF for <cfrg@ietfa.amsl.com>; Mon, 4 May 2015 12:28:44 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 5FDBF1ACE87 for <cfrg@irtf.org>; Mon, 4 May 2015 12:28:43 -0700 (PDT)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs211cnc.rim.net with ESMTP/TLS/AES128-SHA; 04 May 2015 15:28:42 -0400
Received: from XCT114CNC.rim.net (10.65.161.214) by XCT106CNC.rim.net (10.65.161.206) with Microsoft SMTP Server (TLS) id 14.3.210.2; Mon, 4 May 2015 15:28:41 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT114CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Mon, 4 May 2015 15:28:41 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'alexey.melnikov@isode.com'" <alexey.melnikov@isode.com>
Thread-Topic: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
Thread-Index: AQHQhZJ08xNT0O/SRkGlTQPK83ulIp1qlekAgAGLRyA=
Date: Mon, 04 May 2015 19:28:41 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5DCAEDC@XMB116CNC.rim.net>
References: <5546032D.5070208@isode.com> <A4CD80B2-8E9E-4829-BA60-BD0F789DDEDB@vpnc.org>
In-Reply-To: <A4CD80B2-8E9E-4829-BA60-BD0F789DDEDB@vpnc.org>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0037_01D0867E.FFDDC670"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/zeVnyA70-uiFGEdyc_dH1xh_ZaQ>
Cc: "'cfrg@irtf.org'" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2015 19:28:47 -0000
> -----Original Message----- > From: Alexey Melnikov > > 1. CFRG should stick to randomised signature schemes only. > > 2. CFRG should adopt deterministic signature scheme only. > > 3. De-randomisation should be an optional feature for implementers to > decide upon (i.e. both choices 1 and 2 allowed). > I prefer #3, but with more specific nuance: CFRG should recommend that signers make signature ephemerals depend on the message being signed. Abstractly: signer has some secret s and computes ephemeral as k = F(s,m) for some secure function F (able to avoid any bias), whose details are to be determined. The secret s SHOULD be new, but MAY be old. It MUST be secret, and MUST be guarded to the same degree as the static signing key. It SHOULD be erased after use (i.e., instead of guarded for eternity). Only ever deviate from this if ephemeral public (kG) needs to pre-computed for low-latency signing. (Is this what some call a coupon?) In this case, the message value SHOULD be replaced by a nonce (e.g. date). Reasons (and some counter-reasons in #5) ======================================= The reasons are many, so I've added headings. 1. Actual cause of catastrophic failures ---------------------------------------- The main relevant catastrophic failure I've heard of is due to re-use of signature ephemerals across different messages. I don't know the details of why these happened (even what specifications the implementers were using), but plausible explanations of why this failure happened is: 1a. Unclear specifications and a general lack of education. 1b. Implementers trying to save a scalar multiplication. Perhaps others know another third reason 1c. Note well: point 1a is somewhat self-critical in that I've edited/commented on a few ECDSA standards, as well as written papers on ECDSA. Reason 1a can be fixed by clarifying standards and publicizing potential pitfalls. If the implementers in question had been properly informed, they would have adhered to the specifications by using proper randomization, thereby avoiding this catastrophic failure. Altering technique does not address reason 1a: if the new technique is poorly enough explained, an implementer may sidestep it too. In other words, no crypto can be foolproof. See topic #3 below. Reason 1b is not fixed by making the ephemeral key a deterministic function of the message: the implementer still has an incentive to re-use the ephemeral. 2. Hindsight patching --------------------- De-randomization is a hindsight patch, even assuming we've determined a correct cause. Although it looks like a clear fix, we should also take care and apply foresight to fix similar problems. I try to do so in the next section. 3. De-randomization is an overcorrection ---------------------------------------- De-randomization might introduce new pitfalls for an implementer to trip into: 3a.... More side channels? Suppose attacker asks a target to repeatedly re-use an ephemeral by repeatedly asking for signature on the same message. If the signer does not cache the scalar multiplication result, and the attacks has some kind of side channel acces, does the repeated exposure ampifly the risk, as in a differential side channel attack? 3b... Re-use keys more often, why not always? A naive implementer updating an existing secure signature implementation from randomized to de-randomization might observe that the de-randomized version re-uses ephemeral keys more often. They might reason that the CFRG says this is an improvement, then maybe even more re-use is better. Why not re-use all keys. Sure, we will try to explain not to such a thing! But we could also add an equivalent explanation for randomized signatures. In other words, it's not the technical differences that's more foolproof, but rather the level of instruction. 3c.... De-randomized signing key? If the CFRG recommendation is unclear to the implementers under consideration, the implementer may reason as follows: if randomization is bad for signatures, maybe I should make the long-term signing key deterministic too. Randomization is bad for signatures, right? Again, a well-intentioned, but misinformed, implementer may swing the pendulum too far in the other direction. 3d.... Increased failure to erase ephemerals? Given a deteministic signature specification, an implementer might reason that the ephemerals are derived from the long-term secret using a one-way function, and therefore (!) that is no (or less) need to erase them, or keep them within some security boundary. 3e.... Replay attacks on encryption? We want to minimize re-use ephemeral keys (and nonces) for producing ciphertexts. De-randomization of signatures (for equal messages) seems to suggest that re-use of ephemerals improves security. If the implementers carry this logic from signatures to key exchange or encryption, then they might compromise semantic security because repeated plaintexts could be rendered detectable as repeated ciphertexts. 3f.... Loss of forward secrecy? In ECDH, we want to maintain forward secrecy by not deriving from ephemerals from the static secrets. If an implementer carries over the ephemeral generation from a deterministic signing implementation, then forward secrecy will be undermined. 3g.... Decreased Schnorr message-hiding ability? Some protocols may rely on non-advertised properties of signatures. For example, consider the following definition of a message-hiding property of signatures: the only way that a signature and a public key can be used to learn anything about a message signed is to test the message under the verification algorithm. ECDSA lacks this message-hiding property: given a sequence of signatures under a public key, one can detect repeated messages, even if the repeated message are secret and unguessable, and therefore impossible to verify. Randomized Schnorr signatures seem to have better message-hiding capability: unless I am missing something. But de-randomized Schnorr signatures lose this non-standard property of signatures. This issue is similar to how we now expect collision-resistant hash functions to be like random oracles, which far exceeds their original purpose. 3h.... Provable security: more assumptions to prove unforgeability What is the effect of de-randomization on the security proofs of unforgeability? For example, the recent work of Koblitz and Menezes http://eprint.iacr.org/2015/140 in Section 7.2, touches upon this issue. In particular, they treat the case of ECDSA, and describe two de-randomized variants ECDSA* and ECDSA**, which differ in that ECDSA** does not use the static signing key to derive the ephemeral, but rather a separate indpendent alternative key. Curiously, they argue ECDSA** is at least as good as ECDSA, but they find an obstacle to making a similar argument for ECDSA*. My worry with their ECDSA**, however, is that not quite foolproof: an implementer who is likely to reuse an ephemeral may be just as likely to choose the alternative key poorly. Coron has some results about the limitations of provably security in "unique" signatures. I need to review to the details to see whether making DL signature schemes deterministic renders them "unique", or it Coron's result, or later generalizations, already extend to most DL-based signature schemes. For what little it's worth, I can think of many silly but very weak ways to deteministically derive ephemerals, which merely shows that the some basic assumptions must be made for the mechanism. Do the current proposals even have proofs? Intuitively, we know from lattice attacks on the signatures that rather slighly biases in epehemerals are risky. Furthermore, even correlations between ephemerals are risky. So, we need to be sure that a determinstically-derived ephemerals does not grant the adversary a means to induce this bias by choice of message. If you review the Kobtliz--Menezes proof for ECDSA**, then prove this using a PRF. In my limited understanding, this requires deterministic signature to rely on a stronger assumption: a PRF. By contrast, traditionally signatures only needed a very mild form of PRG, which seems like less harsh threat model than PRF because it does not permit the adversary to query any message. What about collisions? If the attacker can cause the a collision in the deterministic algorithm for generating ephemerals, then the game is over for the signer. Of this function has a key, so it is harder to find collisions than in SHA1. But if one goes to the trouble of avoiding dependence on collision-resistant hash functions like SHA1, then one may want some kind of argument that things do not rely on collision resistance. (This critique is subsumed by the earlier PRF critique: an adversary who can find a collision in a PRF wins, so it can be viewed as a more concrete example of the PRF issue.) Of course, we may well already need PRFs for privacy, but I wouldn't want to some fault in a PRF, e.g. AES, carry over into authentication. 4. What about verification? --------------------------- Signers may ignore the CFRG recommendation, but such ignorance can be detected (and tested for) if the signer generates distinct signatures on the same message. If a verifier sees two different signatures of the same method, then the verifier can deduce CFRG non-compliance. Should the verifier go a step further and reject the signatures, on the grounds of non-compliance? The only wrinkle here is that the issue of secure key generation is not very visible to other parties: it is a non-interop issue; it is purely a security issue. 5. Maybe deterministic signatures help in other ways ---------------------------------------------------- In addition to the heavily advertised property of reducing the risk of the implementaiton fault of an ephemeral re-used across different messages, deterministic signatures may help in other ways, as listed below. Note well, these arguments favor of deterministic signatures, but I do not feel they outweigh the arguments against. 5a.... Information-theoretically each signature, being derived from the private key, potentially leaks some information about the long-term static key. In deterministic signatures, the amount of leakage is potentially reduced, because no new information is available to the attacker. 5b.... As I now recall, some of the provable security arguments [Advances in ECC, Chapter 2] that I found for the security of ECDSA did require a presumption that the signature was a deterministic function of the message.
- [Cfrg] Elliptic Curves - signature scheme: random… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Hoffman
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andy Lutomirski
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… James Cloos
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Damien Miller
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Parkinson, Sean
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Lambert
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Russ Housley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Brian Smith
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Sean Turner
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Leon Gil
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov