Re: [MLS] On the Insider Security of MLS

Joel Alwen <jalwen@wickr.com> Mon, 26 October 2020 12:57 UTC

To: Paul Rösler <paul.roesler@rub.de>, mls@ietf.org
Cc: Jost Daniel <dajost@inf.ethz.ch>, Marta Mularczyk <mumarta@ethz.ch>
References: <mailman.905.1603447209.11144.mls@ietf.org> <ea512940-15e7-75d7-917e-ca3075edfc34@rub.de>
From: Joel Alwen <jalwen@wickr.com>
Message-ID: <ada77e27-beb3-b582-175a-dcf715a1a434@wickr.com>
Date: Mon, 26 Oct 2020 13:57:41 +0100
In-Reply-To: <ea512940-15e7-75d7-917e-ca3075edfc34@rub.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/IeG3ri2juszkqDRUWCIhIgm2y5w>

Yeah, EdDSA, and especially (randomized) ECDSA, really aren't ideal choices from
a security perspective. But I think their main advantage over other schemes
(like XEdDSA) is that they are widely implemented (at production quality) and
even part of various standards (e.g. FIPS) which people have to adhere to. For
MLS that means available implementations are a must. (That's why MLS doesn't use UPKE
like in rTreeKEM though the security benefits are clear.)

Do you happen to know if there are any alternative schemes with better
properties (like XEdDSA) that have at least some amount of production quality
implementations?

- Joël

On 23/10/2020 12:36, Paul Rösler wrote:
> Hi Joël,
> 
> this sounds indeed promising and interesting! One point on the security
> of EdDSA:
> 
> On 23.10.20 12:00, Joel Alwen <jalwen@wickr.com> wrote:
>>  2) ECDSA vs. EdDSA : We found that we could have proven stronger security if
>> only EdDSA were used vs. if ECDSA is permitted. ECDSA sigs produced with a bad
>> PRNG (i.e. not enough entropy) can result in sigs that reveal the signing keys.
>> EdDSA signatures are deterministic and so aren't susceptible to this. ECDSA can
>> also be de-randomized (RFC 6979) to avoid the problem.
> 
> While EdDSA (and deterministic ECDSA) is not vulnerable to weak
> randomness, it can be attacked equally devastatingly via fault attacks
> (e.g., bit flips), which we demonstrate in [2]. Since attacks against
> randomness and bit flips during signing can both be practical, a
> compromise between the benefits of both signing variants, like XEdDSA,
> could probably fit better.
> 
> Cheers,
> Paul
> 
> [2] Attacking Deterministic Signature Schemes using Fault Attacks.
> Poddebniak, Somorovsky, Schinzel, Lochter, Rösler.
> https://eprint.iacr.org/2017/1014.pdf
>
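As an added illustration of the trade-off discussed in this thread (example code, not from the thread or from any MLS implementation): the RFC 6979 HMAC-DRBG nonce derivation Joel refers to, which removes the dependence on a PRNG, plus the RFC's section 3.6 "additional data" hook, which lets a caller mix in fresh randomness so that two signatures over the same message no longer share a nonce, the property the fault attack in [2] relies on. The group order and private key are the constructed test parameters from RFC 6979 Appendix A.1; XEdDSA's own construction is different and is not reproduced here.

```python
import hashlib
import hmac
import os

# Constructed test parameters taken from RFC 6979 Appendix A.1 (a 163-bit group
# order and private key); only the nonce derivation is exercised, no curve math.
Q = 0x4000000000000000000020108A2E0CC0D99F8A5EF
X = 0x09A4D6792295A7F730FC3F2B49CBC0F62E862272F
QLEN = Q.bit_length()          # 163 bits
RLEN = (QLEN + 7) // 8         # 21 bytes

def bits2int(b: bytes) -> int:
    """Leftmost QLEN bits of b as an integer (RFC 6979 section 2.3.2)."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - QLEN) if blen > QLEN else v

def int2octets(v: int) -> bytes:
    return v.to_bytes(RLEN, "big")

def bits2octets(b: bytes) -> bytes:
    return int2octets(bits2int(b) % Q)

def rfc6979_nonce(msg: bytes, extra: bytes = b"") -> int:
    """Nonce k derived from (private key, message[, extra]) with HMAC-DRBG/SHA-256.
    extra == b"" is plain RFC 6979 (fully deterministic). A fresh random 'extra'
    (section 3.6) hedges: it adds entropy on top of the key/message dependence,
    so a broken RNG degrades to deterministic k rather than to a leaked key."""
    h1 = hashlib.sha256(msg).digest()
    seed = int2octets(X) + bits2octets(h1) + extra
    V, K = b"\x01" * len(h1), b"\x00" * len(h1)
    K = hmac.new(K, V + b"\x00" + seed, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + seed, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        T = b""
        while len(T) * 8 < QLEN:
            V = hmac.new(K, V, hashlib.sha256).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < Q:          # reject out-of-range candidates, as the RFC requires
            return k
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()

def hedged_nonce(msg: bytes) -> int:
    """Randomised-plus-deterministic nonce: signing the same message twice yields
    different k, so a faulted and a correct signature never share a nonce."""
    return rfc6979_nonce(msg, os.urandom(32))
```

`rfc6979_nonce(b"sample")` reproduces the SHA-256 "sample" vector from Appendix A.1.2, which is how to check an implementation of this derivation before trusting it.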