Re: [MLS] On the Insider Security of MLS

Paul Rösler <paul.roesler@rub.de> Fri, 23 October 2020 10:36 UTC

To: mls@ietf.org, Joel Alwen <jalwen@wickr.com>
References: <mailman.905.1603447209.11144.mls@ietf.org>
Cc: Jost Daniel <dajost@inf.ethz.ch>, Marta Mularczyk <mumarta@ethz.ch>
Message-ID: <ea512940-15e7-75d7-917e-ca3075edfc34@rub.de>
Date: Fri, 23 Oct 2020 12:36:43 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/e_eJjQArgypq48JbV8H6O62bFjo>

Hi Joël,

This sounds indeed promising and interesting! One point on the security
of EdDSA:

On 23.10.20 12:00, Joel Alwen <jalwen@wickr.com> wrote:
>  2) ECDSA vs. EdDSA : We found that we could have proven stronger security if
> only EdDSA were used vs. if ECDSA is permitted. ECDSA sigs produced with a bad
> PRNG (i.e. not enough entropy) can result in sigs that reveal the signing keys.
> EdDSA signatures are deterministic and so aren't susceptible to this. ECDSA can
> also be de-randomized (RFC 6979) to avoid the problem.

While EdDSA (and deterministic ECDSA) is not vulnerable to weak
randomness, it can be attacked equally devastatingly via fault attacks
(e.g., bit flips), which we demonstrate in [2]. Since attacks against
randomness and bit flips during signing can both be practical, a
compromise between the benefits of both signing variants, like XEdDSA,
could probably fit better.

Cheers,
Paul

[2] Attacking Deterministic Signature Schemes using Fault Attacks.
Poddebniak, Somorovsky, Schinzel, Lochter, Rösler.
https://eprint.iacr.org/2017/1014.pdf
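To make the trade-off in the thread concrete, here is an added toy model (not code from the thread, from MLS, or from the cited paper) that compares random, deterministic and XEdDSA-style hedged nonce derivation for ECDSA under a weak RNG and under a single-bit fault. It assumes a hash in place of the curve point multiplication, approximates the hedge as an HMAC over key, fresh randomness and digest, and models the fault as a bit flip of the digest after the nonce is fixed.

```python
import hashlib
import hmac
import secrets

# Toy ECDSA nonce model: secp256k1's group order is used for the arithmetic,
# but r = H(k) stands in for the x-coordinate of k*G (assumption, not real ECDSA).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _to_scalar(b: bytes) -> int:
    return int.from_bytes(b, "big") % N or 1


def strong_rng(n: int) -> bytes:
    return secrets.token_bytes(n)


def weak_rng(n: int) -> bytes:          # broken PRNG: always the same output
    return b"\x00" * n


def nonce_random(sk, h, rng) -> int:    # classic ECDSA: nonce from RNG only
    return _to_scalar(rng(32))


def nonce_deterministic(sk, h, rng) -> int:   # RFC 6979 / EdDSA style: PRF(key, msg)
    return _to_scalar(hmac.new(sk, h, hashlib.sha256).digest())


def nonce_hedged(sk, h, rng) -> int:    # XEdDSA-style: PRF(key, randomness, msg)
    return _to_scalar(hmac.new(sk, rng(32) + h, hashlib.sha256).digest())


def sign(sk: bytes, h: bytes, derive, rng, fault=False):
    """Return (r, s) with s = k^-1 (h + r*d) mod N; a fault flips one digest bit
    after k is chosen, so the same k is used with a different message value."""
    k = derive(sk, h, rng)
    if fault:
        h = bytes([h[0] ^ 0x01]) + h[1:]
    r = _to_scalar(hashlib.sha256(k.to_bytes(32, "big")).digest())
    s = pow(k, -1, N) * (_to_scalar(h) + r * _to_scalar(sk)) % N
    return r, s


def nonce_reused(sigs) -> bool:
    """Defender's check: two distinct signatures sharing r share the nonce k."""
    seen = {}
    for r, s in sigs:
        if r in seen and seen[r] != s:
            return True
        seen[r] = s
    return False


def scenario(derive, rng, fault: bool) -> bool:
    """Sign m1 twice (second time possibly faulted) and m2 once; report nonce reuse."""
    sk = b"\x11" * 32  # constructed test key
    h1, h2 = hashlib.sha256(b"m1").digest(), hashlib.sha256(b"m2").digest()
    sigs = [sign(sk, h1, derive, rng), sign(sk, h1, derive, rng, fault),
            sign(sk, h2, derive, rng)]
    return nonce_reused(sigs)
```

Random nonces fail only under the weak RNG, deterministic nonces fail only under the fault, and the hedged variant survives either problem alone and fails only when both occur at once.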