Re: [openpgp] Disadvantages of Salted Signatures

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 09 December 2023 15:40 UTC

Message-ID: <8b5f251f-ae52-4937-9500-ddedb9fbef73@cs.tcd.ie>
Date: Sat, 09 Dec 2023 15:40:47 +0000
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Stephan Verbücheln <verbuecheln@posteo.de>, openpgp@ietf.org
References: <077dd27cef0c7d3968967fc4c3a880081b8bd9dd.camel@posteo.de>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <077dd27cef0c7d3968967fc4c3a880081b8bd9dd.camel@posteo.de>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------06c4nnhcYU00Oy9zhdrydn02"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/4SdJy3bwiylh5d1gC4eOvSiX6Ro>
Subject: Re: [openpgp] Disadvantages of Salted Signatures
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>

Hiya,

On 09/12/2023 09:04, Stephan Verbücheln wrote:
> Alternative title: Advantages of Deterministic Signatures

Interesting that you put it both ways. A similar topic came up in the
LAKE WG, but from the other direction - in that WG there were concerns
about using deterministic signatures given potential fault injection
attacks. I started a thread on the CFRG list [1] to try to get some more
general guidance - can't say that thread ended that conclusively (it
descended a bit into some silly rancour). There was also a discussion
about adopting [2] a draft [3] that attempted to improve matters but
I'm not sure where that's at. I ended up making a few slides [4] to
try to summarise things and presented those at the subsequent CFRG meeting
(@IETF-113) but (so far at least) we've never really got clear guidance
on the general topic from crypto folks.

Cheers,
S.

[1] https://mailarchive.ietf.org/arch/msg/cfrg/Ev8hgyojKeObXMZ7SF2m3_yekMo/
[2] https://mailarchive.ietf.org/arch/msg/cfrg/wjPxMqYDeNQoVVb258geUpsDqfM/
[3] https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/
[4] https://datatracker.ietf.org/meeting/113/materials/slides-113-cfrg-signatures-deterministic-vs-randomized-00

> 
> Hello everyone
> 
> Deterministic signatures have their own value, especially with the
> increasing popularity of ECC algorithms, because these are
> particularly vulnerable to kleptographic attacks.
> 
> What is a kleptographic attack? The term kleptographic attack was
> coined by Adam Young and Moti Yung more than 25 years ago for
> discrete-logarithm-based signature schemes. [1]
> 
> A kleptographic attack can be summarized as follows:
> 1. A malicious blackbox implementation (e.g. PGP smartcard) can choose
> the nonce in a way that allows the attacker to compute the secret key
> from two signatures.
> 2. This is not news. Everyone here probably knows about nonce reuse and
> related problems. However, the attacker can generate these two nonces
> in a way that is provably impossible to detect (i.e., without breaking
> the security of a cryptographically secure pseudorandom number
> generator).
> 3. The attacker uses his own secret key which is required to detect
> malicious nonces and compute the victim's secret key.
> 4. The core requirement for this attack is that the attacker beforehand
> knows the Diffie-Hellman (DH) group parameters which are used for the
> key and signatures. While with classic DSA, each PGP key basically has
> its own DH group, elliptic-curve-based keys select one of a few
> predefined curves. This makes the attack even more feasible.
> 
> Some years ago, I wrote down how the attack works on Bitcoin
> transactions, which are basically ECDSA-signed messages.[2] The same
> can be applied to signed PGP messages.
> 
> Deterministic signatures can be helpful to detect this kind of attack.
> For instance, if a PGP key is imported into multiple smartcards, then
> they should give the same result when signing the same data.
> In fact, the current version of GnuPG is doing exactly that when using
> EdDSA (with the same timestamp).
> 
> 
> In section 13.2. (Advantages of Salted Signatures) of the draft
> draft-ietf-openpgp-crypto-refresh-12, there are two motivations
> mentioned for salted signatures.
> The first is resistance to hash collision attacks with reference to
> "SHA-1 Is A Shambles". This analysis seems to be plain wrong. I do not
> see how the salt would make collision attacks any harder, let alone
> raise the cost to second-preimage levels.
> But even if it did, this would only be relevant for almost broken hash
> algorithms which should be avoided in the first place. SHA-1 was
> reaching its end of life because 80 bits of attack complexity were no
> longer infeasible. The algorithm's additional weaknesses discovered
> by some smart cryptographers made it crack a few years earlier, but it
> would have been cracked soon anyway.
> The second motivation is resilience to fault attacks. Here, the salt
> looks to me like an effective countermeasure. However, this attack
> appears to be quite exotic and requires the attacker to have some
> access to the victim's vulnerable machine (e.g., shared cloud
> hardware).
> It further requires the victim to sign the same data over and over
> again, which is not realistic in a practical scenario on the PGP layer
> because the timestamp will be different for each signature. There is no
> point in signing the same data with the same timestamp over and over
> again because it will always have the same result. In the far-fetched
> use case where the PGP user wants to sign over and over again with the
> same timestamp but different results, he is free to add a salt to his
> data.
> 
> 
> As a conclusion, I would rather recommend against salted signatures.
> 
> Best regards
> Stephan
> 
> 
> [1] https://www.researchgate.net/publication/221354983_The_Prevalence_of_Kleptographic_Attacks_on_Discrete-Log_Based_Cryptosystems
> 
> [2] https://arxiv.org/abs/1501.00447
> 
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp