Re: [openpgp] Disadvantages of Salted Signatures

Stephan Verbücheln <verbuecheln@posteo.de> Sun, 10 December 2023 13:46 UTC

Return-Path: <verbuecheln@posteo.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37D80C239600 for <openpgp@ietfa.amsl.com>; Sun, 10 Dec 2023 05:46:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qqm1q3BX-Rkb for <openpgp@ietfa.amsl.com>; Sun, 10 Dec 2023 05:46:41 -0800 (PST)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7634C14CE27 for <openpgp@ietf.org>; Sun, 10 Dec 2023 05:46:39 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id F2D42240028 for <openpgp@ietf.org>; Sun, 10 Dec 2023 14:46:36 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1702215997; bh=K0/u0O/6VIeAC9uUId9t03dclRsyKalU2lQZWUqDYq4=; h=Message-ID:Subject:From:To:Date:Content-Transfer-Encoding: MIME-Version:From; b=Q8UowfKwSS5ageMleBfFk6kWx1CNiDdSkTK/YXMZh2IOfr4VMQBEH56PSIJK04z/B wUswWCCBc6EM7zaAXrzhnXX2qwpZcPPzSkq1PtzUyaA4eC1UE/12p6+AIXG6Uokg84 GElJdBrI6DZEhkzzQrUVr3j6IRiuJKhhxAp6BE9UISBCZaWCiDdI0cIxnRE9+pUZoD hDEQdBSg0tmhCDdDMiYxSu9a1KaRJzdODgHn4OKoDCS4r4JrDt2YtaHB0/uVcwWhDM 2qqUJV4K0mYjLVdgcblGWS/D4LCU5y1m9hbkxFGtzVL1XNUqUViGoMca66Wjw1DJg4 Nfzsglxw3KK1Q==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4Sp5l03z20z9rxL for <openpgp@ietf.org>; Sun, 10 Dec 2023 14:46:36 +0100 (CET)
Message-ID: <709995498037ba59fb1a14d75ffa819702566d83.camel@posteo.de>
From: Stephan Verbücheln <verbuecheln@posteo.de>
To: openpgp@ietf.org
Date: Sun, 10 Dec 2023 13:46:35 +0000
In-Reply-To: <8b5f251f-ae52-4937-9500-ddedb9fbef73@cs.tcd.ie>
References: <077dd27cef0c7d3968967fc4c3a880081b8bd9dd.camel@posteo.de> <8b5f251f-ae52-4937-9500-ddedb9fbef73@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ML3tEwaraQTeItMfsJ9CE8yZ3Go>
Subject: Re: [openpgp] Disadvantages of Salted Signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Dec 2023 13:46:45 -0000

Hello Stephen

Thank you for the interesting references. Some of the comments sound
like there were many things wrong with deterministic signatures.
However, after reading various threads, it all came down back to the
fault attack. I could not find any reference to other problems of
deterministic signatures.

2022-01-25 at 10:19 -0500, Rene Struik wrote [on lake@ietf.org]:
> With IoT-style devices, such errors can be quite easily created (via
> so-called glitches). Moreover, these errors can be created in such a
> way that, even if one were to only release a signature that was just
> produced after first checking this via ordinary signature
> verification (at ~3x the signing cost)), this would still not help:
> the attack can be tweaked to foil this countermeasure. The culprit
> here is the determinism in the signing operation. There are non-fault
> attacks as well, but single-fault attacks are the most lethal, since
> do not require any SCA-attack expertise except putting a
> computational error spoke in the wheel.
> While most fault attacks described in the literature assume physical 
> access to the device, some can be carried out remotely (e.g.,
> spin-offs of the so-called Rowhammer attack). Most attacks are
> non-destructive, i.e., can be carried out without destroying the
> device at all: in other words, equipment users would not necessarily
> notice.

This does not sound plausible to me. Why should IOT-style devices be
more vulnerable to fault attacks? The attack scenario for a fault
attack like Rowhammer is shared hardware, for instance malicious
software on a workstation or server, or malicious servers in a shared
virtualization environment.

If IOT-style devices are known for anything, then it is for bad random
number generators. Especially IOT-style devices will have trouble to
securely choose random salts and nonces. They profit from the
deterministic nonce in EdDSA.

This all sounds like some people got scared by a single attack which is
real but relatively exotic, and now argue basic cryptography parameters
because they could make such an attack harder, even those measures are
not addressing the real hardware problems in the first place. In my
opinion, the scenario is exotic (at least for the PGP use case) because
it requires signing of the same data with the same timestamp multiple
times.

What I am missing is a balanced discussion about the costs and benefits
of deterministic vs. salted signatures in the PGP use case.

Regards
Stephan