Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

Hanno Böck <hanno@hboeck.de> Sun, 07 August 2016 06:57 UTC

Return-Path: <hanno@hboeck.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09C3D12D09A for <tls@ietfa.amsl.com>; Sat, 6 Aug 2016 23:57:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NxlksvEcQp72 for <tls@ietfa.amsl.com>; Sat, 6 Aug 2016 23:57:24 -0700 (PDT)
Received: from zucker2.schokokeks.org (zucker2.schokokeks.org [178.63.68.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3201512B03D for <tls@ietf.org>; Sat, 6 Aug 2016 23:57:23 -0700 (PDT)
Received: from pc1 (wsip-24-120-54-20.lv.lv.cox.net [::ffff:24.120.54.20]) (AUTH: LOGIN hanno-default@schokokeks.org, TLS: TLSv1/SSLv3, 256bits, ECDHE-RSA-AES256-GCM-SHA384) by zucker.schokokeks.org with ESMTPSA; Sun, 07 Aug 2016 08:57:20 +0200 id 0000000000000051.0000000057A6DBD0.00001AF8
Date: Sat, 6 Aug 2016 23:57:16 -0700
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno@hboeck.de>
To: tls@ietf.org
Message-ID: <20160806235716.726a0e4e@pc1>
In-Reply-To: <CAFewVt5CyooWhOWHwD+sLv9qVqS8YQJMnFLRFbLZtJVVDF6RvQ@mail.gmail.com>
References: <CAFewVt5CyooWhOWHwD+sLv9qVqS8YQJMnFLRFbLZtJVVDF6RvQ@mail.gmail.com>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-6904-1470553040-0001-2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4StoFPru-RwaKyweMAT4NLbYHD4>
Subject: Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Aug 2016 06:57:27 -0000

Hi,

On Sat, 6 Aug 2016 18:54:56 -1000
Brian Smith <brian@briansmith.org>; wrote:

> Also, I think it would be great if people working on proofs of
> security for TLS could take into consideration the fact that
> some--perhaps many--implementations will intentionally or accidentally
> use some form of deterministic or less-than-random salt generation for
> RSA-PSS. For example, it would be great to see a "What if the salt(s)
> in the RSA PSS signature(s) were generated deterministically?" section
> of papers describing such proofs.

Actually there is some info on that in the PSS spec [1]. What I write
here is my limited understanding, but roughly I'd interpret it as this:
It says that if you use a non-random salt the security gets reduced to
the security of full domain hashing, which was kinda the predecessor of
PSS.
I'd conclude from that that even in a situation where the salt
generation is a non-random value nothing really bad happens. The
security of a PSS scheme without randomness is still better than that
of a PKCS #1 1.5 signature.

Maybe some more knowledgable people want to add something, but the
bottom line is I think that we don't need to worry too much about the
randomness part here. Unlike with other situations (e.g. ecdsa/dsa) the
randomness is not a piece that once you take it away everything blows
up.


[1] https://tools.ietf.org/html/rfc3447

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42