Re: [TLS] TLS 1.3: Deterministic RSA-PSS and ECDSA

Rene Struik <rstruik.ext@gmail.com> Sun, 07 August 2016 15:41 UTC

To: Hanno Böck <hanno@hboeck.de>, tls@ietf.org
References: <CAFewVt5CyooWhOWHwD+sLv9qVqS8YQJMnFLRFbLZtJVVDF6RvQ@mail.gmail.com> <20160806235716.726a0e4e@pc1>
From: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <782287ea-f491-0298-baa6-aa82e650fe6e@gmail.com>
Date: Sun, 7 Aug 2016 11:41:40 -0400
In-Reply-To: <20160806235716.726a0e4e@pc1>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nxnXvJBOX9Wk4wd8KvHrN6fh208>

Hi Hanno:

The papers [1] and [2] may be of interest here. In [2], Section 3.3, 
Alfred Menezes and Neal Koblitz compare FDH-hash RSA signatures, PSS 
(lots of randomness in the salt), and a scheme by Wang and Katz that 
only contains one bit of randomness with signing and is claimed to have 
tight reductions (see also [1]) and argue a "Pass on PSS".

[1] Signature Schemes - Efficient, with Tight Security Reductions 
(Jonathan Katz, Nan Wang, CCCS 2003). Available from 
https://www.cs.umd.edu/~jkatz/papers/CCCS03_sigs.pdf
[2] Provable Security, Another Look at (Alfred Menezes, Neal Koblitz, 
IACR ePrint 2004-152). Available from https://eprint.iacr.org/2004/152

On 8/7/2016 2:57 AM, Hanno Böck wrote:
> Hi,
>
> On Sat, 6 Aug 2016 18:54:56 -1000
> Brian Smith <brian@briansmith.org> wrote:
>
>> Also, I think it would be great if people working on proofs of
>> security for TLS could take into consideration the fact that
>> some--perhaps many--implementations will intentionally or accidentally
>> use some form of deterministic or less-than-random salt generation for
>> RSA-PSS. For example, it would be great to see a "What if the salt(s)
>> in the RSA PSS signature(s) were generated deterministically?" section
>> of papers describing such proofs.
> Actually there is some info on that in the PSS spec [1]. What I write
> here is my limited understanding, but roughly I'd interpret it as this:
> It says that if you use a non-random salt the security gets reduced to
> the security of full domain hashing, which was kinda the predecessor of
> PSS.
> I'd conclude from that that even in a situation where the salt
> generation is a non-random value nothing really bad happens. The
> security of a PSS scheme without randomness is still better than that
> of a PKCS #1 1.5 signature.
>
> Maybe some more knowledgeable people want to add something, but the
> bottom line is I think that we don't need to worry too much about the
> randomness part here. Unlike with other situations (e.g. ecdsa/dsa) the
> randomness is not a piece that once you take it away everything blows
> up.
>
>
> [1] https://tools.ietf.org/html/rfc3447


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
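Hanno's point that a non-random salt does not break PSS verification can be seen directly in the encoding. As an added example (not code from any of the messages above), here is EMSA-PSS-ENCODE and EMSA-PSS-VERIFY from RFC 3447 Section 9.1 with a caller-supplied salt: the verifier recovers the salt from the encoded message rather than being told it, so a signer using a deterministic salt, or a zero-length one, still interoperates with a standard verifier. SHA-256 and an emBits of 2047 (a 2048-bit modulus) are assumed; `deterministic_salt` is a constructed HMAC-based salt derivation, not anything the RFC specifies, and the RSA primitive is omitted because the salt lives entirely in the encoding.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size

def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 3447 B.2.1): concatenated SHA-256 digests of seed || 4-byte counter."""
    out = b""
    for counter in range((mask_len + HLEN - 1) // HLEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(msg: bytes, salt: bytes, em_bits: int) -> bytes:
    """EMSA-PSS-ENCODE (RFC 3447 9.1.1) with a caller-supplied salt of any length."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: salt too long for emBits")
    m_hash = HASH(msg).digest()
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()         # H = Hash(M')
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked_db = bytearray(xor(db, mgf1(h, em_len - HLEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)        # clear leftmost unused bits
    return bytes(masked_db) + h + b"\xbc"

def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 3447 9.1.2). The salt is recovered from EM, so the
    verifier neither knows nor cares whether the signer chose it at random."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & (~top_mask & 0xFF):                  # unused bits must be zero
        return False
    db = bytearray(xor(masked_db, mgf1(h, em_len - HLEN - 1)))
    db[0] &= top_mask
    ps_len = em_len - HLEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:             # PS || 0x01 check
        return False
    salt = bytes(db[ps_len + 1:])
    h_prime = HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()
    return hmac.compare_digest(h, h_prime)

def deterministic_salt(key_secret: bytes, msg: bytes) -> bytes:
    """Constructed, non-random salt: HMAC of the message under a per-key secret (an assumption)."""
    return hmac.new(key_secret, msg, HASH).digest()
```

With a zero-length salt the encoding is fully deterministic, which is the FDH-like case Hanno refers to; with any salt the verifier's check is identical.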