[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] HS desc replay protection and ed25519 malleability

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] HS desc replay protection and ed25519 malleability
From: Watson Ladd <watsonbladd@xxxxxxxxx>
Date: Wed, 18 Apr 2018 06:21:10 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 18 Apr 2018 09:21:23 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=+wBclESH2pugY7jXqs5ocrFl2MWaLmCx+rUuze5o8+w=; b=i6XMmmOeUxcO74kxqGkONg7MoWzIpBGSC9ojnMnZSVs2m+xQPdYWe1Z0hdv7gqDjOT PDJHxoSrWAhXGsv1TcmdJIR4QT1gKqg+l2k1n5bKm6Gsv80Wohi/LVbFGEd+zE59olN6 hcuum3nwF9dd0HPNNNgVWQcpmaAtAwKJ2rk4jo61fo9c39Qq7nfvkGkG2y4wN7gJ6JFP y7tDcHyWemlRc1n81X40KqqG3dGYOMGjww5ykUHwQxFRZFUZGIH8NuKiTLW7HPeXLm+x BiuJRVAy2wKe425EhHBnOp1aF7rWjl2mc/PoFvxuehvNce1vhxzKD7zwj4NgRoJafq9d U5Cw==
In-reply-to: <877ep4hczs.fsf@riseup.net>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <877ep4hczs.fsf@riseup.net>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Wed, Apr 18, 2018 at 6:15 AM, George Kadianakis <desnacked@xxxxxxxxxx> wrote:
> Hello Ian, isis, and other crypto people around here!
>
> Here is an intro: In HSv3 we've been using revision counters
> (integers++) to do HS desc replay protection, so that bad HSDirs cannot
> replay old descs to other HSDirs. We recently learned that this is a bad
> idea from a scalability prespective (multiple sites need to track rev
> counter...), and also it's needless complexity in the code (tor needs to
> cache the counters etc.). See ticket #25552 for more details:
>       https://trac.torproject.org/projects/tor/ticket/25552
>       https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n1078
>
> In #25552 we've been making plans to ditch the rev counters and replace
> them with a casual replay cache. (These replay caches also don't need to
> be big, since descriptors are only replayable for a day before the
> ephemeral blinded key changes, and the cache can be reset).
>
> Anyhow, now we've been playing the game of "which part of the desc
> should we use in the replay cache"? The latest plan here has been to use
> the ed25519 descriptor signature since it's something small, simple and
> necessarily changes with every fresh descriptor. And this is how we
> entered the ed25519 malleability scene.
>
> The basic question here is, can we use the ed25519 signature in our
> replay cache and consider it immutable by attackers without the private
> key? And should we use R, or S, or both?
>
> According to RFC8032:
>
>              Ed25519 and Ed448 signatures are not malleable due to the
>              check that decoded S is smaller than l.  Without this
>              check, one can add a multiple of l into a scalar part and
>              still pass signature verification, resulting in malleable
>              signatures.
>
> However, neither donna or ref10 include such a check explicitly
> IIUC. Instead they check whether (RS[63] & 224), which basically ensures
> that the high 3 bits of S are zeroed, which ensures S < 2^253. Is that
> equivalent to the RFC check? Because if I'm counting right, for most
> legit S values you can still add a single l as the attacker and get an
> S' = S + l < 2^253 equivalent signature (you can't add 2*l tho).

This seems right. Malleability is not part of the standard security
definition for signatures.
>
> So what's the state of ed25519 malleability? I know that after the
> Bitcoin incident, people have thought about this a lot, so I doubt we
> are in a broken state, but I just wanted to make sure that we will not
> mess something up. :)
>
> Thanks for the help! :)
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] HS desc replay protection and ed25519 malleability
  - From: George Kadianakis

References:
- [tor-dev] HS desc replay protection and ed25519 malleability
  - From: George Kadianakis

Prev by Author: Re: [tor-dev] Notes from 12 April 2018 Simple Bandwidth Scanner Meeting
Previous by thread: [tor-dev] HS desc replay protection and ed25519 malleability
Next by thread: Re: [tor-dev] HS desc replay protection and ed25519 malleability
Index(es):
- Author
- Thread