
Re: comments on Photuris



I was out sick last week and am now catching up on the discussion.

Although Ashar does have some valid points, several of his arguments
are against straw men in my opinion. For example, his assumption of
the identity function as the hash when signing. Tricking people into
signing arbitrary things of the attacker's choosing is a well-known
vulnerability of RSA and other digital signature algorithms. And this
is easily avoided: you never sign anything directly, you always sign
its crypto hash instead.

Ashar's most valid objection involves the provision for arbitrary
values of g and p in the protocol. I put that feature in because it
seems to fit the well-accepted Internet practice of always leaving
yourself an escape hatch. One countermeasure is to require that if you
do accept an arbitrary {g,p} tuple from someone else, you generate a
unique random exponent just for that transaction.

But the vulnerability is serious enough that I would now recommend
that we limit ourselves to a pre-published list of {g,p} tuples.  We
could start by standardizing a single value of p that's 1024 bits long
and add other lengths (e.g., 512 or 768 bits) later as desired.  All
standard published p's would be strong primes, which everyone would be
free to verify for him/herself.

Of course, limiting the protocol to a small, standard list of generators
and moduli also simplifies the protocol considerably and increases the
opportunity to precompute stuff, which I still think has considerable
practical appeal.

And I still think that the best countermeasure to all of the attacks
that Amir has talked about is to keep generating new random exponents
early and often to limit the exposure of any one exponent. Again,
precomputation of the public component and the signature helps make
this tolerable in practice.

More later when I've caught up some more.

Phil
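An added example, not code from the message above or from Photuris itself: the checks a responder could run before using a {g,p} tuple and a peer's public value, written the way the message argues for. It treats a published p as usable only if it is a safe prime (p = 2q + 1 with q prime) that anyone can re-verify, requires g to generate the order-q subgroup, rejects a received g^x that is trivial or outside that subgroup, and draws a fresh random exponent for every exchange. The 1024-bit modulus is the well-known Oakley group 2 prime from RFC 2409, used as a stand-in for an entry on a pre-published list; the small groups (p = 23, p = 31) are constructed for illustration.

```python
"""Constructed example: validating a Diffie-Hellman {g,p} tuple and a
peer's public value before using them, and using a fresh exponent per
exchange. Not Photuris code; see the lead-in for what is assumed."""
import secrets

# Published 1024-bit safe prime (Oakley group 2, RFC 2409), spelled out
# exactly as the RFC prints it. A stand-in for one entry on a standard list;
# is_safe_prime() below lets anyone re-verify it.
P_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G_1024 = 2  # quadratic residue mod P_1024 (p = 7 mod 8), so it has order q


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; composites fail with high probability."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # witness of compositeness
    return True


def is_safe_prime(p):
    """p and q = (p-1)/2 both prime: Z_p* then has no subgroup an attacker
    can exploit except the trivial ones of order 1 and 2."""
    return (p > 5 and p % 2 == 1
            and is_probable_prime(p) and is_probable_prime((p - 1) // 2))


def validate_group(g, p):
    """Accept {g,p} only if p is a safe prime and g generates the order-q subgroup."""
    if not is_safe_prime(p):
        return False
    q = (p - 1) // 2
    if not 1 < g < p - 1:         # 1 and p-1 have order 1 and 2
        return False
    return pow(g, q, p) == 1      # g lies in the prime-order-q subgroup


def validate_public_value(y, p):
    """A received g^x must be a non-trivial element of the order-q subgroup;
    otherwise the peer can send e.g. p-1 and learn the parity of our exponent."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def fresh_exponent(p):
    """New random exponent in [1, q-1] for each exchange, never reused."""
    q = (p - 1) // 2
    return secrets.randbelow(q - 1) + 1


def dh_exchange(g, p):
    """Both sides draw a fresh exponent, check the peer's public value, and
    derive the shared secret. Returns (secret_a, secret_b), which must match."""
    if not validate_group(g, p):
        raise ValueError("rejected {g,p}: not a safe-prime group with order-q generator")
    xa, xb = fresh_exponent(p), fresh_exponent(p)
    ya, yb = pow(g, xa, p), pow(g, xb, p)
    if not (validate_public_value(yb, p) and validate_public_value(ya, p)):
        raise ValueError("rejected peer public value")
    return pow(yb, xa, p), pow(ya, xb, p)


if __name__ == "__main__":
    # Constructed small groups: 23 = 2*11+1 is safe, 31 = 2*15+1 is not;
    # 2 has order 11 mod 23, 5 is a full generator and is rejected.
    print(validate_group(2, 23), validate_group(5, 23), validate_group(3, 31))
    sa, sb = dh_exchange(G_1024, P_1024)
    print(sa == sb)
```

The subgroup test on the peer's value is what makes the "fresh exponent per transaction" advice sufficient: without it an attacker who controls g or the public value can still extract a few bits of each new exponent, and with it the only thing left for the attacker is the discrete log in the large prime-order subgroup.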