1
0
mirror of https://github.com/golang/go synced 2024-11-11 21:00:23 -07:00
The Go programming language
Go to file
David Leon Gil a8049f58f9 crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.

Fixes #9452

--

This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:

   - csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
   - reader = AES-256-CTR(k=csprng_key)

This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.

ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:

*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.

*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.

--

Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.

--

[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"

[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"

[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"

[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"

[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"

New tests:

  TestNonceSafety: Check that signatures are safe even with a
    broken entropy source.

  TestINDCCA: Check that signatures remain non-deterministic
    with a functional entropy source.

Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.

Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-28 01:39:51 +00:00
api runtime: add GODEBUG=gccheckmark=0/1 2015-01-12 16:36:50 +00:00
doc doc: update go1.5.txt 2015-01-19 00:00:46 +00:00
include cmd/gc: simplify code for c2go 2015-01-26 20:00:30 +00:00
lib/time remove the obsolete lib/codereview. 2014-12-08 07:51:54 +00:00
misc misc/makerelease: send file size when uploading 2015-01-20 04:09:23 +00:00
src crypto/ecdsa: make Sign safe with broken entropy sources 2015-01-28 01:39:51 +00:00
test cmd/gc: treat non-local vars inlined into wrapper as escaping 2015-01-22 03:25:12 +00:00
.gitattributes .gitattributes: prevent all magic line ending changes 2014-12-12 23:14:54 +00:00
.gitignore all: tighten overly-broad runtime/z* gitignore line 2014-12-10 00:45:47 +00:00
AUTHORS A+C: add another email address for Emil Hessman 2014-11-12 10:01:23 -08:00
CONTRIBUTING.md doc: direct people to the mailing list 2015-01-18 21:27:07 +00:00
CONTRIBUTORS C: add Nick Cooper (Google CLA). 2014-11-14 17:03:17 +11:00
favicon.ico godoc: update favicon 2012-10-11 17:02:36 +11:00
LICENSE doc: update licensing text one more time 2012-03-27 15:09:13 +11:00
PATENTS
README.md README: emphasize that we don't accept pull requests 2015-01-08 18:50:47 +00:00
robots.txt godoc: serve robots.txt raw 2011-02-19 05:46:20 +11:00

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image

For documentation about how to install and use Go, visit https://golang.org/ or load doc/install-source.html in your web browser.

Our canonical Git repository is located at https://go.googlesource.com/go. (There is a mirror of the repository at https://github.com/golang/go.)

Please report issues here: https://golang.org/issue/new

Go is the work of hundreds of contributors. We appreciate your help!

To contribute, please read the contribution guidelines: https://golang.org/doc/contribute.html

Please note that we do not use pull requests.

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

--

Binary Distribution Notes

If you have just untarred a binary Go distribution, you need to set the environment variable $GOROOT to the full path of the go directory (the one containing this file). You can omit the variable if you unpack it into /usr/local/go, or if you rebuild from sources by running all.bash (see doc/install-source.html). You should also add the Go binary directory $GOROOT/bin to your shell's path.

For example, if you extracted the tar file into $HOME/go, you might put the following in your .profile:

export GOROOT=$HOME/go
export PATH=$PATH:$GOROOT/bin

See https://golang.org/doc/install or doc/install.html for more details.