[tor-dev] HS desc replay protection and ed25519 malleability
Ian Goldberg
iang at cs.uwaterloo.ca
Wed Apr 18 14:31:30 UTC 2018
[Warning: recovering from illness. Brain may not be operating at
nominal capacity. :-p ]
On Wed, Apr 18, 2018 at 04:53:59PM +0300, George Kadianakis wrote:
> Thanks for the help!
>
> Hmm, so everyone gets a shot at a single malleability "attack" with
> everye d25519 sig? What's the point of the (RS[63] & 224) check then?
>
> In this case, we can't use S as the replay cache index since the
> attacker can mutate it and still get the sig to verify.
You could still use (S mod l) as the cache index, though, right?
> Can we use R as the replay cache index then? Can an attacker given
> (R,S) find (R',S') such that the sig still verifies?
Using R itself should, AFAICT, be safe against malleability. More
concretely, whatever representation of R is used in the hash H(R,A,M)
used to compute S (and to verify the signature). But is malleability
the only attack you should be worried about? What if one party produces
two descriptors for two different services, but reuses R to cause a
cache collision? Presumably some untoward badness would result.
Perhaps use the *output* of the hash H(R,A,M)? Or the pair
(R, S mod l)?
It's also not true that malleability is not part of the standard
security definition for signatures. That's exactly the difference
between the WUF and SUF (weakly / strongly unforgeable) security
properties. In a WUF system, the attacker, given a signing oracle,
cannot produce a valid signature on a message she does not present to
the signing orable. In a SUF system, the attacker cannot produce a
valid (message,signature) _pair_ she does not send to / receive from the
signing oracle. A system with malleable signatures can be WUF, but
cannot be SUF.
- Ian
More information about the tor-dev
mailing list