mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-04 12:37:35 +03:00
crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable output for the ephemeral nonces. E.g., [Nguyen]. A simple countermeasure is to hash the secret key, the message, and entropy together to seed a CSPRNG, from which the ephemeral key is derived.

Fixes #9452

--

This is a minimalist (in terms of patch size) solution, though not the most parsimonious in its use of primitives:

- csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
- reader = AES-256-CTR(k=csprng_key)

This, however, provides at most 128-bit collision-resistance, so that Adv will have a term related to the number of messages signed that is significantly worse than plain ECDSA. This does not seem to be of any practical importance.

ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for two sets of reasons:

*Practical:* SHA2-512 has a larger state and 16 more rounds; it is likely non-generically stronger than SHA2-256. And, AFAIK, cryptanalysis backs this up. (E.g., [Biryukov] gives a distinguisher on 47-round SHA2-256 with cost < 2^85.) This is well below a reasonable security-strength target.

*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is indifferentiable from a random oracle for slightly beyond the birthday barrier. It seems likely that this makes a generic security proof that this construction remains UF-CMA possible in the indifferentiability framework.

--

Many thanks to Payman Mohassel for reviewing this construction; any mistakes are mine, however. And, as he notes, reusing the private key in this way means that the generic-group (non-RO) proof of ECDSA's security given in [Brown] no longer directly applies.

--

[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps "Brown. The exact security of ECDSA. 2000"
[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf "Coron et al. Merkle-Damgard revisited. 2005"
[Chang]:50860436.pdf "Chang and Nandi. Improved indifferentiability security analysis of chopMD hash function. 2008"
[Biryukov]:70730269.pdf "Biryukov et al. Second-order differential collisions for reduced SHA-256. 2011"
[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps "Nguyen and Shparlinski. The insecurity of the elliptic curve digital signature algorithm with partially known nonces. 2003"

New tests:

TestNonceSafety: Check that signatures are safe even with a broken entropy source.

TestINDCCA: Check that signatures remain non-deterministic with a functional entropy source.

Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.

Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
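The nonce-derivation construction described in the commit message, written out as an added stand-alone Go example (not the crypto/ecdsa patch itself): the 512-bit digest of priv.D, entropy and the message hash is chopped to 256 bits and used as an AES-256-CTR key, and the keystream is what Sign would read to form the ephemeral k. The two check functions mirror what TestNonceSafety and TestINDCCA verify; the private scalar and entropy values are constructed sample bytes, and hedgedNonce returns keystream bytes directly rather than wrapping them in an io.Reader.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"fmt"
)

// hedgedNonce is the construction from the commit message: key = ChopMD-256(SHA2-512(priv.D ||
// entropy || hash)), stream = AES-256-CTR(key). privD is the private scalar (big-endian),
// hash the digest being signed; it returns the first n keystream bytes Sign reads to form k.
func hedgedNonce(privD, entropy, hash []byte, n int) []byte {
	md := sha512.New()
	md.Write(privD)
	md.Write(entropy)
	md.Write(hash)
	key := md.Sum(nil)[:32] // ChopMD-256: keep the first 256 bits of the digest
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // cannot happen: the key is always 32 bytes
	}
	iv := make([]byte, aes.BlockSize) // zero IV: each key drives exactly one signature
	out := make([]byte, n)            // CTR over zeros yields the raw keystream
	cipher.NewCTR(block, iv).XORKeyStream(out, out)
	return out
}

// nonceSafe mirrors TestNonceSafety: entropy stuck at zero must still give distinct nonces per message.
func nonceSafe(privD []byte) bool {
	broken := make([]byte, 32) // all-zero "entropy"
	k1 := hedgedNonce(privD, broken, []byte("message one"), 32)
	k2 := hedgedNonce(privD, broken, []byte("message two"), 32)
	return !bytes.Equal(k1, k2)
}

// nonDeterministic mirrors TestINDCCA: fresh entropy must change the nonce for one message.
func nonDeterministic(privD []byte) bool {
	hash := []byte("same message")
	k1 := hedgedNonce(privD, bytes.Repeat([]byte{1}, 32), hash, 32)
	k2 := hedgedNonce(privD, bytes.Repeat([]byte{2}, 32), hash, 32)
	return !bytes.Equal(k1, k2)
}

func main() {
	privD := bytes.Repeat([]byte{0x42}, 32) // constructed sample scalar, not a real key
	fmt.Println("nonce safe:", nonceSafe(privD), "non-deterministic:", nonDeterministic(privD))
}
```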
This commit is contained in:
parent
b180ba8f9b
commit
531f0d0055
9 changed files with 475 additions and 477 deletions
90
testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA
vendored
|
@ -8,11 +8,11 @@
|
|||
00000060 19 00 0b 00 02 01 00 00 0d 00 0a 00 08 04 01 04 |................|
|
||||
00000070 03 02 01 02 03 ff 01 00 01 00 |..........|
|
||||
>>> Flow 2 (server to client)
|
||||
00000000 16 03 01 00 59 02 00 00 55 03 01 53 04 f1 03 46 |....Y...U..S...F|
|
||||
00000010 0f 84 c4 cb 55 ef 85 f6 4f d7 0e e1 4b 10 d4 bb |....U...O...K...|
|
||||
00000020 35 87 2d f3 d7 18 ec 4e 95 4b f4 20 28 82 94 d9 |5.-....N.K. (...|
|
||||
00000030 df c4 fc ee 21 23 c1 e2 76 3e 7b 09 af 2c 39 23 |....!#..v>{..,9#|
|
||||
00000040 f8 46 6c 31 88 42 f0 79 de 37 2b 00 c0 09 00 00 |.Fl1.B.y.7+.....|
|
||||
00000000 16 03 01 00 59 02 00 00 55 03 01 8e e5 cd c8 24 |....Y...U......$|
|
||||
00000010 aa 56 53 50 51 e2 d3 6f 6d 8a 03 11 e8 f1 ff f5 |.VSPQ..om.......|
|
||||
00000020 7c f4 30 9c fb 39 cb c5 18 79 cf 20 04 38 5d d9 ||.0..9...y. .8].|
|
||||
00000030 d4 68 64 85 e7 5a 6d bb 0c de 1e 42 e0 78 57 67 |.hd..Zm....B.xWg|
|
||||
00000040 9c 75 3c 47 42 1f a7 06 24 8f 18 11 c0 09 00 00 |.u<GB...$.......|
|
||||
00000050 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 |................|
|
||||
00000060 01 02 0e 0b 00 02 0a 00 02 07 00 02 04 30 82 02 |.............0..|
|
||||
00000070 00 30 82 01 62 02 09 00 b8 bf 2d 47 a0 d2 eb f4 |.0..b.....-G....|
|
||||
|
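Review bot: the bytes that differ in this hunk are the 32-byte server random (offsets 0x0b through 0x2a) and the 32-byte session ID (0x2c through 0x4b) of the ServerHello; the record and handshake framing `16 03 01 00 59 02 00 00 55 03 01`, the session ID length byte `20` at 0x2b and the cipher suite `c0 09` at 0x4c-0x4d are unchanged. That pattern means the whole handshake was re-recorded end to end rather than the signature bytes being patched in place, which is fine, but the commit message only says the goldens were "updated"; a sentence stating that the files were regenerated from a live recording would save the next reader from looking for a meaningful change in these five lines.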
@ -47,21 +47,21 @@
|
|||
00000240 13 83 0d 94 06 bb d4 37 7a f6 ec 7a c9 86 2e dd |.......7z..z....|
|
||||
00000250 d7 11 69 7f 85 7c 56 de fb 31 78 2b e4 c7 78 0d |..i..|V..1x+..x.|
|
||||
00000260 ae cb be 9e 4e 36 24 31 7b 6a 0f 39 95 12 07 8f |....N6$1{j.9....|
|
||||
00000270 2a 16 03 01 00 d5 0c 00 00 d1 03 00 17 41 04 4f |*............A.O|
|
||||
00000280 47 16 72 98 9e 9f 2e 8e 78 e9 0f fe 95 83 7b aa |G.r.....x.....{.|
|
||||
00000290 e5 3d c0 7d cf 83 bd 22 0b fd 48 f1 a7 49 a5 7d |.=.}..."..H..I.}|
|
||||
000002a0 8e 0c 83 7f e1 2d 71 03 cc 90 09 ab f7 35 81 48 |.....-q......5.H|
|
||||
000002b0 a4 1e 7d 87 21 23 12 58 2c 47 f3 af c7 6c 71 00 |..}.!#.X,G...lq.|
|
||||
000002c0 8a 30 81 87 02 42 00 b4 03 38 60 43 d9 32 ef 64 |.0...B...8`C.2.d|
|
||||
000002d0 5a 9c 91 95 0d 10 21 53 c7 78 f8 bf 50 ed 13 5d |Z.....!S.x..P..]|
|
||||
000002e0 c3 e7 71 d6 11 04 f1 e4 9d ce 17 99 8d 1a 87 1f |..q.............|
|
||||
000002f0 cb dd f8 1b ae cd bc 4a 77 ab 7c 50 bf 73 c3 ea |.......Jw.|P.s..|
|
||||
00000300 d6 df 88 56 f6 b1 03 83 02 41 66 3d fb 4e 7e af |...V.....Af=.N~.|
|
||||
00000310 4e c1 60 fe 09 fa 7e 74 99 66 7f de b4 b2 74 89 |N.`...~t.f....t.|
|
||||
00000320 1c a4 cf 74 1a 55 a5 be 74 f9 36 21 3d ae c8 c3 |...t.U..t.6!=...|
|
||||
00000330 24 8e ad db a3 26 67 8f 98 27 e3 93 ee d9 5c fb |$....&g..'....\.|
|
||||
00000340 85 82 e2 13 c3 50 ab e9 f6 39 2b 16 03 01 00 0e |.....P...9+.....|
|
||||
00000350 0d 00 00 06 03 01 02 40 00 00 0e 00 00 00 |.......@......|
|
||||
00000270 2a 16 03 01 00 d6 0c 00 00 d2 03 00 17 41 04 9e |*............A..|
|
||||
00000280 7c 82 c3 eb d9 2f 1a 2c 35 32 70 b3 64 7f dd 16 ||..../.,52p.d...|
|
||||
00000290 0d 28 91 0b b0 b0 30 a8 c7 4c 4f 10 b3 42 84 a4 |.(....0..LO..B..|
|
||||
000002a0 b7 a1 f6 38 e6 63 47 95 1a 0a 3e f0 96 4a 10 10 |...8.cG...>..J..|
|
||||
000002b0 45 fd 66 27 e5 ef 0b 44 d8 da 20 61 47 e3 b8 00 |E.f'...D.. aG...|
|
||||
000002c0 8b 30 81 88 02 42 01 b9 39 36 f9 73 6d 2c f1 1f |.0...B..96.sm,..|
|
||||
000002d0 5f 8d 1d 49 d4 8c f9 19 7c 18 f8 ed 41 77 01 40 |_..I....|...Aw.@|
|
||||
000002e0 30 27 a0 64 a8 c9 08 fb 09 69 eb 13 24 1f cf af |0'.d.....i..$...|
|
||||
000002f0 d2 32 c6 ae 76 52 ac 96 31 4b 63 2c 56 55 af f8 |.2..vR..1Kc,VU..|
|
||||
00000300 c6 cc 56 07 f5 8b fa 82 02 42 01 9e a8 fd 78 34 |..V......B....x4|
|
||||
00000310 f3 d1 53 8c e2 19 37 df 05 8e b7 46 84 ee 66 cc |..S...7....F..f.|
|
||||
00000320 48 d9 8e 22 c0 70 bf 98 3a 40 37 82 a2 bb df 75 |H..".p..:@7....u|
|
||||
00000330 84 4b dc 31 e9 57 70 98 7f 50 81 9b 75 55 9c f6 |.K.1.Wp..P..uU..|
|
||||
00000340 9f ad 69 e6 2b 05 6a 0d 48 7b 99 83 16 03 01 00 |..i.+.j.H{......|
|
||||
00000350 0e 0d 00 00 06 03 01 02 40 00 00 0e 00 00 00 |........@......|
|
||||
>>> Flow 3 (client to server)
|
||||
00000000 16 03 01 02 0a 0b 00 02 06 00 02 03 00 02 00 30 |...............0|
|
||||
00000010 82 01 fc 30 82 01 5e 02 09 00 9a 30 84 6c 26 35 |...0..^....0.l&5|
|
||||
|
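Review bot: the length bookkeeping in this ServerKeyExchange hunk is internally consistent, which supports the regenerated-not-hand-edited reading: record length `00 d5` becomes `00 d6`, handshake length `0c 00 00 d1` becomes `0c 00 00 d2`, the signature length `00 8a` becomes `00 8b` and the DER SEQUENCE `30 81 87` becomes `30 81 88`, all because the second INTEGER grows from 65 to 66 bytes (`02 41 66 3d` at 0x308 becomes `02 42 01 9e`). Note that the ECDH point following `03 00 17 41 04` also changes, so the server's ephemeral key was regenerated along with the signature; worth one line in the commit message so nobody reads the point change as unrelated churn.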
@ -100,30 +100,30 @@
|
|||
00000220 51 88 35 75 71 b5 e5 54 5b 12 2e 8f 09 67 fd a7 |Q.5uq..T[....g..|
|
||||
00000230 24 20 3e b2 56 1c ce 97 28 5e f8 2b 2d 4f 9e f1 |$ >.V...(^.+-O..|
|
||||
00000240 07 9f 6c 4b 5b 83 56 e2 32 42 e9 58 b6 d7 49 a6 |..lK[.V.2B.X..I.|
|
||||
00000250 b5 68 1a 41 03 56 6b dc 5a 89 16 03 01 00 90 0f |.h.A.Vk.Z.......|
|
||||
00000260 00 00 8c 00 8a 30 81 87 02 42 00 c6 85 8e 06 b7 |.....0...B......|
|
||||
00000270 04 04 e9 cd 9e 3e cb 66 23 95 b4 42 9c 64 81 39 |.....>.f#..B.d.9|
|
||||
00000280 05 3f b5 21 f8 28 af 60 6b 4d 3d ba a1 4b 5e 77 |.?.!.(.`kM=..K^w|
|
||||
00000290 ef e7 59 28 fe 1d c1 27 a2 ff a8 de 33 48 b3 c1 |..Y(...'....3H..|
|
||||
000002a0 85 6a 42 9b f9 7e 7e 31 c2 e5 bd 66 02 41 4b 49 |.jB..~~1...f.AKI|
|
||||
000002b0 c6 cd 02 e3 83 f7 03 50 18 6d b4 c9 51 02 c0 ab |.......P.m..Q...|
|
||||
000002c0 87 bc e0 3e 4b 89 53 3a e2 65 89 97 02 c1 87 f1 |...>K.S:.e......|
|
||||
000002d0 67 d0 f2 06 28 4e 51 4e fd f0 01 be 41 3c 52 42 |g...(NQN....A<RB|
|
||||
000002e0 10 44 73 88 3e 44 24 bb 2e 77 01 77 6f a8 ac 14 |.Ds.>D$..w.wo...|
|
||||
000002f0 03 01 00 01 01 16 03 01 00 30 a3 da 45 22 96 83 |.........0..E"..|
|
||||
00000300 59 90 e9 6b ec 3b 77 50 05 89 e6 0c 61 d1 1d 2b |Y..k.;wP....a..+|
|
||||
00000310 da d4 49 bf b9 c6 dd ad c3 9c 82 bd 53 62 e8 57 |..I.........Sb.W|
|
||||
00000320 a4 6a e7 9f b1 d5 39 77 88 6d |.j....9w.m|
|
||||
00000250 b5 68 1a 41 03 56 6b dc 5a 89 16 03 01 00 91 0f |.h.A.Vk.Z.......|
|
||||
00000260 00 00 8d 00 8b 30 81 88 02 42 01 3a 26 83 6d 4a |.....0...B.:&.mJ|
|
||||
00000270 e0 87 d4 5e 54 98 f1 8e a5 23 5f be ce 7b 31 76 |...^T....#_..{1v|
|
||||
00000280 9e f9 93 53 3f b7 a2 4a 80 9f cf ab 64 dc ed 91 |...S?..J....d...|
|
||||
00000290 14 26 27 07 f9 00 64 76 06 a3 84 ea 5f f2 43 f7 |.&'...dv...._.C.|
|
||||
000002a0 35 e1 db ff 53 af 9d 18 00 7f fb ad 02 42 01 fe |5...S........B..|
|
||||
000002b0 56 93 31 ad c3 c3 dc 35 02 66 76 4e 8f 70 f2 10 |V.1....5.fvN.p..|
|
||||
000002c0 84 9c 4b e1 93 7d 7a 7a 0b 4e 0e ae 82 17 17 dd |..K..}zz.N......|
|
||||
000002d0 8a d0 ba 97 7a 6f 9d 2d d3 20 88 a5 2f 3a 01 ff |....zo.-. ../:..|
|
||||
000002e0 14 17 94 d0 81 dc 9d 36 52 72 e9 47 57 4b f4 e5 |.......6Rr.GWK..|
|
||||
000002f0 14 03 01 00 01 01 16 03 01 00 30 68 55 dd 97 80 |..........0hU...|
|
||||
00000300 5b 94 75 02 9c c1 19 f6 c4 04 c1 8a ad 8f 16 f2 |[.u.............|
|
||||
00000310 b6 d6 c1 3b 35 f6 13 ab e3 d1 b7 e4 f9 a9 d5 5f |...;5.........._|
|
||||
00000320 37 9c 3b d8 39 95 2b 66 73 e6 54 |7.;.9.+fs.T|
|
||||
>>> Flow 4 (server to client)
|
||||
00000000 14 03 01 00 01 01 16 03 01 00 30 a4 45 dd 99 df |..........0.E...|
|
||||
00000010 66 ae f5 c7 bd 1a eb 6a ff ac a6 38 14 81 b5 07 |f......j...8....|
|
||||
00000020 86 24 80 f1 09 59 ad 33 3d 43 ed 9e 43 b1 1e 9f |.$...Y.3=C..C...|
|
||||
00000030 bd 8c b3 e0 41 83 a1 34 91 c5 a1 |....A..4...|
|
||||
00000000 14 03 01 00 01 01 16 03 01 00 30 92 07 14 a3 fa |..........0.....|
|
||||
00000010 a6 8f 52 9b bf ae 2b 87 b6 c4 74 44 0f d2 c4 32 |..R...+...tD...2|
|
||||
00000020 70 02 a3 48 a5 d0 e5 4d 3c c0 2e 56 e1 45 df b7 |p..H...M<..V.E..|
|
||||
00000030 8a fb 84 7e 32 2c 94 cc 37 66 66 |...~2,..7ff|
|
||||
>>> Flow 5 (client to server)
|
||||
00000000 17 03 01 00 20 ae e3 ae 7f 2d e3 a2 f7 1b 4e 69 |.... ....-....Ni|
|
||||
00000010 cb 18 c6 68 42 f8 de 61 92 4c fa d6 19 7c 8c 09 |...hB..a.L...|..|
|
||||
00000020 82 e2 f2 32 19 17 03 01 00 20 2a 77 65 1f c1 fd |...2..... *we...|
|
||||
00000030 5e 37 b7 15 f6 1f 4c 7f 5f 89 52 b4 32 27 4d 17 |^7....L._.R.2'M.|
|
||||
00000040 33 c6 e8 50 ac 70 c8 b9 2d 0a 15 03 01 00 20 e0 |3..P.p..-..... .|
|
||||
00000050 cb ce 07 80 55 a0 46 ca a7 25 4c 5f 9d 7c 73 37 |....U.F..%L_.|s7|
|
||||
00000060 de 72 6d 36 a8 e4 be fd 2a e7 f8 8d 14 80 b7 |.rm6....*......|
|
||||
00000000 17 03 01 00 20 89 e2 cc e6 b6 9f 3f 60 b4 c6 88 |.... ......?`...|
|
||||
00000010 33 4d 0e 05 e6 0f 31 3c 87 7c a1 d5 2b 96 1e b6 |3M....1<.|..+...|
|
||||
00000020 e1 dd 72 5e a1 17 03 01 00 20 f7 53 3e de 51 fc |..r^..... .S>.Q.|
|
||||
00000030 f0 dd 93 88 62 25 c0 d4 4f dd 4a ea c5 3c d7 51 |....b%..O.J..<.Q|
|
||||
00000040 68 72 50 fc be ed 57 80 c5 10 15 03 01 00 20 68 |hrP...W....... h|
|
||||
00000050 6f f8 4e c9 c0 cd 9b ab 71 41 b3 97 87 5c 00 99 |o.N.....qA...\..|
|
||||
00000060 50 46 20 a2 48 29 14 30 63 46 84 5b 96 7e 79 |PF .H).0cF.[.~y|
|
||||
|
|
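Review bot: the same consistency check holds for the client's CertificateVerify in Flow 3: `16 03 01 00 90 0f 00 00 8c 00 8a 30 81 87` becomes `16 03 01 00 91 0f 00 00 8d 00 8b 30 81 88`, again because the second INTEGER grows from 65 to 66 bytes (`02 41 4b 49` at 0x2ac becomes `02 42 01 fe`), and every record after the ChangeCipherSpec `14 03 01 00 01 01` (the encrypted Finished `16 03 01 00 30 …`, the application data `17 03 01 00 20 …` and the alert `15 03 01 00 20 …` in both directions) differs, as it must once the key exchange differs. Since Flow 3 (client to server) carries the one signature in this file produced on the client side, this is the hunk the new nonce derivation is most directly reflected in; pointing the "updated goldens" sentence of the commit message at CertificateVerify would make that explicit instead of leaving it to a hex diff.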