7

The Republic of Brutopia are updating the design of their library cards with a new security feature: a 2D barcode containing a cryptographically signed copy of the human-readable fields on the card. This will allow anyone to verify that a card is genuine and has not been tampered with.

Unfortunately, the library card is the principal form of government-issued ID in Brutopia. You'll probably show yours to almost-random strangers several times a day, whether you want to buy beer, open a bank account, or pick up a package at the post office. And now civil rights advocates and conspiracy theorists alike are up in arms about the privacy implications of using the new barcoded cards for that. Who can really know if the barcode only contains the data about you that you can see for yourself on the face of the card?

It didn't help the government that they published full specifications for the barcode content, including a DSA signature at the end. The critics pointed out that a DSA signature contains an ostensibly-random nonce, and there is no way you can check that it is really all random and doesn't secretly code for personally identifiable data.

It appears that what the government needs is to use something else than DSA for signing the cards. As far as I can make out, what we would ideally want here is a public-key signature scheme with the additional property that

It should be infeasible to construct a valid public key $K_p$, a message $M$, and two different signatures $S_1$ and $S_2$ such that $S_1$ and $S_2$ are both valid signatures for $M$ under key $K_p$.

Does this property (or something like it) have a name?

And are there generally accepted signature schemes that provide this?

Naively I would expect that RSA, with the input being a hash of the message, padded to the modulus length in some deterministic way, might work -- but apparently best practice is always to use some random padding when using RSA for anything, so I'm not sure whether that would be vulnerable somehow.

hmakholm left over Monica
  • 550
  • 4
  • 10
  • 1
    There is no proof for the non-existance of some covert communication channel for a real system. – tylo Nov 15 '16 at 19:24
  • 2
    I call that property "verifiably deterministic", but I don't know if that's a standard name. – CodesInChaos Nov 15 '16 at 21:00
  • I think BLS is another system with that property. – CodesInChaos Nov 15 '16 at 21:00
  • DSA can be made deterministic http://crypto.stackexchange.com/questions/20538/rfc-6979-why-not-simply-hash-the-message-the-private-key-for-deterministic- http://security.stackexchange.com/questions/46939/dsa-generates-different-signatures-with-the-same-data http://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys – dave_thompson_085 Nov 16 '16 at 07:43
  • 1
    @dave_thompson_085 But without knowing the private key, you can't verify if the signer used the deterministic approach, so it's useless for preventing the signer from embedding hidden information in the signature. (You probably could use some fancy zero-knowledge proof for that, but that's far more complicated than switching to another signature algorithm) – CodesInChaos Nov 16 '16 at 11:38
  • @CodesInChaos: oops, I didn't think that through. Thanks. – dave_thompson_085 Nov 17 '16 at 15:00

2 Answers2

7

Sending information covertly when using legitimate systems is a well-studied field. As another question mentions, key words are covert channel and subliminal channel.

Designing systems with no covert channels is difficult, but not impossible. The main difficulty is to ensure that if any randomness is sampled incorrectly, the legitimate recipient must detect and reject.

For your case, deterministic signatures (as you had almost arrived at yourself) would be sufficient. The main interesting system is RSA-FDH (full-domain hash) which is trivially deterministic. There are also systems that have deterministic signature generation (if you sign the same message twice, you get the same signature), but where someone with the signing key could generate different signatures without the verification algorithm noticing.

For more complicated systems, this becomes much more difficult. For some symmetric cryptosystems, you can use counters instead of random nonces.

CodesInChaos
  • 24,841
  • 2
  • 89
  • 128
K.G.
  • 4,617
  • 16
  • 32
  • For RSA-FDH, do you need a special-purpose hash function with a wide enough output to cover the entire domain, or is it sufficient for security to hash the message with a standard hash (say, SHA-3) and subsequently expand it to the RSA modulus length using a CSPRNG? The Wikipedia article doesn't seem to say so clearly. – hmakholm left over Monica Nov 17 '16 at 15:41
  • Using a standard hash and then expanding it is sufficient. Note that you need a bit more than a CSPRNG (in the sense that it is possible to design a CSPRNG that won't give you security), you need a random-oracle-like function. – K.G. Nov 18 '16 at 10:44
6

RSA with PKCS#1 v1.5 padding for signature genernation would work, as the algorithm is fully deterministic. The random padding is only used for RSA with PKCS#1 v1.5 padding for encryption which is different from the padding for signature generation.

Note that both OAEP and PSS are not deterministic either; they both rely on a random number generator.

I guess the name of the property is a covert channel / without a covert channel. A covert channel is a channel that can be used to communicate between parties that are not meant to communicate (in the protocol). Within cryptography subliminal channel is a specific covert channel that can be used in signatures such as DSA.

Determinism was already mentioned above. If all inputs are known then the outcome of the algorithm is known as well.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313