Key related attacks and unforgeability

[tlepoint]

As pointed out in https://github.com/chris-wood/draft-dew-cfrg-signature-key-blinding/issues/14, ECDSA with multiplicative key blinding is not unforgeable in the RKA model. Applied to the Rate-Limited Token Issuance Protocol, this gives the following unusual settings.

• Client 1 generates an ECDSA keypair pk_sign, sk_sign, and registers to the Attester with pk_sign;
• Client 1 interacts correctly with the attester, and following the notation of Sec 7.1.2, it signs

  context = concat(0x0003, token_key_id, ..., encrypted_origin_name)

  with sk_sign and sk_blind. In particular, this yields a valid ECDSA signature (r, s) under a public key blind_key = pk_blind = (sk_blind * sk_sign) * G where G is the base point. Both the attester and issuer will accept this valid signature.

Now, consider a second client

• Client 2 registers to the attester with pk2 = alpha^(-1) * pk_blind, for a random alpha.

Note that client 2 does not know the secret key associated with its public key pk2. However, it can send the same context and (r, s) as above, and a randomizer sk_blind2 = alpha to the attester. The attester will reconstruct pk_blind2 = sk_blind2 * pk2 = pk_blind, and verify the signature (r, s) against pk_blind, which is valid!

We end up in a setting where a client has sent a valid signature on a message without knowing the secret key. This is the same message context and signature as above.

Alternatively, client 2 could generate a context

context2 =  concat(0x0003, token_key_id2, ..., encrypted_origin_name2)

compute beta = H(context2)/H(context) mod q, and register with public key pk3 = alpha^(-1) * beta * pk_blind, and provide randomizer sk_blind3 = alpha and signature (r, beta * s mod q). Once again, the client doesn't know the secret key sk3 associated to pk3. Since this is an ECDSA signature, it holds that

beta * s = k^(-1) (beta * H(context) + beta * sk_blind * sk_sign * r) mod q
              = k^(-1) ( H(context2) + sk3 * r ) mod q

It seems that the notion used in this part of the protocol does not rely on the unforgeability of the signature in the related key attack model. It would be valuable to specify which security properties are used from the ECDSA key blinding protocol, and what security properties they enable to prove for the rate-limited token issuance protocol.

[tfpauly]

@chris-wood can we close this now?

[chris-wood]

Yeah, I think we can close this out based on the backing analysis.