From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <vt@altlinux.org>
Date: Tue, 4 Dec 2018 09:54:45 +0300
From: Vitaly Chikunov <vt@altlinux.org>
To: Open-source aspects of GOST Cryptography
 <oss-gost-crypto@lists.altlinux.org>
Message-ID: <20181204065445.gcaguhhvh7z6gajf@sole.flsd.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: NeoMutt/20171215-106-ac61c7
Subject: [oss-gost-crypto] EC-RDSA and a key substitution attack
X-BeenThere: oss-gost-crypto@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Open-source aspects of GOST Cryptography
 <oss-gost-crypto@lists.altlinux.org>
List-Id: Open-source aspects of GOST Cryptography
 <oss-gost-crypto.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/oss-gost-crypto>, 
 <mailto:oss-gost-crypto-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/oss-gost-crypto>
List-Post: <mailto:oss-gost-crypto@lists.altlinux.org>
List-Help: <mailto:oss-gost-crypto-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/oss-gost-crypto>, 
 <mailto:oss-gost-crypto-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2018 06:54:46 -0000
Archived-At: <http://lore.altlinux.org/oss-gost-crypto/20181204065445.gcaguhhvh7z6gajf@sole.flsd.net/>
List-Archive: <http://lore.altlinux.org/oss-gost-crypto/>

Hi,

В превью к ISO/IEC 14888-3:2018 сказано 

  https://www.iso.org/obp/ui/#!iso:std:76382:en

  "NOTE 5 The mechanisms of EC-DSA, EC-GDSA. EC-RDSA and EC-FSDSA may be
  vulnerable to a key substitution attack[10]. The attack is realized if
  an adversary can find two distinct public keys and one signature such
  that the signature is valid for both public keys. There are several
  approaches of avoiding this attack and its possible impact on the
  security of a cryptographic system. For example, the public key
  corresponding to the private signing key can be added into the message
  to be signed."

Где EC-RDSA это ГОСТ Р 34.10-2001 (а значит и 34.10-2012).

На сколько эта атака актуальна для ГОСТа или это очередной наговор на
российскую криптографию в стиле Н. Куртуа?

Добавить signing key к message не сложно, но я исхожу из того, что этого
делать не надо, так как в ГОСТе такого нет. Но если бы был
рекомендованный метод формирования подписи с учетом этой атаки, то
другое дело.