
I am working on an application where I have a physical product identification label containing a block of public, low-entropy data (~50 bytes) such as serial number and other info, all readily available right on the label. I would like to use a hash-based signature algorithm to provide an authenticity check that the product is valid.

  1. Is this a reasonable idea? Does the low-entropy data cause problems?
  2. How many of these product labels would someone have to obtain in order to derive the secret key?

EDIT: A better question might be, can this signature be faked without having the secret key?

  1. Is there a way to do this securely with only 256 bits of output data?
malaal

2 Answers

  1. Is this a reasonable idea?

Sounds good, as long as:

  • You use a strong RSA key (e.g. at least 2048 bits)

  • You use a good RSA signature padding method

  • You somehow prevent the attacker from modifying the RSA public key you use to verify with

Does the low-entropy data cause problems?

No, the low-entropy data does not present a problem.

  2. How many of these product labels would someone have to obtain in order to derive the secret key?

There is no known way to recover the RSA private key, even if you give the attacker an oracle to sign an arbitrary number of arbitrary messages (which is a much stronger attack scenario than what you have).

poncho

As said in the other answer: yes, this is a reasonable idea. RSA allows secure signature of the low-entropy public data, which can be verified openly as matching said data, but can't be generated without the private key. Examples of valid signatures and the public key will not reveal the private key, or ways to produce other signatures. Several standardized signature schemes do this routinely (but of course there is nothing to prevent copying of the public data and its signature).

Now the question adds:

Is there a way to do this securely with only 256 bits of output data?

Not with RSA. A 256-bit RSA signature would be insecure, because these are (within few bits) as wide as the public modulus, and 256-bit is way too small (384-bit was already too small in the 1990's, and there's been considerable progress since then, see this).

256-bit is near the verge, and rather on the wrong side, of what well-vetted signature schemes can give with high security. I recently asked about this, making an inventory of what I know among standardized schemes, with nothing below 384-bit at the 128-bit security level commonly recommended for high-security in the next decades.

On the other hand, if one is happy with something like 90-bit security (which would still put the projected attack cost using today's means into the billions of euros), and doesn't need something standardized, it's possible to use a short Schnorr signature (which nominally would be 270-bit) and a few tricks to trade a longer signature generation and/or verification time against a few fewer bits of signature. I can detail that if needed.

Another option would be a BLS signature, e.g. on curve BN254 or BN256, which fits the size goal and would be at least comparably secure according to these comments, but that's out of my comfort zone.

fgrieu
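As an added illustration, not code from the question or either answer: a Schnorr signature over secp256k1 whose hash part is truncated to T bits, which is the shape of the "short Schnorr" signature discussed above, so the signature length is T plus the bit length of the group order. With a 256-bit curve order and T = 128 that gives 384 bits at the 128-bit level, matching the floor cited above; getting near 256 bits requires a smaller group and a lower security target. The curve constants are the standard secp256k1 values; the label bytes and the private key are constructed for the demo.

```python
import hashlib
# secp256k1 domain parameters (standard public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
T = 128  # hash bits kept in the signature; total size is T + 256 = 384 bits

def add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt); k >>= 1
    return acc

def chal(r, msg):
    """Challenge e = H(R || m) with R encoded as x||y (64 bytes), truncated to T bits."""
    h = hashlib.sha256(r[0].to_bytes(32, "big") + r[1].to_bytes(32, "big") + msg).digest()
    return int.from_bytes(h, "big") >> (256 - T)

def sign(sk, msg):
    k = int.from_bytes(hashlib.sha256(sk.to_bytes(32, "big") + msg).digest(), "big") % N  # deterministic nonce
    e = chal(mul(k, G), msg)
    s = (k + e * sk) % N
    return e.to_bytes(T // 8, "big") + s.to_bytes(32, "big")  # (e, s): T bits + 256 bits

def verify(pk, msg, sig):
    """Recompute R = s*G - e*pk and check that the truncated hash matches e."""
    if len(sig) != T // 8 + 32: return False
    e, s = int.from_bytes(sig[:T // 8], "big"), int.from_bytes(sig[T // 8:], "big")
    r = add(mul(s, G), mul(N - e, pk))  # (N - e) * pk == -e * pk
    return r is not None and chal(r, msg) == e

LABEL = b"SN=000000012345;MODEL=X100;LOT=2023-07;MADE_IN=DE;REV=A"  # constructed ~50-byte public label data
SK = 0x1F2E3D4C5B6A79880F1E2D3C4B5A69788796A5B4C3D2E1F00112233445566778  # constructed demo private key
PK = mul(SK, G)
SIG = sign(SK, LABEL)  # 48 bytes: the genuine label verifies, a label with an altered serial does not
```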