[Cfrg] EC signature: next steps
Dan Brown <dbrown@certicom.com> Mon, 31 August 2015 16:26 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A979E1B564F for <cfrg@ietfa.amsl.com>; Mon, 31 Aug 2015 09:26:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.1
X-Spam-Level:
X-Spam-Status: No, score=0.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4rRVE-3qxqTt for <cfrg@ietfa.amsl.com>; Mon, 31 Aug 2015 09:26:09 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id 33F681B5641 for <cfrg@irtf.org>; Mon, 31 Aug 2015 09:26:07 -0700 (PDT)
Received: from xct102cnc.rim.net ([10.65.161.202]) by mhs215cnc.rim.net with ESMTP/TLS/AES128-SHA; 31 Aug 2015 12:26:06 -0400
Received: from XCT113CNC.rim.net (10.65.161.213) by XCT102CNC.rim.net (10.65.161.202) with Microsoft SMTP Server (TLS) id 14.3.210.2; Mon, 31 Aug 2015 12:26:06 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT113CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Mon, 31 Aug 2015 12:26:05 -0400
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: EC signature: next steps
Thread-Index: AdDj/znvP4oPbNicS12E46vPuxcYJw==
Date: Mon, 31 Aug 2015 16:26:05 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5E3749A@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0000_01D0E3E8.34742890"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/0FHzTLdAZUuwY-4JstrxmAPb1_0>
Subject: [Cfrg] EC signature: next steps
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2015 16:26:11 -0000
Dear CFRG chairs, Please clarify the initialize-update-finalize (IUF) requirements. Below, I found some off-list text that might be useful to clarify the issue. > -----Somebody once said [with my edits]----- > > CFRG has decided it wants IUF. So the schemes you mention below will > not be able to put pre-hash = identity and meet CFRG requirements. > > Here is some context to the quoted text: > On 30/07/2015 13:26, "Dan Brown" <dbrown@certicom.com> wrote: > > >put pre-hash=identity, e.g. PureEdDSA, or Ilari's proposal. > > > >That option does _not_ support IUF. > > > >The whole message must be received to compute R, and then processed > >again, requiring two IUF passes, or buffer a huge message. > > > >If CFRG is allowing these non-IUF options then I'd add one to my > >proposal. Here is some further discussion: At least two of the remaining proposals, EdDSA and Ilari Liusvaara's, have modes that fail to meet _strict_ IUF requirements: the modes in which the pre-hash is the identity. By _strict_ I mean that IUF that has a fixed size memory buffer; that's the whole point of IUF, isn't it? I see these proposals as meeting the IUF poll option #3, but fail to meet IUF option #1. I believe the proposers think that these are IUF modes, so are working under a _lax_ IUF requirements that permits a large buffer. But, the CFRG chairs have not yet ruled against these modes. Coincidentally, these non-strict IUF modes also happen to be the proposal's collision-resilient modes. In my proposal, I would also like to have an option to place as R prefix instead of a suffix, for _better_ collision resilience (or collision resilience instead of collision resistance, if you prefer stricter terminology, see below for further discussion). I still have no idea of whether I am allowed to have such an option, despite mentioning this a few times on the list. My understanding was that the IUF poll choice #3 was to have a non-IUF mode as an option in the signature. I recall voting for #3. But because the chairs rule for choice #1, I understood that such a non-IUF to be forbidden, so my proposal accordingly did not include a non-IUF option. Brief technical comparison: In the strict IUF mode (i.e. pre-hash = hash), the EdDSA and Liusvaara proposals have the form H(R,H(M)) whereas mine has H(M,R). Mine is simpler, and _if_ one believes all the wide-pipe hash hype, seems securer. Of course, _if_ one does not want to credit wide pipes anything, then they seem about equally secure. In the non-strict IUF modes, if allowed, my proposal's message hashing would converge to a perfect unison with these proposals in the form H(R,M) but of course the proposal vary on several other features. If CFRG recommends a scheme with two modes are allowed, then the users must decide a trade-off between them, trading some efficiency IUF for some security collision-resilience. That's where one can argue about H(M,R)+SIUF versus H(R,M)-SIUF (S=strict), and consider all the arguments that DJB and I had. Note: the verifier can do strict IUF in all the current proposals, since the verifier does not compute the PRF (though this requires the verifier receiving the signature before the message). But the verifier should probably not do IUF because of its security risks: partial verification is unwise (see the EdDSA proposal for details). Indeed, the verifier would prefer signed message packets (as DJB suggested), if enough computational resources are available. By contrast, the signer might slightly prefer IUF over signing message packets, lest the message packets be taken out of context.
- [Cfrg] EC signature: next steps Alexey Melnikov
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] EC signature: next steps Watson Ladd
- [Cfrg] EC signature: next steps Dan Brown
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Dan Brown
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- [Cfrg] Side inputs to signature systems D. J. Bernstein
- Re: [Cfrg] Side inputs to signature systems Natanael
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] Side inputs to signature systems Michael Hamburg
- Re: [Cfrg] EC signature: next steps Rene Struik
- Re: [Cfrg] EC signature: next steps David Jacobson
- Re: [Cfrg] EC signature: next steps Mike Hamburg
- Re: [Cfrg] EC signature: next steps William Whyte
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] key as message prefix => multi-key sec… Dan Brown
- [Cfrg] key as message prefix => multi-key security D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Paterson, Kenny
- Re: [Cfrg] key as message prefix => multi-key sec… Sven Schäge
- Re: [Cfrg] key as message prefix => multi-key sec… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] key as message prefix => multi-key sec… William Whyte
- Re: [Cfrg] key as message prefix => multi-key sec… Bill Cox
- Re: [Cfrg] key as message prefix => multi-key sec… Andrey Jivsov
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Eike Kiltz
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Simon Josefsson