IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Fri, 22 May 2015 15:48 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 129911A1B18 for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 08:48:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtKyBhsPeOTD for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 08:48:39 -0700 (PDT)
Received: from emh04.mail.saunalahti.fi (emh04.mail.saunalahti.fi [62.142.5.110]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 834D51A0053 for <cfrg@irtf.org>; Fri, 22 May 2015 08:48:38 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh04.mail.saunalahti.fi (Postfix) with ESMTP id B0A9A1A2743; Fri, 22 May 2015 18:48:36 +0300 (EEST)
Date: Fri, 22 May 2015 18:48:36 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Tony Arcieri <bascule@gmail.com>
Message-ID: <20150522154836.GA26595@LK-Perkele-VII>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <9A043F3CF02CD34C8E74AC1594475C73AB028273@uxcn10-tdc05.UoA.auckland.ac.nz> <20150521201444.GA3791@localhost> <CACsn0ck8gTCWqt+B7vOKQVzBrUkxW5YJgkDQ+9eJQrDFeTM8rA@mail.gmail.com> <CAHOTMVKi0e2qMUqndYAN0ZVpHXe5=ODQMrS6kRiFPBx_xqbFeA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAHOTMVKi0e2qMUqndYAN0ZVpHXe5=ODQMrS6kRiFPBx_xqbFeA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/3DEp6oSxTYwt88QlZM9KbtWlDpU>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 15:48:42 -0000

On Thu, May 21, 2015 at 07:17:48PM -0700, Tony Arcieri wrote:
> On Thu, May 21, 2015 at 3:49 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> > On the contrary, 3 would hurt unless properly designed. The danger is
> > that the same key could produce a valid signature under two different
> > algorithms, thus leading to potential exploitation.
> 
> 
> Something that strikes me as a bit strange is if we do hash the input prior
> to feeding it into #2, doesn't that defeat the point? Collisions in the
> first hash are still collisions. So wouldn't any collision in the hash
> function undo any collision-resistance that #2 provides? Am I missing
> something here?

Yeah, collisions in first hash cause signature collisions.
 
> How about option #5(?): provide both #1 + #2. Implementation-wise you could
> share the overwhelming majority of the code between both interfaces. The
> difference between them seems trivial enough that providing both should be
> easy. And to Watson's point, if we do it that way there shouldn't be any
> chance of confusing the two as they should produce completely distinct
> signatures.

Add input for hash domain (with special value for "identity"):
- This is not hashed.
- This is SHA-256 output
- This is SHA-384 output
- This is SHA-512 output
- This is Blake2b-512 output
...
?

That also prevents mismatching hashes between signer and verifier.

Also, I thought that was #3 (can choose between online and offline)?

> #2 seems very nice for the TLS use case, especially as we've seen
> collisions in older hash functions being used in real-world attacks against
> TLS (e.g. Flame). I'm not saying I expect to see collisions in SHA-256 any
> time soon, but I would hate to see #2 rendered unavailable because we can't
> otherwise meet the requirements of low-memory devices signing large amounts
> of data (FWIW, I think in most real-world use cases in those environments
> the data is always going to be hashed in advance, probably by another
> computer which actually has the memory to compute the hash)

The only signature in TLS (including TLS 1.3 as of editor's copy) that is
actually over nontrival amount of data is TLS 1.0-1.2 Client certificate
verify.

And if the PRF-hash in TLS is not CR, one gets problems...


-Ilari

v2.23.0 | Report a Bug | By Email