IETF Logo Mail Archive

Re: [Cfrg] Summary of the poll: Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Taylor R Campbell <campbell+cfrg@mumble.net> Fri, 19 June 2015 22:59 UTC

Return-Path: <campbell@mumble.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DE2A1A8780 for <cfrg@ietfa.amsl.com>; Fri, 19 Jun 2015 15:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PmBDg9t72HFe for <cfrg@ietfa.amsl.com>; Fri, 19 Jun 2015 15:59:58 -0700 (PDT)
Received: from jupiter.mumble.net (jupiter.mumble.net [74.50.56.165]) by ietfa.amsl.com (Postfix) with ESMTP id 470751B2BD9 for <cfrg@irtf.org>; Fri, 19 Jun 2015 15:58:56 -0700 (PDT)
Received: by jupiter.mumble.net (Postfix, from userid 1014) id 26A5060682; Fri, 19 Jun 2015 22:57:51 +0000 (UTC)
From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
In-reply-to: <D1AA03C5.1AD55%uri@ll.mit.edu>
Date: Fri, 19 Jun 2015 22:58:55 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
User-Agent: IMAIL/1.21; Edwin/3.116; MIT-Scheme/9.1.99
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20150619225751.26A5060682@jupiter.mumble.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/3xCWp2F68uEWRZrKfHjLSZBT9V4>
Cc: Adam Langley <agl@imperialviolet.org>, cfrg@irtf.org
Subject: Re: [Cfrg] Summary of the poll: Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2015 22:59:59 -0000

   Date: Fri, 19 Jun 2015 21:40:30 +0000
   From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>

   On 6/19/15, 17:32 , "Adam Langley" <agl@imperialviolet.org> wrote:

   >Ponder, for a second, a world in which CFRG specified two schemes:
   >Ed25519(m) and Ed25519(H(m))...

This is why I and others pointed out that you need to sign the choice
of H along with H(m) if you want to do this seriously:

Ed25519(`literal' || m)
Ed25519(`SHA3-512' || SHA3-512(m))
r || Ed25519(`BLAKE2S-PRF' || r || BLAKE2S-PRF_r(m))

   >I, the attacker, can register a domain name and get a certificate for
   >it. The CA happens to sign with Ed25519(H(m)), even though the
   >messages aren't very large. So, offline, I iterate over many domain
   >names and pick one where the hash of the certificate structure for
   >that name and my public-key looks like a valid CRL message. I need to
   >fix the first byte to be one, probably fix a few other length bytes,
   >and obviously my fake CRL has to be exactly the length of a hash, but
   >the work-factor is pretty plausible.

   Good point. But doesn't that imply the ability to create collisions in H()
   at will?

No, just the ability to find a message whose hash's first few bytes
are the same as the first few bytes of a valid CRL message.  If you
want to specify n bits exactly, it takes 2^n tries on average.

v2.23.0 | Report a Bug | By Email