Re: [Cfrg] testability of signature input/output parameters

Nico Williams <nico@cryptonector.com> Thu, 04 June 2015 20:02 UTC

Date: Thu, 04 Jun 2015 15:02:45 -0500
From: Nico Williams <nico@cryptonector.com>
To: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <20150604200244.GP18760@localhost>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <556F8811.2070101@cs.tcd.ie> <20150604065658.GA14531@LK-Perkele-VII> <55705C19.4040600@gmail.com> <20150604183631.GL18760@localhost> <5570A53D.7020207@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5570A53D.7020207@gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/4OqlC1ua0UtX52QAWsRdSJz_Rgo>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] testability of signature input/output parameters

On Thu, Jun 04, 2015 at 03:21:33PM -0400, Rene Struik wrote:
> I think one lesson one can draw from "piecemeal polls" is that it
> might make it harder to consider system-wide trade-offs.

This sub-poll became clearly necessary after the poll as to determinism
started, since that's when the online vs. CR matter came up.  Even if
the chairs had foreseen that outcome and produced a more complete single
poll, the overall outcome would probably still have been that we want a
deterministic signature scheme because the alternative hasn't worked out
well in practice and it's easy to see how it is very difficult to make
it work out well in practice.  And once all these polls are done I
suppose the chairs could well ask to confirm the overall outcome, but
there's nothing wrong with organic discovery of consensus.

Incidentally, Watson L. pointed out earlier in this poll that maybe we
can't get a deterministic, online, and CR (independent of the hash
function) signature scheme.  Nothing has changed since then on that
front.

The trade-offs come out the same for me: deterministic is the first
priority, so we're down to choosing between online and CR.

Since one can always make an online and not-CR scheme out of an offline
scheme, that's clearly what we should do, and everyone can be pleased.
(There's an extra hashing step in this case, but if bulk data is the
source of the online requirement, then the extra hash step is a
performance non-issue.)

For me the only question left is whether we should specify an online
scheme tightly integrated with the off-line scheme #3.  At first I was
in favor of this, now I'm in favor of #2 alone.  Online by generic
construction will do.  But I'm not opposed to #3 either.  I'm just
opposed to #1 on account of the past failures we have seen with online
signature schemes: the hash functions we've used have had a bad history
on the CR front, and we don't really have the confidence we need on the
current batch of hash functions.

Perhaps *after* a decade of SHA-3 cryptanalysis research we'll find that
SHA-3 is good enough for an online signature scheme and then we might be
sad about the choice to have an offline scheme back in 2015, but that
sadness will not be due to the scheme becoming insecure as a result, but
just that we could have been less paranoid.  I can live with that.

Nico
--
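The generic construction the message above relies on (make an online scheme out of an offline one by signing H(message), at the cost of one extra hash pass and a dependence on the collision resistance of H) as an added, runnable illustration that is not part of the original post. The "offline" scheme here is a constructed stand-in built from keyed SHA-512: it mimics the two-pass shape of Ed25519-style signing (a nonce derived from the whole message, then the message bound to that nonce), so it cannot be streamed, but it is a symmetric construction, not a real signature. The key, chunk sizes and sample message are also constructed.

```python
import hashlib
import hmac

# Constructed sample key; a stand-in, not a real signing key.
KEY = b"constructed-demo-key-not-a-real-signing-key"


def offline_sign(key: bytes, message: bytes) -> bytes:
    """Deterministic 'offline' stand-in that needs two passes over the message.

    Pass 1 derives a per-message nonce r from (key, message); pass 2 binds
    r to the message. Pass 2 cannot start until pass 1 has seen the last
    byte, so the caller must hold the whole message: an offline scheme.
    Keyed SHA-512 stands in for the group arithmetic of a real scheme.
    """
    r = hmac.new(key, b"nonce" + message, hashlib.sha512).digest()[:32]
    s = hmac.new(key, r + message, hashlib.sha512).digest()[:32]
    return r + s


def offline_verify(key: bytes, message: bytes, sig: bytes) -> bool:
    # The stand-in is symmetric, so verification is recomputation.
    return hmac.compare_digest(offline_sign(key, message), sig)


class OnlineSigner:
    """Generic online construction: feed chunks to H, then sign H(message).

    Only the fixed-size digest reaches the offline scheme, so the message
    never has to be held in memory. Two messages with the same digest get
    the same signature, which is why this variant inherits H's collision
    resistance requirement while the offline scheme does not.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._h = hashlib.sha512()  # the one extra hash pass

    def update(self, chunk: bytes) -> None:
        self._h.update(chunk)

    def finalize(self) -> bytes:
        return offline_sign(self._key, self._h.digest())


def online_verify(key: bytes, message: bytes, sig: bytes) -> bool:
    return offline_verify(key, hashlib.sha512(message).digest(), sig)


def sign_streamed(key: bytes, chunks) -> bytes:
    """Sign a message delivered as an iterable of chunks (bulk-data case)."""
    signer = OnlineSigner(key)
    for chunk in chunks:
        signer.update(chunk)
    return signer.finalize()


if __name__ == "__main__":
    msg = b"bulk data " * 1000  # constructed sample message
    chunks = [msg[i:i + 333] for i in range(0, len(msg), 333)]
    sig = sign_streamed(KEY, chunks)
    print("online signature verifies:", online_verify(KEY, msg, sig))
    print("same result regardless of chunking:",
          sig == sign_streamed(KEY, [msg]))
```

The streamed and single-shot signatures are identical because the offline scheme only ever sees the digest; the offline scheme applied directly to the message differs, since it binds the raw bytes rather than H(message).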