IETF Logo Mail Archive

Re: [Cfrg] Internal collisions

"D. J. Bernstein" <djb@cr.yp.to> Fri, 31 July 2015 16:36 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE8E31B2E3D for <cfrg@ietfa.amsl.com>; Fri, 31 Jul 2015 09:36:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.496
X-Spam-Level: ***
X-Spam-Status: No, score=3.496 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_NONE=-0.0001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zM5qofud_xjV for <cfrg@ietfa.amsl.com>; Fri, 31 Jul 2015 09:36:45 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id 0F3BD1B2E46 for <cfrg@irtf.org>; Fri, 31 Jul 2015 09:36:44 -0700 (PDT)
Received: (qmail 5170 invoked by uid 1017); 31 Jul 2015 16:37:04 -0000
Received: from unknown (unknown) by unknown with QMTP; 31 Jul 2015 16:37:04 -0000
Received: (qmail 21018 invoked by uid 1000); 31 Jul 2015 16:36:36 -0000
Date: Fri, 31 Jul 2015 16:36:36 -0000
Message-ID: <20150731163636.21016.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <D1DFC4DD.512B0%kenny.paterson@rhul.ac.uk> <810C31990B57ED40B2062BA10D43FBF5E1B4F4@XMB116CNC.rim.net> <20150727180148.GA20149@LK-Perkele-VII> <55B66F2E.8070105@sbcglobal.net> <810C31990B57ED40B2062BA10D43FBF5E1B345@XMB116CNC.rim.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/6lQK9x_wCaqoIxyPYbjxBY0Mk_E>
Subject: Re: [Cfrg] Internal collisions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2015 16:36:47 -0000

David Jacobson writes:
> Why can't we just bless making M be the hash of the
> message and use some otherwise non-IUF signature schemes?

As Ilari mentioned, that's how three of the proposals are structured.
However, using a prehash in this way isn't satisfactory for people who
are concerned about the possibility of hash-function collisions; that's
why the same three proposals also offer collision-resilient options
where the prehashing is skipped.

Signing long messages always has one of the following bottlenecks,
depending on which proposal we're talking about:

   * H(M).
   * H(seed,M) and in parallel H(M,R).
   * H(seed,M) followed by H(R,M).

Speed evaluation:

   * H(M): Obviously best.

   * H(seed,M) and in parallel H(M,R): Two hash calls per block. Also a
     data-flow constraint, namely knowing the seed in advance.

   * H(seed,M) followed by H(R,M): Two hash calls per block. Also
     data-flow constraints, namely knowing the seed in advance and
     reading twice through the message---so a stateless deterministic
     IUF interface requires a variable-length buffer or a limited
     message length. (Ilari's proposal has an easily fixable bug here,
     reading three times through the message, as I mentioned briefly at
     the CFRG meeting.)

Security evaluation:

   * H(seed,M) followed by H(R,M): Collision-resilient. Serious defense
     against the possibility of collisions in H.

   * H(seed,M) and in parallel H(M,R): _Not_ collision-resilient;
     resilient only to external collisions, not internal collisions.
     This is not much safer than simply using H(M).

   * H(M): Not collision-resilient.

What three proposals actually do is take the "H(seed,M) followed by
H(R,M)" approach for maximum security, optionally wrapped in the H(M)
prehashing approach for people who need maximum performance and aren't
worried about collisions. The other two proposals focus on the middle
option, which I see as an unhappy combination of close-to-worst speed
and close-to-worst security.

Dan Brown writes:
> If 2^256 is the best/expected number of steps for an internal
> collision on 256-bit wide pipe hash

Do 24 rounds of SHA-512 provide 2^128 times more security than 24 rounds
of SHA-256? Does MD5 have security level 2^64? This metric isn't useful.

>From a risk-assessment perspective, there's no difference between
generic attacks taking time 2^128 and generic attacks taking 2^256;
they're simply not going to happen. What matters are the _non-generic_
attacks, and those produce internal collisions by the same techniques as
external collisions.

> Quantitatively, if H proves to be weaker than expected, then replace
> the 2^256 steps above by 2^(256-w) steps for some relative weakness
> measure w.

I explained earlier that existing feasible collision attacks against 24
rounds of SHA-512 are IV-independent, so they break 24 rounds of, e.g.,
SHA-384(M,R). They don't break 24 rounds of SHA-512(R,M).

You're now suggesting that downgrading the competition from SHA-512(R,M)
to SHA-256(R,M) will produce a comparable level of "weakness". But if
this is true then where's the attack against 24 rounds of SHA-256(R,M)?

---Dan

v2.23.0 | Report a Bug | By Email