Re: [Cfrg] Internal collisions
"D. J. Bernstein" <djb@cr.yp.to> Fri, 31 July 2015 16:36 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE8E31B2E3D for <cfrg@ietfa.amsl.com>; Fri, 31 Jul 2015 09:36:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.496
X-Spam-Level: ***
X-Spam-Status: No, score=3.496 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_NONE=-0.0001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zM5qofud_xjV for <cfrg@ietfa.amsl.com>; Fri, 31 Jul 2015 09:36:45 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id 0F3BD1B2E46 for <cfrg@irtf.org>; Fri, 31 Jul 2015 09:36:44 -0700 (PDT)
Received: (qmail 5170 invoked by uid 1017); 31 Jul 2015 16:37:04 -0000
Received: from unknown (unknown) by unknown with QMTP; 31 Jul 2015 16:37:04 -0000
Received: (qmail 21018 invoked by uid 1000); 31 Jul 2015 16:36:36 -0000
Date: Fri, 31 Jul 2015 16:36:36 -0000
Message-ID: <20150731163636.21016.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <D1DFC4DD.512B0%kenny.paterson@rhul.ac.uk> <810C31990B57ED40B2062BA10D43FBF5E1B4F4@XMB116CNC.rim.net> <20150727180148.GA20149@LK-Perkele-VII> <55B66F2E.8070105@sbcglobal.net> <810C31990B57ED40B2062BA10D43FBF5E1B345@XMB116CNC.rim.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/6lQK9x_wCaqoIxyPYbjxBY0Mk_E>
Subject: Re: [Cfrg] Internal collisions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2015 16:36:47 -0000
David Jacobson writes: > Why can't we just bless making M be the hash of the > message and use some otherwise non-IUF signature schemes? As Ilari mentioned, that's how three of the proposals are structured. However, using a prehash in this way isn't satisfactory for people who are concerned about the possibility of hash-function collisions; that's why the same three proposals also offer collision-resilient options where the prehashing is skipped. Signing long messages always has one of the following bottlenecks, depending on which proposal we're talking about: * H(M). * H(seed,M) and in parallel H(M,R). * H(seed,M) followed by H(R,M). Speed evaluation: * H(M): Obviously best. * H(seed,M) and in parallel H(M,R): Two hash calls per block. Also a data-flow constraint, namely knowing the seed in advance. * H(seed,M) followed by H(R,M): Two hash calls per block. Also data-flow constraints, namely knowing the seed in advance and reading twice through the message---so a stateless deterministic IUF interface requires a variable-length buffer or a limited message length. (Ilari's proposal has an easily fixable bug here, reading three times through the message, as I mentioned briefly at the CFRG meeting.) Security evaluation: * H(seed,M) followed by H(R,M): Collision-resilient. Serious defense against the possibility of collisions in H. * H(seed,M) and in parallel H(M,R): _Not_ collision-resilient; resilient only to external collisions, not internal collisions. This is not much safer than simply using H(M). * H(M): Not collision-resilient. What three proposals actually do is take the "H(seed,M) followed by H(R,M)" approach for maximum security, optionally wrapped in the H(M) prehashing approach for people who need maximum performance and aren't worried about collisions. The other two proposals focus on the middle option, which I see as an unhappy combination of close-to-worst speed and close-to-worst security. Dan Brown writes: > If 2^256 is the best/expected number of steps for an internal > collision on 256-bit wide pipe hash Do 24 rounds of SHA-512 provide 2^128 times more security than 24 rounds of SHA-256? Does MD5 have security level 2^64? This metric isn't useful. >From a risk-assessment perspective, there's no difference between generic attacks taking time 2^128 and generic attacks taking 2^256; they're simply not going to happen. What matters are the _non-generic_ attacks, and those produce internal collisions by the same techniques as external collisions. > Quantitatively, if H proves to be weaker than expected, then replace > the 2^256 steps above by 2^(256-w) steps for some relative weakness > measure w. I explained earlier that existing feasible collision attacks against 24 rounds of SHA-512 are IV-independent, so they break 24 rounds of, e.g., SHA-384(M,R). They don't break 24 rounds of SHA-512(R,M). You're now suggesting that downgrading the competition from SHA-512(R,M) to SHA-256(R,M) will produce a comparable level of "weakness". But if this is true then where's the attack against 24 rounds of SHA-256(R,M)? ---Dan
- [Cfrg] Internal collisions D. J. Bernstein
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions David Jacobson
- Re: [Cfrg] Internal collisions Ilari Liusvaara
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions Paterson, Kenny
- Re: [Cfrg] Internal collisions D. J. Bernstein
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions D. J. Bernstein
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions Bryan Ford
- Re: [Cfrg] Internal collisions D. J. Bernstein