IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Dan Brown <dbrown@certicom.com> Fri, 22 May 2015 14:20 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D62321A00B1 for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 07:20:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3s68xNhKrVE for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 07:20:29 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id DD86F1A0381 for <cfrg@irtf.org>; Fri, 22 May 2015 07:20:28 -0700 (PDT)
Received: from smtp-pop.rim.net (HELO XCT104CNC.rim.net) ([10.65.161.204]) by mhs213cnc.rim.net with ESMTP/TLS/AES128-SHA; 22 May 2015 10:20:24 -0400
Received: from XCT114CNC.rim.net (10.65.161.214) by XCT104CNC.rim.net (10.65.161.204) with Microsoft SMTP Server (TLS) id 14.3.210.2; Fri, 22 May 2015 10:20:23 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT114CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Fri, 22 May 2015 10:20:22 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'djb@cr.yp.to'" <djb@cr.yp.to>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
Thread-Index: AQHQk0IrT8E0rjGGQEe03AKdACH5GJ2GnkSAgACD1ICAACs/AIAAsvGA///9GrA=
Date: Fri, 22 May 2015 14:20:21 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5DDF705@XMB116CNC.rim.net>
References: <CACsn0ck8gTCWqt+B7vOKQVzBrUkxW5YJgkDQ+9eJQrDFeTM8rA@mail.gmail.com> <20150522092959.4599.qmail@cr.yp.to>
In-Reply-To: <20150522092959.4599.qmail@cr.yp.to>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0000_01D09478.E8913080"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/78mnHM7EfzGQqzS_MWoFbomwaB4>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 14:20:34 -0000


> -----Original Message-----
> From: D. J. Bernstein
> 
> Watson Ladd writes:
> > It seems as though determinism, one pass schemes, and avoiding
> > collision resistance are at odds, unfortunately
> 
> Probably one can split a message into
> 
>    * packet p0 plus a signature s0 of ("start",p0);
>    * packet p1 plus a signature s1 of ("middle",s0,p1);
>    * packet p2 plus a signature s2 of ("middle",s1,p2);
>    * ...;
>    * last packet pn plus a signature of ("end",previous s,pn).
> 

That's quite interesting!

---

I interpreted the chairs' #3 proposal to be something like this:

final_signature(m) 
= 
"0"|raw_signature("1pass", hash(message))
 or
"1"|raw-signature("2pass", message)
                    
The initial bit can be conveyed within the signature, or in the signer's
certificate if the signer is going to stick to one mode.

---

The goal of avoiding collision resistance seems worthwhile: at least, it
does when I think of MD5.

To reduce the reliance on collision-resistance in the 1pass case, the signer
can serialize the message, which we can codify, as in the example below.  

---

During initialization of the signature, the signer selects an unpredictable
value, such as

serializer=PRF(serializer_key, time | counter) 

The signer prepends serializer to the message, and then proceeds to sign as
usual.  

The signer either makes sure that every message it signs is serialized, or
else embeds an initial bit indicator prefix into the message to distinguish
between serialized and non-serialized signatures.

The verifier treats the serializer as part of the message, and does nothing
differently, except ignore the serializer.

The message suffers from some expansion, but the signature does not.  

The signature is still a deterministic function of the serialized message:
the signer has not touched any secret in the log space of the discrete
group, so we needn't worry about the usual repeated-ephemerals or
leak-and-lattice attacks, etc.

If the signer fails to implement the message serialization correctly, then
collision resistance is again needed, but not much else goes wrong.

---

Message serialization should not be confused with the signature's internal
ephemeral key/per-message secret/secret nonce, hence I've used a different
term.

v2.23.0 | Report a Bug | By Email