Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
Dan Brown <dbrown@certicom.com> Fri, 22 May 2015 14:20 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D62321A00B1 for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 07:20:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3s68xNhKrVE for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 07:20:29 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id DD86F1A0381 for <cfrg@irtf.org>; Fri, 22 May 2015 07:20:28 -0700 (PDT)
Received: from smtp-pop.rim.net (HELO XCT104CNC.rim.net) ([10.65.161.204]) by mhs213cnc.rim.net with ESMTP/TLS/AES128-SHA; 22 May 2015 10:20:24 -0400
Received: from XCT114CNC.rim.net (10.65.161.214) by XCT104CNC.rim.net (10.65.161.204) with Microsoft SMTP Server (TLS) id 14.3.210.2; Fri, 22 May 2015 10:20:23 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT114CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Fri, 22 May 2015 10:20:22 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'djb@cr.yp.to'" <djb@cr.yp.to>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
Thread-Index: AQHQk0IrT8E0rjGGQEe03AKdACH5GJ2GnkSAgACD1ICAACs/AIAAsvGA///9GrA=
Date: Fri, 22 May 2015 14:20:21 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5DDF705@XMB116CNC.rim.net>
References: <CACsn0ck8gTCWqt+B7vOKQVzBrUkxW5YJgkDQ+9eJQrDFeTM8rA@mail.gmail.com> <20150522092959.4599.qmail@cr.yp.to>
In-Reply-To: <20150522092959.4599.qmail@cr.yp.to>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0000_01D09478.E8913080"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/78mnHM7EfzGQqzS_MWoFbomwaB4>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 14:20:34 -0000
> -----Original Message----- > From: D. J. Bernstein > > Watson Ladd writes: > > It seems as though determinism, one pass schemes, and avoiding > > collision resistance are at odds, unfortunately > > Probably one can split a message into > > * packet p0 plus a signature s0 of ("start",p0); > * packet p1 plus a signature s1 of ("middle",s0,p1); > * packet p2 plus a signature s2 of ("middle",s1,p2); > * ...; > * last packet pn plus a signature of ("end",previous s,pn). > That's quite interesting! --- I interpreted the chairs' #3 proposal to be something like this: final_signature(m) = "0"|raw_signature("1pass", hash(message)) or "1"|raw-signature("2pass", message) The initial bit can be conveyed within the signature, or in the signer's certificate if the signer is going to stick to one mode. --- The goal of avoiding collision resistance seems worthwhile: at least, it does when I think of MD5. To reduce the reliance on collision-resistance in the 1pass case, the signer can serialize the message, which we can codify, as in the example below. --- During initialization of the signature, the signer selects an unpredictable value, such as serializer=PRF(serializer_key, time | counter) The signer prepends serializer to the message, and then proceeds to sign as usual. The signer either makes sure that every message it signs is serialized, or else embeds an initial bit indicator prefix into the message to distinguish between serialized and non-serialized signatures. The verifier treats the serializer as part of the message, and does nothing differently, except ignore the serializer. The message suffers from some expansion, but the signature does not. The signature is still a deterministic function of the serialized message: the signer has not touched any secret in the log space of the discrete group, so we needn't worry about the usual repeated-ephemerals or leak-and-lattice attacks, etc. If the signer fails to implement the message serialization correctly, then collision resistance is again needed, but not much else goes wrong. --- Message serialization should not be confused with the signature's internal ephemeral key/per-message secret/secret nonce, hence I've used a different term.
- [Cfrg] Elliptic Curves - signature scheme: friend… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Jim Schaad
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Peter Gutmann
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Laurens Van Houtven
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… David Leon Gil
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tom Yu
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] square roots Rene Struik
- [Cfrg] testability of signature input/output para… Rene Struik
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] square roots David Jacobson
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Taylor R Campbell
- Re: [Cfrg] square roots Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Derek Atkins
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Mike Hamburg
- Re: [Cfrg] testability of signature input/output … Yoav Nir
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Watson Ladd
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Nico Williams
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Björn Edström
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paul Hoffman
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Dan Brown
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Stephen Farrell