IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

"Jim Schaad" <ietf@augustcellars.com> Thu, 21 May 2015 04:44 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 138F71AD06A for <cfrg@ietfa.amsl.com>; Wed, 20 May 2015 21:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lwmuMpnOYMfo for <cfrg@ietfa.amsl.com>; Wed, 20 May 2015 21:44:47 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 318F61A92E3 for <cfrg@irtf.org>; Wed, 20 May 2015 21:44:47 -0700 (PDT)
Received: from HoldOver (c-24-21-96-37.hsd1.or.comcast.net [24.21.96.37]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 1EBF62C9B5; Wed, 20 May 2015 21:44:45 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Alexey Melnikov' <alexey.melnikov@isode.com>, cfrg@irtf.org
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
In-Reply-To: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
Date: Wed, 20 May 2015 21:44:54 -0700
Message-ID: <007e01d09380$e2a140a0$a7e3c1e0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQGL38j/U+tlIZC9dpxp80B2uN8WS54PQaHQ
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/97SUsRyVjM59w6uB4x6MbggOnBs>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 04:44:49 -0000


> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Alexey Melnikov
> Sent: Wednesday, May 20, 2015 2:16 PM
> To: cfrg@irtf.org
> Subject: [Cfrg] Elliptic Curves - signature scheme: friendliness to low
memory
> implementations (ends on June 3rd)
> 
> Signature schemes have, traditionally, hashed the message to be signed to
a
> representative value and then actually signed that value. This has led to
APIs
> that follow the Init, Update*, Final (IUF) pattern that allows for
fragmented or
> very large messages to be signed with constant memory usage.
> 
> Alternatively, some signature schemes hash the message to be signed twice,
> where a prefix of the second hash depends on the result of the first.
> Ed25519 is an example of a scheme of this type. This typically allows the
> signature scheme to require fewer assumptions about the strength of the
hash
> function that is employed. However, this approach implies that the signing
> algorithm would have to buffer the entire message. That could lead to
> unacceptable memory usage for applications that sign very large messages.
> 
> Penalising large messages might be seen as a positive by some because
signing
> arbitrarily large messages invites implementations to process
unauthenticated
> data because of its potential size. Also, designs that really wish to do
this can
> always define that the message to be signed is actually a hash of the
data. In
> doing so they would reintroduce the requirement that the hash function be
> collision resistant, but can implement an IUF API in constant space again.
> 
> On the other hand, if we wish a signature primitive to be easy to
substitute into
> existing protocols then supporting a constant-space IUF API might be seen
as a
> requirement.
> 
> Chairs wish to poll the group on the following topic (please pick one):
> 
> #1: The signature scheme should follow the traditional model of hashing
the
> message to be signed, thus trivially supporting IUF APIs in
constant-space, at
> the cost of requiring collision resistant hash functions.
> 
> #2: The signature scheme should not depend on collision resistance, at the
cost
> of the signing algorithm having to buffer messages to be signed.
> 
> #3: option #2, but with an additional "large message" mode defined for
> protocols that feel that they need it, where the message to be signed is
actually
> a hash of the true message.

#1 is fine as is #2.

I have no problems with being unfriendly to low memory implementations that
think they want to deal with large messages.  For a signing device, it can
be dealt with by sending the message through it twice and having it compute
both hashes the second time to make sure the same message is given.

Jim

> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email