Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 03 June 2015 23:04 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D814C1B304B for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2015 16:04:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cd2OgRMhCxxk for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2015 16:04:53 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C53961B303E for <cfrg@irtf.org>; Wed, 3 Jun 2015 16:04:52 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 8C802BF0B; Thu, 4 Jun 2015 00:04:51 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2mDdVNhtlxVX; Thu, 4 Jun 2015 00:04:49 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.31.250]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C8149BF08; Thu, 4 Jun 2015 00:04:49 +0100 (IST)
Message-ID: <556F8811.2070101@cs.tcd.ie>
Date: Thu, 04 Jun 2015 00:04:49 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
In-Reply-To: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/CisittTkgM1S6AvahNmWr-_-Tw8>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 23:04:55 -0000
I'd hate to miss one of Alexey's polls:-) I'm almost neutral on this one. While we have historically preferred #1 for the reason noted in the subject line, there are really very few cases where that turns out to be a real issue, as opposed to being a theoretical one. So I think we could probably live with #2, and that could suffice for TLS and DNSSEC and other applications, even though #2 would mean that users of the signature scheme (e.g. IETF protocol developers) may need to learn something new, which is a downside. While #3 seems superficially attractive, my guess is it'd cause more confusion and interop issues, and is of course offering a choice to users of the scheme and so I don't like that one:-) So put me down for (#2 or #1) for this one, with a very very tiny preference for #2 and documenting that one ought not use this for signing large things directly (which one probably ought not do in any case). But #1 would also be an acceptable outcome from my POV since we're in practice already dependent on the collision resistance of all the relevant hash functions and that won't ever really go away as long as there are RSA/SHA256 certificates out there which'll be the case for years and maybe decades to come. So the security benefit of #2 isn't so great, although it's real. If, later on, there is a real need for signing a large thing in a very memory constrained device, or for verifying such a signature in such a device, then we could always just define another set of codepoints and OIDs, etc. for that and treat it as just another signature scheme that happens to involve the same curve and hash function but used in a different manner. (And I would guess there'll be more work to do in this space, if not for that, then for a signature scheme with message recovery, probably for the just-forming cose wg would be my bet at the moment, but we'll see what we see.) Cheers, S. On 20/05/15 22:16, Alexey Melnikov wrote: > Signature schemes have, traditionally, hashed the message to be signed to > a representative value and then actually signed that value. This has led > to APIs that follow the Init, Update*, Final (IUF) pattern that allows for > fragmented or very large messages to be signed with constant memory usage. > > Alternatively, some signature schemes hash the message to be signed twice, > where a prefix of the second hash depends on the result of the first. > Ed25519 is an example of a scheme of this type. This typically allows the > signature scheme to require fewer assumptions about the strength of the > hash function that is employed. However, this approach implies that the signing > algorithm would have to buffer the entire message. That could lead to > unacceptable memory usage for applications that sign very large messages. > > Penalising large messages might be seen as a positive by some because > signing arbitrarily large messages invites implementations to process > unauthenticated data because of its potential size. Also, designs that > really wish to do this can always define that the message to be signed is > actually a hash of the data. In doing so they would reintroduce the > requirement that the hash function be collision resistant, but can > implement an IUF API in constant space again. > > On the other hand, if we wish a signature primitive to be easy to > substitute into existing protocols then supporting a constant-space IUF > API might be seen as a requirement. > > Chairs wish to poll the group on the following topic (please pick one): > > #1: The signature scheme should follow the traditional model of hashing > the message to be signed, thus trivially supporting IUF APIs in > constant-space, at the cost of requiring collision resistant hash > functions. > > #2: The signature scheme should not depend on collision resistance, at the > cost of the signing algorithm having to buffer messages to be signed. > > #3: option #2, but with an additional "large message" mode defined for > protocols that feel that they need it, where the message to be signed is > actually a hash of the true message. > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Elliptic Curves - signature scheme: friend… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Jim Schaad
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Peter Gutmann
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Laurens Van Houtven
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… David Leon Gil
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tom Yu
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] square roots Rene Struik
- [Cfrg] testability of signature input/output para… Rene Struik
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] square roots David Jacobson
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Taylor R Campbell
- Re: [Cfrg] square roots Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Derek Atkins
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Mike Hamburg
- Re: [Cfrg] testability of signature input/output … Yoav Nir
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Watson Ladd
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Nico Williams
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Björn Edström
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paul Hoffman
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Dan Brown
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Stephen Farrell