IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

David Leon Gil <coruus@gmail.com> Wed, 13 May 2015 23:53 UTC

Return-Path: <coruus@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B7AA1B3199 for <cfrg@ietfa.amsl.com>; Wed, 13 May 2015 16:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.1
X-Spam-Level: *
X-Spam-Status: No, score=1.1 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, J_CHICKENPOX_39=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KhIe9LyvQ4Fb for <cfrg@ietfa.amsl.com>; Wed, 13 May 2015 16:53:22 -0700 (PDT)
Received: from mail-ig0-x236.google.com (mail-ig0-x236.google.com [IPv6:2607:f8b0:4001:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93E461B3198 for <cfrg@irtf.org>; Wed, 13 May 2015 16:53:22 -0700 (PDT)
Received: by igbpi8 with SMTP id pi8so153628700igb.1 for <cfrg@irtf.org>; Wed, 13 May 2015 16:53:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=kb/9oFRW3TTBOqnYihovvh3S/zjMTjdsYOnG5TVUzyA=; b=dkiG+TNkwCa/pjULo16yaBgoR0T4LjYKV4o+QcDZGm1sxyjUz5fLyY5LtTD21RwqxK yyqtG79yyO8o+MUKiJCG+HMgjItqKvcATHGXN5ibsJZpHSUlZxg53rr4xfYLy4oDpxfV 2zvbWChCDDBJ8DI8LOxN3KyQvaoHYSPdN84AL0ktz9o2oUEnENU/hEPyPgiK48yDJrN3 Wu5BQ2ci6DyaRQdwH9G5eQRo/AO8DZ3Jx6frOTuoGh5O6ps1q3zp9IWPhew0muPBHIQS dner3sCsy7bywrl1FmycuqGBvQk6QXUZmqG0O1CE+AVRcge5vwdPu6sLk3nqdWf571D2 YnwA==
X-Received: by 10.50.62.148 with SMTP id y20mr31263140igr.17.1431561202007; Wed, 13 May 2015 16:53:22 -0700 (PDT)
MIME-Version: 1.0
References: <5546032D.5070208@isode.com> <55464BB2.5040101@sbcglobal.net> <CACEhwkSdzb-g7Q7uBASp4QB3g_9AGM_nUuXVypdzxGUYypxDaQ@mail.gmail.com> <55468C6E.6070101@sbcglobal.net>
In-Reply-To: <55468C6E.6070101@sbcglobal.net>
From: David Leon Gil <coruus@gmail.com>
Date: Wed, 13 May 2015 23:53:21 +0000
Message-ID: <CAA7UWsXJq+o9BV+0JaN41zD=ZemFb_g3J8An1hA1bLgUEEGaAQ@mail.gmail.com>
To: David Jacobson <dmjacobson@sbcglobal.net>, Mihir Bellare <mihir@eng.ucsd.edu>
Content-Type: multipart/alternative; boundary="047d7bdcab34eb88c80515ff5081"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/DSySG8k1b9f8kaEDLhPt94caW4U>
Cc: Payman Mohassel <pmohassel@yahoo-inc.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "garay@yahoo-inc.com" <garay@yahoo-inc.com>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 23:53:24 -0000

4, 2

--

I'm not sure I understand David's argument about 4. See Koblitz and
Meneze's rather dull recent paper for the details of how to do this:
http://eprint.iacr.org/2015/140

(And, indeed, OpenSSL and Go use similar constructions, both of which
predate the KM paper.)

--

Also, there is a need for encrypt-and-sign under some circumstances:
Suppose that (as for encrypted email in some cases) you want a mail server
to verify that mail is signed under an authorized public key, but not be
able to decrypt the mail.

In this case, it is easy to ensure unlinkability by an adversary who does
not know the public key by encrypting the message under the signature.
(Robert Ransom is credited for the observation that this should be
blindingly obvious in Bernstein's Elligator paper.)

In fact, one can achieve a slightly stronger goal with, e.g.:

h = hash(publickey || message || r)
p = hash(publickey || message)

sig' = (r || s) ^ p

where `hash` is an indifferentiable hash function with sufficient output
length, and `r` is the public nonce. (A slightly different construction is
needed for PRFs.)

In this case, an adversary must know *both* the public key and the message
to decrypt the signature.[*]

And the cost of achieving unlinkability is a single XOR.

--

Many thanks to Payman Mohassel and Juan Garay for very helpful
conversations on this and some related constructions.

Prior cites appreciated.

- David

[*] Note, however, that a construction like:

p = mac(publickey, hash(message))
h = mac(r, s)

does not achieve as strong as a goal. (This should be clear if you consider
the first construction as an AONT of the public key and message with the
signature.)
On Sun, May 3, 2015 at 2:00 PM David Jacobson <dmjacobson@sbcglobal.net>
wrote:

> On 5/3/15 9:50 AM, Mihir Bellare wrote:
>
>   If someone was foolish enough to do encrypt and sign, then there would
>> be a need to make identical plaintext not have identical signatures.  If
>> anyone feels that we need to accommodate this, then it would be good to
>> allow an optional random
>>
>
>  The usual goal is that one wants IND-CPA privacy. The attack one is
> trying to prevent here is loss of IND-CPA due to the ability to detect
> repeats, meaning an adversary knowing messages M1,M2 and their ciphertexts
> C2,C2 can test whether or not M1=M2. Signature randomization does not help
> prevent this, because signatures are verifiable given the public key and
> this can be used to detect repeats even with randomization. So this would
> not appear to be a good reason to keep randomization in the signature.
>
>  Mihir
>
>
>
>
>
> Mihir is right.
>
> In addition, I have a suspicion based on information theory that if a
> signature allows randomization, the size of size of the signature will need
> to be larger.  Here is an intuitive argument.  Suppose that the size of the
> signature is 256 bits.  Somehow the message and the private key map
> somewhat uniformly onto those 256 bits.  For any given message and key,
> only one signature value is correct.  Now, I we add 256 bits of randomness,
> and them mix in in the obvious way.  Now for a fraction of about (1-1/e) of
> the signature space, there is a value of the input randomness that could
> have generated it.  That means that the verifier can't reject most
> signature values.  To avoid this, we have to have a larger signature, so
> valid values (for a given message and key) are sparse.  Consider that ECDSA
> with P-256 has 512 bit signatures.
>
> For this reason, I think allowing optional randomness as in proposal #4 is
> not just not helpful, but forces larger signatures.  For many uses, small
> signature are desirable.  So I retract my original support for #4.  Now I'm
> only supporting #2.
>
>
>   --David Jacobson
>
>
>
>
>
>  _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email