Re: [Cfrg] Internal collisions

Bryan Ford <brynosaurus@gmail.com> Tue, 04 August 2015 09:00 UTC

From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <20150731163636.21016.qmail@cr.yp.to>
Date: Tue, 04 Aug 2015 11:00:33 +0200
Message-Id: <835167F7-82CB-439F-98BC-CE5502DC830E@gmail.com>
References: <20150731163636.21016.qmail@cr.yp.to>
To: "D. J. Bernstein" <djb@cr.yp.to>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/KPoGhcri1Hs5_wjssQ1vh-sUpKw>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Internal collisions

Hi Dan,

> On Jul 31, 2015, at 6:36 PM, D. J. Bernstein <djb@cr.yp.to> wrote:
> 
> Security evaluation:
> 
>   * H(seed,M) followed by H(R,M): Collision-resilient. Serious defense
>     against the possibility of collisions in H.
> 
>   * H(seed,M) and in parallel H(M,R): _Not_ collision-resilient;
>     resilient only to external collisions, not internal collisions.
>     This is not much safer than simply using H(M).
> 
>   * H(M): Not collision-resilient.

I would like to hear your thoughts on how these security considerations change when H is not a traditional hash but a sponge-based hash, where the internal “pipe” state consists of both the ‘rate’ bits and the always-internal ‘capacity’ bits (say, chosen to be twice the security parameter).

In particular, I’d like to hear your thoughts on the security properties of my earlier ‘edshake’ proposal (see http://www.ietf.org/mail-archive/web/cfrg/current/msg07112.html).  It seems to have nice performance characteristics for both small and large messages, and intuitively seems to have nice internal collision-resistance properties due to the sponge design, but I’m not an expert on security analysis of symmetric ciphers.

Thanks
Bryan
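The distinction in the quoted evaluation (H(M,R) as a suffix construction is not collision-resilient, H(R,M) as a prefix construction is) and the rate/capacity point in the question above, as an added worked example in Python. This is constructed for this page; it is not code from this thread, from the Bernstein post being replied to, or from the edshake proposal. It builds a toy 24-bit Merkle-Damgård hash and a toy sponge (8-bit rate, 16-bit capacity) on the same small permutation so that collisions can be found by birthday search in a fraction of a second; the 6-byte messages, the signer's seed and the random suffix/prefix values are all constructed, and the signature scheme is reduced to its challenge hash with the nonce modelled as R = H(seed, M).

```python
"""Internal vs. external collisions, on toy hashes small enough to break.

Constructed demonstration, not code from the CFRG thread.  Both hashes use a
24-bit state so that birthday searches finish instantly; nothing here is a
real hash function.
"""
import random

MASK24 = 0xFFFFFF


def perm24(x: int) -> int:
    """Fixed 24-bit permutation: multiply-add, xorshift, rotate, six rounds."""
    for r in range(6):
        x = (x * 0x9E3779B1 + 0x5BD1E995 + r) & MASK24  # odd multiplier: bijective
        x ^= x >> 13                                    # xorshift: bijective
        x = ((x << 7) | (x >> 17)) & MASK24             # rotate left by 7
    return x


# --- Merkle-Damgard: 24-bit chaining value, 3-byte blocks -----------------
MD_IV = 0x123456


def md_absorb(data: bytes, h: int = MD_IV) -> int:
    """Chaining value after whole blocks only (no padding); len(data) % 3 == 0."""
    for i in range(0, len(data), 3):
        h = perm24(h ^ int.from_bytes(data[i:i + 3], "big")) ^ h  # Davies-Meyer
    return h


def md_hash(msg: bytes) -> bytes:
    """0x80, zero pad to a block boundary, 3-byte length block; 3-byte digest."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % 3)
    padded += (len(msg) & MASK24).to_bytes(3, "big")
    return md_absorb(padded).to_bytes(3, "big")


# --- Sponge: 8-bit rate, 16-bit capacity, same permutation ----------------
def sponge_absorb(data: bytes, s: int = 0) -> int:
    """Full (rate + capacity) 24-bit state after absorbing data byte by byte."""
    for b in data:
        s = perm24(s ^ b)  # the rate is the low byte of the state
    return s


def sponge_hash(msg: bytes) -> bytes:
    """pad10*1 is a single 0x81 byte for a 1-byte rate; squeeze 2 bytes."""
    s, out = sponge_absorb(msg + b"\x81"), bytearray()
    for _ in range(2):
        out.append(s & 0xFF)
        s = perm24(s)
    return bytes(out)


def _rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def find_md_internal_collision(seed: int = 1):
    """Birthday search: two distinct 6-byte messages with equal MD chaining
    value.  Same length + same chaining value is an internal collision: any
    common suffix (padding included) keeps them colliding."""
    rng, seen = random.Random(seed), {}
    while True:
        m = _rand_bytes(rng, 6)
        h = md_absorb(m)
        if h in seen and seen[h] != m:
            return seen[h], m
        seen[h] = m


def find_sponge_output_collision(seed: int = 1):
    """Birthday search on the 16-bit sponge output, rejecting the rare pairs
    whose whole 24-bit state also collides: an external collision only."""
    rng, seen = random.Random(seed), {}
    while True:
        m = _rand_bytes(rng, 6)
        d = sponge_hash(m)
        if d in seen and seen[d] != m and sponge_absorb(seen[d]) != sponge_absorb(m):
            return seen[d], m
        seen[d] = m


def suffix_survivals(hash_fn, m1, m2, trials=8, seed=7) -> int:
    """Count random 3-byte suffixes R with hash_fn(m1+R) == hash_fn(m2+R)."""
    rng = random.Random(seed)
    return sum(hash_fn(m1 + R) == hash_fn(m2 + R)
               for R in (_rand_bytes(rng, 3) for _ in range(trials)))


def prefix_survivals(hash_fn, m1, m2, trials=8, seed=7) -> int:
    """Count random 3-byte prefixes R with hash_fn(R+m1) == hash_fn(R+m2)."""
    rng = random.Random(seed)
    return sum(hash_fn(R + m1) == hash_fn(R + m2)
               for R in (_rand_bytes(rng, 3) for _ in range(trials)))


def challenge_transfer(m1: bytes, m2: bytes, seed_key: bytes = b"\x42" * 6) -> dict:
    """Does a signature on m1 verify for m2?  The scheme is reduced to its
    challenge hash: the signer derives R = H(seed, m1), a value the attacker
    did not know when committing to (m1, m2); the verifier recomputes the
    challenge from the message and R in one of the two orders."""
    R = md_hash(seed_key + m1)
    return {"parallel": md_hash(m1 + R) == md_hash(m2 + R),    # M then R
            "sequential": md_hash(R + m1) == md_hash(R + m2)}  # R then M


if __name__ == "__main__":
    a, b = find_md_internal_collision()
    print("MD internal collision", a.hex(), b.hex(), challenge_transfer(a, b))
    c, d = find_sponge_output_collision()
    print("sponge output collision survives suffix:", suffix_survivals(sponge_hash, c, d), "/ 8")
```

For the Merkle-Damgård toy, the precomputed same-length collision survives every suffix, so with the parallel H(M,R) challenge a signature obtained on one message verifies for the other; with the sequential H(R,M) challenge the unknown nonce lands before the colliding blocks and the collision does not carry over. For the sponge toy, a collision on the squeezed output is only an external collision: the capacity bits still differ, so the pair stops colliding as soon as anything is appended. Only a collision on the full rate+capacity state would behave like the Merkle-Damgård case, which is where the capacity size enters the argument.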