Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

Michael Hamburg <mike@shiftleft.org> Sun, 03 May 2015 22:09 UTC

From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <55468C6E.6070101@sbcglobal.net>
Date: Sun, 03 May 2015 15:09:51 -0700
Message-Id: <B3B0DA6C-8C27-4A67-BE8D-AC010E5889B3@shiftleft.org>
References: <5546032D.5070208@isode.com> <55464BB2.5040101@sbcglobal.net> <CACEhwkSdzb-g7Q7uBASp4QB3g_9AGM_nUuXVypdzxGUYypxDaQ@mail.gmail.com> <55468C6E.6070101@sbcglobal.net>
To: David Jacobson <dmjacobson@sbcglobal.net>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/NQFEdgPhWtKkL4GJVCoi2j5aDTg>
Cc: Mihir Bellare <mihir@eng.ucsd.edu>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

> On May 3, 2015, at 2:00 PM, David Jacobson <dmjacobson@sbcglobal.net> wrote:
> 
> On 5/3/15 9:50 AM, Mihir Bellare wrote:
>>  If someone was foolish enough to do encrypt and sign, then there would be a need to make identical plaintext not have identical signatures.  If anyone feels that we need to accommodate this, then it would be good to allow an optional random
>> 
>> The usual goal is that one wants IND-CPA privacy. The attack one is trying to prevent here is loss of IND-CPA due to the ability to detect repeats, meaning an adversary knowing messages M1,M2 and their ciphertexts C1,C2 can test whether or not M1=M2. Signature randomization does not help prevent this, because signatures are verifiable given the public key and this can be used to detect repeats even with randomization. So this would not appear to be a good reason to keep randomization in the signature.
>> 
>> Mihir
>> 
> 
> Mihir is right.  
> 
> In addition, I have a suspicion based on information theory that if a signature allows randomization, the size of the signature will need to be larger.  Here is an intuitive argument.  Suppose that the size of the signature is 256 bits.  Somehow the message and the private key map somewhat uniformly onto those 256 bits.  For any given message and key, only one signature value is correct.  Now, if we add 256 bits of randomness, and then mix them in in the obvious way, for a fraction of about (1-1/e) of the signature space there is a value of the input randomness that could have generated it.  That means that the verifier can't reject most signature values.  To avoid this, we have to have a larger signature, so valid values (for a given message and key) are sparse.  Consider that ECDSA with P-256 has 512 bit signatures.
> 
> For this reason, I think allowing optional randomness as in proposal #4 is not just not helpful, but forces larger signatures.  For many uses, small signatures are desirable.  So I retract my original support for #4.  Now I'm only supporting #2.
> 
>   --David Jacobson

Do you actually have a 2*WF ECC signature scheme in mind?  The only ones I know of use pairings, and the 3*WF and 4*WF ones I know of are all randomized (but can and should be derandomized).

— Mike Hamburg
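The balls-in-bins intuition in David's quoted argument, as an added illustration that is not part of the thread or of any proposal under discussion: a toy "signer" (constructed here, not a real scheme) whose signature is a hash of key, message and `rand_bits` bits of randomness, truncated to a `sig_bits`-wide space, and the fraction of that space a verifier would then have to accept for one fixed (key, message). The `coverage_fraction` and `predicted_fraction` names and the sample key/message bytes are assumptions of this example.

```python
import hashlib
import math


def toy_signature(key: bytes, msg: bytes, r: int, sig_bits: int) -> int:
    """Constructed toy signer: mixes key, message and randomness r through
    SHA-256 and truncates to a sig_bits-wide signature space. This models
    the 'obvious mixing' as a random function; it is not a real scheme."""
    h = hashlib.sha256(key + msg + r.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") % (1 << sig_bits)


def coverage_fraction(sig_bits: int, rand_bits: int,
                      key: bytes = b"constructed key",
                      msg: bytes = b"constructed message") -> float:
    """Fraction of the 2^sig_bits signature space that some choice of the
    2^rand_bits randomness values maps this fixed (key, msg) onto. Every
    such value must be accepted by a verifier, so this is also the
    probability that a uniformly random guess at a signature verifies."""
    space = 1 << sig_bits
    reachable = {toy_signature(key, msg, r, sig_bits)
                 for r in range(1 << rand_bits)}
    return len(reachable) / space


def predicted_fraction(sig_bits: int, rand_bits: int) -> float:
    """Balls-in-bins estimate: 2^rand_bits balls thrown into 2^sig_bits bins
    leave a fraction exp(-ratio) of bins empty, so 1 - exp(-ratio) are
    reachable. With ratio 1 this is David's (1 - 1/e)."""
    return 1.0 - math.exp(-(2 ** rand_bits) / (2 ** sig_bits))


if __name__ == "__main__":
    # Deterministic signer: exactly one valid value per (key, message).
    print("deterministic:", coverage_fraction(14, 0))
    # Randomness as wide as the signature: ~63% of the space verifies.
    print("equal widths:", coverage_fraction(14, 14), predicted_fraction(14, 14))
    # Signature 8 bits wider than the randomness: valid values stay sparse.
    print("wider signature:", coverage_fraction(22, 14), predicted_fraction(22, 14))
```

With small parameters the simulation tracks the closed form closely; the point the argument makes is that the verifier's acceptance set grows with the randomness unless the signature is correspondingly wider.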