Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

David Jacobson <dmjacobson@sbcglobal.net> Sun, 03 May 2015 21:00 UTC

Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB8A51A88D7 for <cfrg@ietfa.amsl.com>; Sun, 3 May 2015 14:00:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H5w0mCUHj6F5 for <cfrg@ietfa.amsl.com>; Sun, 3 May 2015 14:00:32 -0700 (PDT)
Received: from nm10-vm3.access.bullet.mail.gq1.yahoo.com (nm10-vm3.access.bullet.mail.gq1.yahoo.com [216.39.63.68]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 490261A88D5 for <cfrg@irtf.org>; Sun, 3 May 2015 14:00:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s2048; t=1430686831; bh=fczDVzD0pYVak7Ncu7WertbvRPhse8cwS8LK6hVdWnM=; h=Date:From:To:CC:Subject:References:In-Reply-To:From:Subject; b=lTnIs3ONU2//X85GhTqTIXN1rtq6IFRNPfWNXB3+dqrFpipemoyAJ6FcAWbWyNeE3Z3EfhIXfvkpB3XaCQ8A0W+sUW6NEXVPZOomrHEvpVJ0CktrTxYlVeioR6PUraI7qTNTJVruIi9b60SFYBciE+y7+w3TZGtzXFgAVAvqPK/G63F0qPhPowmrenl8fKLeuzd7Yf3TtcvJxQiJJTrkGzztxtP6NEQKOqPaakfB7drZMw4jUFQrKUSFQezNnmZPV/ZU1fQToswFukJ0kXm9JSqpyjc6yZddOm97P5020weC0thvL9pA4QrWBeIkRW1UPNR2T8pAq7bgGV4IaVbRUA==
Received: from [216.39.60.167] by nm10.access.bullet.mail.gq1.yahoo.com with NNFMP; 03 May 2015 21:00:31 -0000
Received: from [67.195.22.113] by tm3.access.bullet.mail.gq1.yahoo.com with NNFMP; 03 May 2015 21:00:31 -0000
Received: from [127.0.0.1] by smtp115.sbc.mail.gq1.yahoo.com with NNFMP; 03 May 2015 21:00:31 -0000
X-Yahoo-Newman-Id: 846901.9982.bm@smtp115.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: TnRo3WcVM1m5xTj0pilpsEFwxxOmraGpTh2QwnERmAq9zrT lyseXinmSo6UIWkh2HfxwikIOv5sA5U2cubKIykfNjJspk5qyHebZ_nEAXQM VTzO3x.nnjL4Trw0AVjS25BnCKy4GUyk.WoCarLUvcWEp8hUI_AS0jmHm31v MO3BsMfK2x81vloOcEOzyTYeeDMI7oxgjqz67Cx23z.flU6yZUzMMlK6S71f _WhYWvo.NjW0bLGiQ4p5d7beLWfsGnEvPRm21VqVOLMgFyNwgc2JvTSjwDff vUKc1WV2vltSRLUYXHkTUbCLpbUHFaJjGeLEHc17YV5HS0uXqRyZnsFEZpYZ r3wzB202CebACNRAOiOd4CBdC6XcEfbbIWATx0gowfykV77Jp_RhXaDwvFS1 ntAD7T_5Y5pjq1dvHHd.CXL3gng5q0E8MuboAh8eb6qwptl1TjPAWG7UcKLO 1W0A6z0VWd6xyQ46pILY.xcs4KFXbP9jKZeq1r6j0SmvGfNhJxIlR0sr2MJd Wtqu_jqQqPamBgOEqhs.YI19LXRgRuXqgB_gLSSz9YKTYRxvahjzRK2Lm
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
Message-ID: <55468C6E.6070101@sbcglobal.net>
Date: Sun, 03 May 2015 14:00:30 -0700
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Mihir Bellare <mihir@eng.ucsd.edu>
References: <5546032D.5070208@isode.com> <55464BB2.5040101@sbcglobal.net> <CACEhwkSdzb-g7Q7uBASp4QB3g_9AGM_nUuXVypdzxGUYypxDaQ@mail.gmail.com>
In-Reply-To: <CACEhwkSdzb-g7Q7uBASp4QB3g_9AGM_nUuXVypdzxGUYypxDaQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------030504070801050100080802"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/R4m6xzdIrS3zuu0niVH3GF4BCb8>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2015 21:00:34 -0000

On 5/3/15 9:50 AM, Mihir Bellare wrote:
>
>      If someone was foolish enough to do encrypt and sign, then there
>     would be a need to make identical plaintext not have identical
>     signatures.  If anyone feels that we need to accommodate this,
>     then it would be good to allow an optional random
>
>
> The usual goal is that one wants IND-CPA privacy. The attack one is
> trying to prevent here is loss of IND-CPA due to the ability to detect
> repeats, meaning an adversary knowing messages M1,M2 and their
> ciphertexts C1,C2 can test whether or not M1=M2. Signature
> randomization does not help prevent this, because signatures are
> verifiable given the public key and this can be used to detect repeats
> even with randomization. So this would not appear to be a good reason
> to keep randomization in the signature.
>
> Mihir

Mihir is right.

In addition, I have a suspicion based on information theory that if a 
signature allows randomization, the size of the signature will 
need to be larger.  Here is an intuitive argument.  Suppose that the 
size of the signature is 256 bits.  Somehow the message and the private 
key map somewhat uniformly onto those 256 bits.  For any given message 
and key, only one signature value is correct.  Now, if we add 256 bits of 
randomness, and then mix them in in the obvious way, for a fraction of 
about (1-1/e) of the signature space there is a value of the input 
randomness that could have generated it.  That means that the verifier 
can't reject most signature values.  To avoid this, we have to have a 
larger signature, so valid values (for a given message and key) are 
sparse.  Consider that ECDSA with P-256 has 512 bit signatures.

For this reason, I think allowing optional randomness as in proposal #4 
is not just not helpful, but forces larger signatures.  For many uses, 
small signatures are desirable.  So I retract my original support for 
#4.  Now I'm only supporting #2.

   --David Jacobson
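The counting argument in the message above can be checked numerically. The following is an added example, not code from the author or from the CFRG thread; it models "mix the key, message and randomness in the obvious way" as a random function (SHA-256 truncated to the signature width, a toy model rather than any real signature scheme), enumerates every value of the randomness for one fixed key and message, and measures what fraction of the signature space a verifier would then have to accept. The names `toy_sig`, `reachable_fraction` and `expected_fraction` are hypothetical. It goes slightly beyond the message: `expected_fraction` gives the general occupancy estimate 1 - exp(-R/S) for R randomness values thrown into S signature slots, of which the message's 1 - 1/e is the case R = S, and the second measurement shows how doubling the signature width makes the accepted set sparse again.

```python
import hashlib
from math import exp

# Toy model (assumption): the signature is a random function of key, message and
# randomness, truncated to sig_bits. This is NOT a real signature scheme; it only
# models the "uniform mixing" premise of the counting argument.
def toy_sig(key: bytes, msg: bytes, rnd: int, sig_bits: int) -> int:
    h = hashlib.sha256(key + b"|" + msg + b"|" + rnd.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big") & ((1 << sig_bits) - 1)

def reachable_fraction(sig_bits: int, rand_bits: int,
                       key: bytes = b"constructed-key",
                       msg: bytes = b"constructed-message") -> float:
    """Fraction of the 2**sig_bits signature values that some choice of the
    2**rand_bits randomness values produces for one fixed key and message.
    A verifier that only has the public key must accept every value in this
    set, so this is the fraction of the signature space it cannot reject."""
    seen = set()
    for r in range(1 << rand_bits):
        seen.add(toy_sig(key, msg, r, sig_bits))
    return len(seen) / (1 << sig_bits)

def expected_fraction(sig_bits: int, rand_bits: int) -> float:
    """Occupancy estimate for R = 2**rand_bits balls thrown uniformly into
    S = 2**sig_bits bins: the fraction of non-empty bins is about 1 - exp(-R/S).
    With R == S this is the 1 - 1/e figure quoted in the message."""
    return 1.0 - exp(-(2 ** rand_bits) / (2 ** sig_bits))

if __name__ == "__main__":
    # Case 1: randomness as wide as the signature (the 256+256 case, scaled
    # down to 14 bits so the enumeration is instant).
    f_equal = reachable_fraction(sig_bits=14, rand_bits=14)
    print(f"14-bit signature, 14-bit randomness: reachable {f_equal:.3f}, "
          f"expected {expected_fraction(14, 14):.3f}")

    # Case 2: signature twice as wide as the randomness (the ECDSA-style
    # 512-bit signature for a 256-bit curve, scaled down). At most 2**14 of
    # the 2**28 values can be valid, so the verifier rejects almost everything.
    f_double = reachable_fraction(sig_bits=28, rand_bits=14)
    print(f"28-bit signature, 14-bit randomness: reachable {f_double:.2e}, "
          f"upper bound {2 ** 14 / 2 ** 28:.2e}")
```

Run it as a script to see both measurements; with equal widths the reachable fraction lands within a percent or two of 1 - 1/e, while with the doubled width it is bounded by 2^14 / 2^28, i.e. the valid values become sparse exactly as the message argues.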