IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Laurens Van Houtven <_@lvh.io> Thu, 21 May 2015 15:41 UTC

Return-Path: <_@lvh.cc>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DA211AD241 for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 08:41:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gH5XXWU19W0X for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 08:41:47 -0700 (PDT)
Received: from mail-pd0-f179.google.com (mail-pd0-f179.google.com [209.85.192.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BB961B29B1 for <cfrg@irtf.org>; Thu, 21 May 2015 08:41:34 -0700 (PDT)
Received: by pdbqa5 with SMTP id qa5so112149436pdb.0 for <cfrg@irtf.org>; Thu, 21 May 2015 08:41:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:sender:subject:mime-version:content-type:from :in-reply-to:date:cc:message-id:references:to; bh=dOsMNGxkbsxpQdrA0LByymFLMSue5lyAOlnD5z4x6QA=; b=It0zyoPafEGFirzGZ0QUqrK6kmCBnUCi8LckNdxv8l/hUAatp5yccsrx8nKchdCLsa AVcEkuFk/QrDK+hBE33n8lG4pVh/C9OXr7tJmYUwknBBseoJkCZgK9D5zOf68twlTHzG MazahAowsUS10mp0o5cdINgRN/wqeE+ZQQmyLUi5H6rWmpNkfazRmg8lP6LRWt4ltQtq 2YyXNUFeuaFouHgvqNepIosZw5Bbedgls/BFFHVtpJCiyk20NCFSlhtJJqVYeMV6UYqz tu0qAxgvKAObH/VK9s9EBKg58IGkXsNf4Eh+Yy2EWvtLqqSAfxZLhuAjX4NAmDmxUoVa 6Z0A==
X-Gm-Message-State: ALoCoQmLKWcVyXFea5XezLlIABGybXOSyw7uDBVA0PieEykAGwod9ododhcguEb0+NjdnVACL/95
X-Received: by 10.68.136.134 with SMTP id qa6mr6930056pbb.66.1432222893858; Thu, 21 May 2015 08:41:33 -0700 (PDT)
Received: from ?IPv6:2601:9:4681:20a6:710b:bf3:1d26:e0a0? ([2601:9:4681:20a6:710b:bf3:1d26:e0a0]) by mx.google.com with ESMTPSA id nb10sm19629606pdb.76.2015.05.21.08.41.32 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 21 May 2015 08:41:32 -0700 (PDT)
Sender: Laurens Van Houtven <_@lvh.cc>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: multipart/signed; boundary="Apple-Mail=_4513F21D-2100-40AB-9B62-EAF495898210"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5b6
From: Laurens Van Houtven <_@lvh.io>
In-Reply-To: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
Date: Thu, 21 May 2015 08:41:34 -0700
Message-Id: <761B50E2-036B-4517-B6DD-ABA671CC4C5F@lvh.io>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/T6Z8nb_bYkx5Eogk4vPL6pGCuoE>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 15:44:52 -0000

Picking 1: #1. In order of preference: #1, #3, #2.

#2, for reasons already elucidated, is a non-starter. A collision-resistance constraint is nowhere near as painful as a one-shot constraint. #3 solves that, but at the expense of additional complexity.

lvh


> On May 20, 2015, at 2:16 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
> 
> Signature schemes have, traditionally, hashed the message to be signed to
> a representative value and then actually signed that value. This has led
> to APIs that follow the Init, Update*, Final (IUF) pattern that allows for
> fragmented or very large messages to be signed with constant memory usage.
> 
> Alternatively, some signature schemes hash the message to be signed twice,
> where a prefix of the second hash depends on the result of the first.
> Ed25519 is an example of a scheme of this type. This typically allows the
> signature scheme to require fewer assumptions about the strength of the
> hash function that is employed. However, this approach implies that the signing
> algorithm would have to buffer the entire message. That could lead to
> unacceptable memory usage for applications that sign very large messages.
> 
> Penalising large messages might be seen as a positive by some because
> signing arbitrarily large messages invites implementations to process
> unauthenticated data because of its potential size. Also, designs that
> really wish to do this can always define that the message to be signed is
> actually a hash of the data. In doing so they would reintroduce the
> requirement that the hash function be collision resistant, but can
> implement an IUF API in constant space again.
> 
> On the other hand, if we wish a signature primitive to be easy to
> substitute into existing protocols then supporting a constant-space IUF
> API might be seen as a requirement.
> 
> Chairs wish to poll the group on the following topic (please pick one):
> 
> #1: The signature scheme should follow the traditional model of hashing
> the message to be signed, thus trivially supporting IUF APIs in
> constant-space, at the cost of requiring collision resistant hash
> functions.
> 
> #2: The signature scheme should not depend on collision resistance, at the
> cost of the signing algorithm having to buffer messages to be signed.
> 
> #3: option #2, but with an additional "large message" mode defined for
> protocols that feel that they need it, where the message to be signed is
> actually a hash of the true message.
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email