Re: [Cfrg] Internal collisions

David Jacobson <dmjacobson@sbcglobal.net> Mon, 27 July 2015 17:49 UTC

To: Dan Brown <dbrown@certicom.com>, "'djb@cr.yp.to'" <djb@cr.yp.to>, "'cfrg@irtf.org'" <cfrg@irtf.org>
References: <20150726194306.14873.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5E1B345@XMB116CNC.rim.net>
From: David Jacobson <dmjacobson@sbcglobal.net>
Message-ID: <55B66F2E.8070105@sbcglobal.net>
Date: Mon, 27 Jul 2015 10:49:34 -0700
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5E1B345@XMB116CNC.rim.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/TqYhzuPzk1a00mHHNBTCTcqUxng>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

On 7/27/15 8:48 AM, Dan Brown wrote:
> Hi Dan,
>
> [ snip ]
> Unfortunately, prefixing means non-IUF.
>
>
[ snip ]

Why all this worry about IUF?  Industry is going to demand IUF so we 
have to provide it somehow.  Why can't we just bless making M be the 
hash of the message and use some otherwise non-IUF signature schemes?  I 
suspect that if we do that we need some way to prevent cross scheme 
forgeries.  Maybe we could have ASN.1 OIDs for the scheme and the names 
could be something like FOO and FOO_WITH_SHA512_PREHASH, etc and we 
could work the ASN.1 OID into the algorithm.  If we are worried about 
length extension attacks on the prehash, we could let M = 
length(message) || prehash(message).

This would get this issue of compatibility with IUF out of the debate 
about the security of the various proposals.

    --David Jacobson
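The construction sketched in the message above, written out as an added example (not code from the thread, nor from any scheme under discussion there): a pure mode FOO whose M is the whole message, and a prehash mode FOO_WITH_SHA512_PREHASH whose M is len(message) || SHA-512(message), with each mode's DER-encoded OID prefixed to M so a signature issued in one mode cannot be presented under the other. Everything named here is assumed for the example: the two OIDs are invented placeholders, and HMAC-SHA-512 under a shared key stands in for the non-IUF scheme FOO, since the point is how M is framed rather than which primitive signs it. The last function shows the cross-scheme forgery the message worries about succeeding when the OID prefix is omitted and failing when it is present.

```python
"""Domain-separated prehash mode for a non-IUF signature scheme (added example).

Assumptions: OIDs below are invented placeholders; HMAC-SHA-512 under a shared
key is a stand-in for the non-IUF scheme FOO, not a real signature.
"""
import hashlib
import hmac
import struct

OID_FOO = "1.3.6.1.4.1.99999.1"                      # hypothetical: pure mode
OID_FOO_WITH_SHA512_PREHASH = "1.3.6.1.4.1.99999.2"  # hypothetical: prehash mode


def der_oid(oid: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length).

    A DER TLV is self-delimiting, so distinct OIDs are never prefixes of one
    another; prefixing M with the mode's OID makes the two framings prefix-free.
    """
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]                      # base-128 groups, low first
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))     # continuation bit on higher groups
            arc >>= 7
        body.extend(reversed(groups))
    if len(body) >= 128:
        raise ValueError("long-form length not needed for these OIDs")
    return b"\x06" + bytes([len(body)]) + bytes(body)


def frame_pure(message: bytes) -> bytes:
    """M for FOO: OID || message. FOO must see all of M at once (non-IUF)."""
    return der_oid(OID_FOO) + message


def frame_prehash(length: int, digest: bytes) -> bytes:
    """M for FOO_WITH_SHA512_PREHASH: OID || len(message) || SHA-512(message).

    Binding the original length means a length-extended message is framed
    with a different length field, so its M can never equal this M.
    """
    return der_oid(OID_FOO_WITH_SHA512_PREHASH) + struct.pack(">Q", length) + digest


def foo_sign(key: bytes, m: bytes) -> bytes:
    """Stand-in for FOO: HMAC-SHA-512 over all of M (a MAC, not a signature)."""
    return hmac.new(key, m, hashlib.sha512).digest()


def foo_verify(key: bytes, m: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(foo_sign(key, m), sig)


class PrehashSigner:
    """IUF front end: update() streams into SHA-512; finalize() hands FOO a
    fixed-size M, so the signer never needs the whole message at once."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._hash = hashlib.sha512()
        self._length = 0

    def update(self, chunk: bytes) -> None:
        self._hash.update(chunk)
        self._length += len(chunk)

    def finalize(self) -> bytes:
        return foo_sign(self._key, frame_prehash(self._length, self._hash.digest()))


def verify_prehash(key: bytes, message: bytes, sig: bytes) -> bool:
    return foo_verify(key, frame_prehash(len(message), hashlib.sha512(message).digest()), sig)


def verify_pure(key: bytes, message: bytes, sig: bytes) -> bool:
    return foo_verify(key, frame_pure(message), sig)


def cross_scheme_forgery_accepted(domain_separated: bool) -> bool:
    """Get a prehash-mode signature, then present the exact bytes FOO signed as a
    pure-mode message. Without the OID prefix the pure verifier accepts it."""
    key = b"\x01" * 32                           # constructed demo key
    message = b"constructed demo message"        # constructed demo input
    digest = hashlib.sha512(message).digest()
    if domain_separated:
        signed_m = frame_prehash(len(message), digest)
        pure_frame = frame_pure
    else:
        signed_m = struct.pack(">Q", len(message)) + digest  # len || prehash, no OID
        pure_frame = lambda msg: msg                          # naive pure mode: M = message
    sig = foo_sign(key, signed_m)                # legitimately issued prehash-mode signature
    return foo_verify(key, pure_frame(signed_m), sig)


if __name__ == "__main__":
    key = b"\x01" * 32
    signer = PrehashSigner(key)
    for chunk in (b"constructed ", b"demo ", b"message"):
        signer.update(chunk)
    sig = signer.finalize()
    print("prehash verify:", verify_prehash(key, b"constructed demo message", sig))
    print("forgery accepted without OID:", cross_scheme_forgery_accepted(False))
    print("forgery accepted with OID:", cross_scheme_forgery_accepted(True))
```

The verifier must choose the framing from the algorithm identifier declared alongside the signature (the OID in an AlgorithmIdentifier, or whatever the protocol carries), never from the signature bytes themselves; otherwise the OID prefix is only as strong as the verifier's willingness to try both modes.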