IETF Logo Mail Archive

Re: [Cfrg] Internal collisions

"D. J. Bernstein" <djb@cr.yp.to> Sun, 02 August 2015 00:43 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A45051A8884 for <cfrg@ietfa.amsl.com>; Sat, 1 Aug 2015 17:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.896
X-Spam-Level: **
X-Spam-Status: No, score=2.896 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RCVD_IN_DNSWL_NONE=-0.0001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lCURVRXDy7yd for <cfrg@ietfa.amsl.com>; Sat, 1 Aug 2015 17:43:21 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id E7E5E1A8883 for <cfrg@irtf.org>; Sat, 1 Aug 2015 17:43:20 -0700 (PDT)
Received: (qmail 22161 invoked by uid 1017); 2 Aug 2015 00:43:40 -0000
Received: from unknown (unknown) by unknown with QMTP; 2 Aug 2015 00:43:40 -0000
Received: (qmail 9550 invoked by uid 1000); 2 Aug 2015 00:43:08 -0000
Date: Sun, 02 Aug 2015 00:43:08 -0000
Message-ID: <20150802004308.9548.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5E1DC43@XMB116CNC.rim.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/_By97ejQgZdgLTTfdOeX3JMJlgM>
Subject: Re: [Cfrg] Internal collisions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Aug 2015 00:43:22 -0000

Dan Brown writes:
> For consistency, if CFRG views prefixed wide-pipe hashes as a serious
> general-purpose PRF construct, thereby obviating the need for HMAC's
> extension-resilience, then it is not much of stretch to say that a
> wide-pipe hash obviates the need for H(R,M)'s collision-resilience.

I have no idea why you call this "consistency"; it doesn't match what
the cryptanalytic literature actually says about the security levels of
these constructions.

As a concrete example, 24 steps are broken in the SHA-384(M,R) construct
that you're using. What matters here is that the attacker knows internal
collisions.

It is far more difficult to break 24 steps of SHA-384(R,M), or 24 steps
of SHA-512(R,M). I explained in an earlier message why the randomization
is a huge obstruction for state-of-the-art collision-finding techniques.

For similar reasons, it is far more difficult to break 24 steps of
reduced SHA-512(seed,M) as a PRF, never mind the fact that in this
context the attacker doesn't have direct access to the output.

> Is that what the reduced-round attacks are indicating: no
> difference between SHA-512 and SHA-256? What about for SHA-3?

SHA-256 and SHA-512 are broken for essentially the same number of steps,
in essentially the same way. For SHA-3, the very different amounts of
truncation in SHA3-256 and SHA3-512 produce a gap of 1 or 2 rounds (out
of 24), depending on which attack strategy you look at.

> Oops, in Watson Ladd's proposal: H(M,R) has no known feasible attacks,
> but changing this to H(M) makes it forgeable

Please retract this statement.

I clearly specified the three possibilities here as the long-message
bottlenecks in the existing proposals. The proposals that have H(M) as a
bottleneck are of course using R in a subsequent (non-bottleneck) stage
of the signing process.

You are instead referring to the absurd idea of throwing R away. This is
not what any of the proposals do, and bringing it up isn't helpful for
the discussion. Also, please retract your false suggestion that the
proposals vary in the applicability of Pointcheval--Stern.

---Dan

v2.23.0 | Report a Bug | By Email