Re: [Cfrg] Internal collisions
"D. J. Bernstein" <djb@cr.yp.to> Sun, 02 August 2015 00:43 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A45051A8884 for <cfrg@ietfa.amsl.com>; Sat, 1 Aug 2015 17:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.896
X-Spam-Level: **
X-Spam-Status: No, score=2.896 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RCVD_IN_DNSWL_NONE=-0.0001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lCURVRXDy7yd for <cfrg@ietfa.amsl.com>; Sat, 1 Aug 2015 17:43:21 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id E7E5E1A8883 for <cfrg@irtf.org>; Sat, 1 Aug 2015 17:43:20 -0700 (PDT)
Received: (qmail 22161 invoked by uid 1017); 2 Aug 2015 00:43:40 -0000
Received: from unknown (unknown) by unknown with QMTP; 2 Aug 2015 00:43:40 -0000
Received: (qmail 9550 invoked by uid 1000); 2 Aug 2015 00:43:08 -0000
Date: Sun, 02 Aug 2015 00:43:08 -0000
Message-ID: <20150802004308.9548.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5E1DC43@XMB116CNC.rim.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/_By97ejQgZdgLTTfdOeX3JMJlgM>
Subject: Re: [Cfrg] Internal collisions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Aug 2015 00:43:22 -0000
Dan Brown writes: > For consistency, if CFRG views prefixed wide-pipe hashes as a serious > general-purpose PRF construct, thereby obviating the need for HMAC's > extension-resilience, then it is not much of stretch to say that a > wide-pipe hash obviates the need for H(R,M)'s collision-resilience. I have no idea why you call this "consistency"; it doesn't match what the cryptanalytic literature actually says about the security levels of these constructions. As a concrete example, 24 steps are broken in the SHA-384(M,R) construct that you're using. What matters here is that the attacker knows internal collisions. It is far more difficult to break 24 steps of SHA-384(R,M), or 24 steps of SHA-512(R,M). I explained in an earlier message why the randomization is a huge obstruction for state-of-the-art collision-finding techniques. For similar reasons, it is far more difficult to break 24 steps of reduced SHA-512(seed,M) as a PRF, never mind the fact that in this context the attacker doesn't have direct access to the output. > Is that what the reduced-round attacks are indicating: no > difference between SHA-512 and SHA-256? What about for SHA-3? SHA-256 and SHA-512 are broken for essentially the same number of steps, in essentially the same way. For SHA-3, the very different amounts of truncation in SHA3-256 and SHA3-512 produce a gap of 1 or 2 rounds (out of 24), depending on which attack strategy you look at. > Oops, in Watson Ladd's proposal: H(M,R) has no known feasible attacks, > but changing this to H(M) makes it forgeable Please retract this statement. I clearly specified the three possibilities here as the long-message bottlenecks in the existing proposals. The proposals that have H(M) as a bottleneck are of course using R in a subsequent (non-bottleneck) stage of the signing process. You are instead referring to the absurd idea of throwing R away. This is not what any of the proposals do, and bringing it up isn't helpful for the discussion. Also, please retract your false suggestion that the proposals vary in the applicability of Pointcheval--Stern. ---Dan
- [Cfrg] Internal collisions D. J. Bernstein
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions David Jacobson
- Re: [Cfrg] Internal collisions Ilari Liusvaara
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions Paterson, Kenny
- Re: [Cfrg] Internal collisions D. J. Bernstein
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions D. J. Bernstein
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions Bryan Ford
- Re: [Cfrg] Internal collisions D. J. Bernstein