IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Tom Yu <tlyu@mit.edu> Wed, 03 June 2015 23:31 UTC

Return-Path: <tlyu@mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 161461A0120 for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2015 16:31:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zpmHeRrLbaY8 for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2015 16:31:17 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 545C31A00B8 for <cfrg@irtf.org>; Wed, 3 Jun 2015 16:31:17 -0700 (PDT)
X-AuditID: 12074422-f79c36d000000db3-6c-556f8e44614c
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 18.6D.03507.44E8F655; Wed, 3 Jun 2015 19:31:16 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id t53NVGNc009676; Wed, 3 Jun 2015 19:31:16 -0400
Received: from localhost (sarnath.mit.edu [18.18.1.190]) (authenticated bits=0) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t53NVEK8008491; Wed, 3 Jun 2015 19:31:15 -0400
From: Tom Yu <tlyu@mit.edu>
To: Alexey Melnikov <alexey.melnikov@isode.com>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
Date: Wed, 03 Jun 2015 19:31:14 -0400
In-Reply-To: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> (Alexey Melnikov's message of "Wed, 20 May 2015 22:16:16 +0100")
Message-ID: <ldvsia8jrnh.fsf@sarnath.mit.edu>
Lines: 37
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrHIsWRmVeSWpSXmKPExsUixCmqrOvSlx9q8OCigcWM1UUW3T8OMjkw eUzeeJjN41SzYQBTFJdNSmpOZllqkb5dAldG583nrAUv+Cqufz3A2sDYxNPFyMEhIWAisfWa fhcjJ5ApJnHh3nq2LkYuDiGBxUwSL5/OY4VwNjBK7N/dwAjhvGaUaL3QywjSwiYgLXH88i4m EFtEQF9i9atZLCA2s4CKxLPOk6wgtrBAqcSStf/B6oUEbCReXJ/PCLKZRUBV4t1dIZCZnAIN jBKvz7Qyg9TwCuhKnNq2F2wmjwCnxPfPM1gg4oISJ2c+gZqvJXHj30umCYwCs5CkZiFJLWBk WsUom5JbpZubmJlTnJqsW5ycmJeXWqRrqpebWaKXmlK6iREUjOwuSjsYfx5UOsQowMGoxMPr EJYXKsSaWFZcmXuIUZKDSUmUNyI3P1SILyk/pTIjsTgjvqg0J7X4EKMEB7OSCO9rI6Acb0pi ZVVqUT5MSpqDRUmcd9MPvhAhgfTEktTs1NSC1CKYrAwHh5IEr0YvUKNgUWp6akVaZk4JQpqJ gxNkOA/QcE2QGt7igsTc4sx0iPwpRkUpcd7+HqCEAEgiozQPrheWLF4xigO9IsxbAdLOA0w0 cN2vgAYzAQ1uF8gBGVySiJCSamBcuFe739dbeqWSW+kPgdr4E6Zt6+f/O/Dv/flnLkLaQlwn rpusmr1WQl98ww6GMzWca/dtTr7IPYmZ++DsxEkr3bT0Oq1+tTxVZxXePJvv4P5Tr7rsWV0U 9LKEJdyf9Wt3hZQw14gLPr2esORYz39Oo/Yp/58bzf/q1hDh8ugyyysjf3+/OlYlluKMREMt 5qLiRACd2b+98QIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/eClwelyUNM_X16BgIyh2dMTvC80>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 23:31:19 -0000

Alexey Melnikov <alexey.melnikov@isode.com> writes:

> Penalising large messages might be seen as a positive by some because
> signing arbitrarily large messages invites implementations to process
> unauthenticated data because of its potential size. Also, designs that
> really wish to do this can always define that the message to be signed is
> actually a hash of the data. In doing so they would reintroduce the
> requirement that the hash function be collision resistant, but can
> implement an IUF API in constant space again.

Based on some conversations with people who deal with crypto in high
performance applications, there are use cases for which minimizing
copying and optimizing cache usage can bring significant improvements.
Making multiple passes over messages could cause cache bottlenecks even
on systems that have large amounts of memory.  This was mosty in the
context of symmetric crypto, but I imagine that there are probably
signing scenarios where this is the case.

> On the other hand, if we wish a signature primitive to be easy to
> substitute into existing protocols then supporting a constant-space IUF
> API might be seen as a requirement.
>
> Chairs wish to poll the group on the following topic (please pick one):

No strong opinion, but leaning toward #1 or #3.

> #1: The signature scheme should follow the traditional model of hashing
> the message to be signed, thus trivially supporting IUF APIs in
> constant-space, at the cost of requiring collision resistant hash
> functions.
>
> #2: The signature scheme should not depend on collision resistance, at the
> cost of the signing algorithm having to buffer messages to be signed.
>
> #3: option #2, but with an additional "large message" mode defined for
> protocols that feel that they need it, where the message to be signed is
> actually a hash of the true message.

v2.23.0 | Report a Bug | By Email