Re: [Cfrg] Internal collisions

[Dan Brown <dbrown@certicom.com>]

> -----Original Message-----
> From: David Jacobson [mailto:dmjacobson@sbcglobal.net]
> 
> On 7/27/15 8:48 AM, Dan Brown wrote:
> > [ snip ]
> > Unfortunately, prefixing means non-IUF.
> >
> >
> [ snip ]
> 
> Why all this worry about IUF?  

[DB] I wouldn't call it worry, but anyway.

First, see your own answer about the industry demand.  

Second, CFRG already had a poll on IUF. But, I'm not quite sure how to
interpret the results: can EC signatures provide a non-IUF mode?

> Industry is going to demand IUF so we have to
> provide it somehow.  Why can't we just bless making M be the hash of the
> message and use some otherwise non-IUF signature schemes?  I suspect that
if

[DB] There are some security concerns are about how good the prehash is. 

In particular, the prehashing proposals try to _specify a prehash_ rather
than just bless a using from any old hash to prehash the message.   

The EdDSA proposal goes further: it recommends that the prehash be the
identity, because it provides collision-resilience.  Are you against that
recommendation?

The ECDSA_CFRG proposal computes H(M||R), which is 
(i) close in cost to prehashing M,  
(ii) mandates using the one common wide-pipe hash, in a single call for the
verifier,
(iii) in the ideal random oracle model provides some theoretical security.
That's not so different from pre-hashing, is it?

If we are really confident in wide-pipe hashes, then the random oracle in
(iii) is quite plausible.

The prehashed prefix proposals H(R||H(M)) can _also_ claim the random oracle
model benefits (iii) above, since for sequential hashes H(M||R) is usually
quite similar to H(H(M)||R).