Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
Andrey Jivsov <crypto@brainhub.org> Tue, 26 May 2015 19:39 UTC
Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B322A1ACDC9 for <cfrg@ietfa.amsl.com>; Tue, 26 May 2015 12:39:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.399
X-Spam-Level: *
X-Spam-Status: No, score=1.399 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, J_CHICKENPOX_41=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQt7BGA5GaBT for <cfrg@ietfa.amsl.com>; Tue, 26 May 2015 12:39:27 -0700 (PDT)
Received: from resqmta-po-05v.sys.comcast.net (resqmta-po-05v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:164]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64EB51ACDC1 for <cfrg@irtf.org>; Tue, 26 May 2015 12:39:27 -0700 (PDT)
Received: from resomta-po-19v.sys.comcast.net ([96.114.154.243]) by resqmta-po-05v.sys.comcast.net with comcast id Yjes1q0035FMDhs01jfSZS; Tue, 26 May 2015 19:39:26 +0000
Received: from [IPv6:::1] ([71.202.164.227]) by resomta-po-19v.sys.comcast.net with comcast id YjfQ1q00G4uhcbK01jfQ3L; Tue, 26 May 2015 19:39:26 +0000
Message-ID: <5564CBEC.8070109@brainhub.org>
Date: Tue, 26 May 2015 12:39:24 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: cfrg@irtf.org
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
In-Reply-To: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1432669166; bh=tGZizI7symixgz0Uvq6nGE/9uwksJeOCR30srijqPjA=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=kPo82wrKHRk34z4DN4SsQT6taHW16fwnuuxztydZY35jUWLzsEohp9Z9XsN0leP3p oVuEZKv8t+cpMHr1RiXC0lC9wOpqiI2f5nItt1emMf9Ob1ENBJRhLafiPNngKV69KZ P4ecn2lnjX1nanzWX1lRmT1SnW8FLARZgeqC2ekKzZXq2srmfYVgNRy4m2Ba00ZMmK AMhVEGy/PMY3d6T0ttaQKNLrTWSuLlxfO5qSdbzJUxiyLTpsMj4O3IUiqYaxHDa0i6 b9cFgucqbRFFJFnxWn7miNBrUtQw1NRFHttFKKncu86J6bzmlTSmH4CKtBvBiblXeV GpWf/FV4Dvzdw==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/khkRtI7scMIcA3W5ssQpYCzjCdk>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 19:39:29 -0000
On 05/20/2015 02:16 PM, Alexey Melnikov wrote: > Signature schemes have, traditionally, hashed the message to be signed to > a representative value and then actually signed that value. This has led > to APIs that follow the Init, Update*, Final (IUF) pattern that allows for > fragmented or very large messages to be signed with constant memory usage. > > Alternatively, some signature schemes hash the message to be signed twice, > where a prefix of the second hash depends on the result of the first. > Ed25519 is an example of a scheme of this type. This typically allows the > signature scheme to require fewer assumptions about the strength of the > hash function that is employed. However, this approach implies that the signing > algorithm would have to buffer the entire message. That could lead to > unacceptable memory usage for applications that sign very large messages. > > Penalising large messages might be seen as a positive by some because > signing arbitrarily large messages invites implementations to process > unauthenticated data because of its potential size. Also, designs that > really wish to do this can always define that the message to be signed is > actually a hash of the data. In doing so they would reintroduce the > requirement that the hash function be collision resistant, but can > implement an IUF API in constant space again. > > On the other hand, if we wish a signature primitive to be easy to > substitute into existing protocols then supporting a constant-space IUF > API might be seen as a requirement. > > Chairs wish to poll the group on the following topic (please pick one): > > #1: The signature scheme should follow the traditional model of hashing > the message to be signed, thus trivially supporting IUF APIs in > constant-space, at the cost of requiring collision resistant hash > functions. > > #2: The signature scheme should not depend on collision resistance, at the > cost of the signing algorithm having to buffer messages to be signed. > > #3: option #2, but with an additional "large message" mode defined for > protocols that feel that they need it, where the message to be signed is > actually a hash of the true message. What if M'=HMAC( K, M ) gets signed, where M is the input message, K is some derivation of the signing key, and size(M') is collision-resistant size (e.g. it's HMAC-SHA-256 for Curve25519)? For example, for EdDSA one would feed M' into its hash-twice method, not M or Hash(M). This means that the hash size will need to be matched with the double of the equivalent symmetric bit length, but this is a well-accepted assumption. This maintains the benefit of the IUF. The practical benefit of this method is that the attacker doesn't get to play with two arbitrary M1 and M2 of his choice hoping to find a collision. The attacker must use the signer as an oracle. I believe that the above idea can be tweaked to maintain IUF (perhaps change the HMAC, save a few hashings, etc...). I vote for #1, and if not #1, then #3, How can a protocol that uses smartcards in untrusted environments, a protocols without hard limit of message size, adopt #2 (see the attack in http://www.ietf.org/mail-archive/web/cfrg/current/msg06759.html ) ? This likely means that TLS is out, due to smartcard client authentication. I can see that #2 is helpful in X.509 certificates, but #1 with a tweak is an improvement that might be acceptable. Major OpenPGP implementations use streaming mode to sign (e.g. in 'cat InFile | gpg --clearsign'), just as with encryption, without writing sensitive data to a temporary file. They depend on IUF. I haven't seen this with SMIME/CMS -- this is harder, but possible.
- [Cfrg] Elliptic Curves - signature scheme: friend… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Jim Schaad
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Peter Gutmann
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Laurens Van Houtven
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… David Leon Gil
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tom Yu
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] square roots Rene Struik
- [Cfrg] testability of signature input/output para… Rene Struik
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] square roots David Jacobson
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Taylor R Campbell
- Re: [Cfrg] square roots Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Derek Atkins
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Mike Hamburg
- Re: [Cfrg] testability of signature input/output … Yoav Nir
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Watson Ladd
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Nico Williams
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Björn Edström
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paul Hoffman
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Dan Brown
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Stephen Farrell