IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Nico Williams <nico@cryptonector.com> Fri, 22 May 2015 17:31 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56CC91A874D for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 10:31:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xqCzzL-wOm8v for <cfrg@ietfa.amsl.com>; Fri, 22 May 2015 10:31:23 -0700 (PDT)
Received: from homiemail-a95.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 6AB7E1A874B for <cfrg@irtf.org>; Fri, 22 May 2015 10:31:23 -0700 (PDT)
Received: from homiemail-a95.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a95.g.dreamhost.com (Postfix) with ESMTP id 186E41E071; Fri, 22 May 2015 10:31:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:references:mime-version:content-type :in-reply-to; s=cryptonector.com; bh=FTHGRVUPX5VhX5QrWVrPvXYCVyI =; b=OlESKqSf9WJ2LV02G+Nb4mLmqfoOelqP4vjP6sdk8KVojP2f7FHDm9z7xHu sGOTF8YyjT/Z7IqzEOvYN6nDdumowb8L9H+xoHPCSX0LPA5wcAgTjeSec1n2Vc5S dR/rU2gBR3BKpLBOgHv5vT6/5LOGiCdVlKWkr5WAgVUDkkJs=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a95.g.dreamhost.com (Postfix) with ESMTPA id 3D5071E064; Fri, 22 May 2015 10:31:21 -0700 (PDT)
Date: Fri, 22 May 2015 12:31:20 -0500
From: Nico Williams <nico@cryptonector.com>
To: cfrg@irtf.org
Message-ID: <20150522173119.GG3791@localhost>
References: <CACsn0ck8gTCWqt+B7vOKQVzBrUkxW5YJgkDQ+9eJQrDFeTM8rA@mail.gmail.com> <20150522092959.4599.qmail@cr.yp.to>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150522092959.4599.qmail@cr.yp.to>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lBEeWhNpAD0Rsh6DR3Eejl49KL8>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 17:31:24 -0000

On Fri, May 22, 2015 at 09:29:59AM -0000, D. J. Bernstein wrote:
> Watson Ladd writes:
> > It seems as though determinism, one pass schemes, and avoiding
> > collision resistance are at odds, unfortunately
> 
> Probably one can split a message into
> 
>    * packet p0 plus a signature s0 of ("start",p0);
>    * packet p1 plus a signature s1 of ("middle",s0,p1);
>    * packet p2 plus a signature s2 of ("middle",s1,p2);
>    * ...;
>    * last packet pn plus a signature of ("end",previous s,pn).

Say you're signing code.  Now you have to distribute O(N) additional
signatures, where N is the size of the message.  That's doable.  But to
verify in an online way as code is downloaded requires interspersing the
signatures with the code.  Which means new file formats (or new
protocols).

Say you're signing a large e-mail...  Now we'd need new message formats.

The point is that we're quite accustomed to online signature functions.
We *could* do without, but it will probably take a lot time and work to
get to where we're using deterministic, off-line, collision-resistant
signature schemes.

Which is why I see #3 as a reasonable compromise: we get a
deterministic, online scheme now that fits existing APIs and message
formats, and a deterministic off-line scheme that gives us collision
resistance and which will take time to get adopted.

> On the other hand, since the fans of streaming crypto interfaces have a
> [...]

Being pragmatic about this does not make one a "fan".

Mind you, streaming is a very good thing, and not just in crypto,
because predictable state costs are very useful in engineering...

> What _definitely_ improves security is switching to the much more robust
> world of all-in-one crypto interfaces. In this world streamability is
> clearly a bad idea: it provides no benefit, and trying to secure it
> creates a serious cost in simplicity (not to mention performance).

Agreed.  But we won't get there overnight.  And if we can retrofit
deterministic signature schemes into existing APIs and protocols at low
cost, why wouldn't we?

> More to the point, it's clear that these decisions should be made at a
> layer above the basic signature algorithm. The basic algorithm---the
> algorithm that everyone should use by default---should not allow
> security and simplicity to be corrupted by the pursuit of streaming.

That layer is also above CFRG.  All the more reason to give that layer
the tools they need to make the right choices and get deployment sooner
rather than later.

Practical considerations intrude.  That's terrible, but when you're
rebuilding an airplane mid-flight, practical considerations matter.
(With apologies to whoever I stole that analogy from; IIRC I first heard
it from Bill Sommerfeld.)

Nico
--

v2.23.0 | Report a Bug | By Email