Re: [Cfrg] [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
Robert Ransom <rransom.8774@gmail.com> Sun, 12 January 2014 15:04 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDD3E1ADF7F for <cfrg@ietfa.amsl.com>; Sun, 12 Jan 2014 07:04:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HyIpzfaVOjwG for <cfrg@ietfa.amsl.com>; Sun, 12 Jan 2014 07:04:12 -0800 (PST)
Received: from mail-qe0-x22c.google.com (mail-qe0-x22c.google.com [IPv6:2607:f8b0:400d:c02::22c]) by ietfa.amsl.com (Postfix) with ESMTP id C98061ADF2E for <cfrg@irtf.org>; Sun, 12 Jan 2014 07:04:11 -0800 (PST)
Received: by mail-qe0-f44.google.com with SMTP id df13so1036101qeb.31 for <cfrg@irtf.org>; Sun, 12 Jan 2014 07:04:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=8VdjZFcg6jc2UuCpu6jqAOrQQ00xLGiOcq4GgkCkqx8=; b=LfcriVFeChkewYZja/oABKxsBi+8rwDk3W0FQ8m5FSDLRaZgLFzxkEWjY4lgCO3kpE j8773iZiKnvVZHNsEIXJPzjN8Oz/IDjueGadCBjj8CwhvykNm/9Y+1VwYPLMt4z/0Z8s TuGesctq58Urga/rHW2Xz4VprKMIxNktI3fdZ/tnvGbN8A9ka7YHXjzk5GL40MjKuF6c hCWr0fU8IfP5B1IepmdnIlMnCW4Xu7VGP71Td0LCixh0fLNXkz6xbO8nDy4o/rjwbi55 UiFSrNMwsPD/fqlgcZUHcRTuy52q3QTyaWHWCbeilKiK2RmgAxqlN3TKOI90V63wm+Fc 6Lfw==
MIME-Version: 1.0
X-Received: by 10.49.119.66 with SMTP id ks2mr19877919qeb.14.1389539041065; Sun, 12 Jan 2014 07:04:01 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Sun, 12 Jan 2014 07:04:00 -0800 (PST)
In-Reply-To: <52D2AA91.8050804@fifthhorseman.net>
References: <87eh4e7a2y.fsf@latte.josefsson.org> <52D18475.10709@akr.io> <20140112062942.GA32437@LK-Perkele-VII> <52D29153.7000301@akr.io> <52D2AA91.8050804@fifthhorseman.net>
Date: Sun, 12 Jan 2014 07:04:00 -0800
Message-ID: <CABqy+spcrf+pOJaknOQoU+rVUvBrTyYZPCcJ9EpebuQm_=8anw@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jan 2014 15:04:12 -0000
On 1/12/14, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > On 01/12/2014 07:57 AM, Alyssa Rowan wrote: >> · Fast hardware performance is a negative in a PBKDF or a Hashcash, >> which we actually want to be slow to measure out workfactor of >> brute-force. >> · But it's a positive in a signature scheme, as long as the hash is >> strong enough to resist any plausible second-preimage attack. >> · And it [keccak] is. >> · A collision would not suffice here. > > What makes you say that a collision attack isn't relevant against a > signature scheme? The classic collision attack against a signature > scheme is: > > * attacker generates A, B, such that H(A) = H(B) > * attacker asks victim to sign A > * victim signs A over digest H > * attacker applies signature to B > > This is how the hashclash/rogue-CA project did its work [0], and it's a > conceivable attack against anything from OpenPGP certifications to > document signatures to revision control [1]. > > Or am i misunderstanding the context in which you're saying that a > collision would not suffice? In the specific case of an EdDSA-like Schnorr signature scheme, the *beginning* of the input to the message hash function would be unpredictable to the attacker (thus achieving ‘randomized hashing’ for free). This makes collision attacks harder with any reasonable hash function. (Note that Schnorr's original signature scheme put R at the *end* of the hash input; that would not mitigate collision attacks.) Robert Ransom
- [Cfrg] Thoughts on a Next-Generation Elliptic Cur… Alyssa Rowan
- Re: [Cfrg] Thoughts on a Next-Generation Elliptic… Robert Ransom
- Re: [Cfrg] [TLS] Additional Elliptic Curves (Curv… Alyssa Rowan
- [Cfrg] EdDSA and > 512 curve & hash (Re: [TLS] Ad… Adam Back
- Re: [Cfrg] [TLS] Additional Elliptic Curves (Curv… Daniel Kahn Gillmor
- Re: [Cfrg] [TLS] Additional Elliptic Curves (Curv… Robert Ransom
- Re: [Cfrg] EdDSA and > 512 curve & hash (Re: [TLS… Robert Ransom
- Re: [Cfrg] [TLS] Additional Elliptic Curves (Curv… Adam Back
- Re: [Cfrg] EdDSA and > 512 curve & hash (Re: [TLS… Adam Back
- Re: [Cfrg] EdDSA and > 512 curve & hash (Re: [TLS… Mike Hamburg
- Re: [Cfrg] EdDSA and > 512 curve & hash (Re: [TLS… Vadym Fedyukovych
- Re: [Cfrg] EdDSA and > 512 curve & hash (Re: [TLS… Watson Ladd
- Re: [Cfrg] EdDSA and > 512 curve & hash (Re: [TLS… Vadym Fedyukovych