Re: [Cfrg] [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement

Robert Ransom <rransom.8774@gmail.com> Sun, 12 January 2014 15:04 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDD3E1ADF7F for <cfrg@ietfa.amsl.com>; Sun, 12 Jan 2014 07:04:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HyIpzfaVOjwG for <cfrg@ietfa.amsl.com>; Sun, 12 Jan 2014 07:04:12 -0800 (PST)
Received: from mail-qe0-x22c.google.com (mail-qe0-x22c.google.com [IPv6:2607:f8b0:400d:c02::22c]) by ietfa.amsl.com (Postfix) with ESMTP id C98061ADF2E for <cfrg@irtf.org>; Sun, 12 Jan 2014 07:04:11 -0800 (PST)
Received: by mail-qe0-f44.google.com with SMTP id df13so1036101qeb.31 for <cfrg@irtf.org>; Sun, 12 Jan 2014 07:04:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=8VdjZFcg6jc2UuCpu6jqAOrQQ00xLGiOcq4GgkCkqx8=; b=LfcriVFeChkewYZja/oABKxsBi+8rwDk3W0FQ8m5FSDLRaZgLFzxkEWjY4lgCO3kpE j8773iZiKnvVZHNsEIXJPzjN8Oz/IDjueGadCBjj8CwhvykNm/9Y+1VwYPLMt4z/0Z8s TuGesctq58Urga/rHW2Xz4VprKMIxNktI3fdZ/tnvGbN8A9ka7YHXjzk5GL40MjKuF6c hCWr0fU8IfP5B1IepmdnIlMnCW4Xu7VGP71Td0LCixh0fLNXkz6xbO8nDy4o/rjwbi55 UiFSrNMwsPD/fqlgcZUHcRTuy52q3QTyaWHWCbeilKiK2RmgAxqlN3TKOI90V63wm+Fc 6Lfw==
MIME-Version: 1.0
X-Received: by 10.49.119.66 with SMTP id ks2mr19877919qeb.14.1389539041065; Sun, 12 Jan 2014 07:04:01 -0800 (PST)
Received: by 10.229.181.132 with HTTP; Sun, 12 Jan 2014 07:04:00 -0800 (PST)
In-Reply-To: <52D2AA91.8050804@fifthhorseman.net>
References: <87eh4e7a2y.fsf@latte.josefsson.org> <52D18475.10709@akr.io> <20140112062942.GA32437@LK-Perkele-VII> <52D29153.7000301@akr.io> <52D2AA91.8050804@fifthhorseman.net>
Date: Sun, 12 Jan 2014 07:04:00 -0800
Message-ID: <CABqy+spcrf+pOJaknOQoU+rVUvBrTyYZPCcJ9EpebuQm_=8anw@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jan 2014 15:04:12 -0000

On 1/12/14, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> On 01/12/2014 07:57 AM, Alyssa Rowan wrote:
>>     · Fast hardware performance is a negative in a PBKDF or a Hashcash,
>>       which we actually want to be slow to measure out workfactor of
>>       brute-force.
>>     · But it's a positive in a signature scheme, as long as the hash is
>>       strong enough to resist any plausible second-preimage attack.
>>     · And it [keccak] is.
>>     · A collision would not suffice here.
>
> What makes you say that a collision attack isn't relevant against a
> signature scheme?  The classic collision attack against a signature
> scheme is:
>
>  * attacker generates A, B, such that H(A) = H(B)
>  * attacker asks victim to sign A
>  * victim signs A over digest H
>  * attacker applies signature to B
>
> This is how the hashclash/rogue-CA project did its work [0], and it's a
> conceivable attack against anything from OpenPGP certifications to
> document signatures to revision control [1].
>
> Or am i misunderstanding the context in which you're saying that a
> collision would not suffice?

In the specific case of an EdDSA-like Schnorr signature scheme, the
*beginning* of the input to the message hash function would be
unpredictable to the attacker (thus achieving ‘randomized hashing’ for
free).  This makes collision attacks harder with any reasonable hash
function.

(Note that Schnorr's original signature scheme put R at the *end* of
the hash input; that would not mitigate collision attacks.)


Robert Ransom