
Re: [dnsext] Rabin-Williams signatures for DNSSEC


Thierry Moreau

Oct 9, 2008, 6:40:21 AM
Dear Adam,

To me personally, it's refreshing to see the R-W (Rabin-Williams)
cryptosystem being proposed for standards body adoption. However, the
dnsext wg audience is perhaps not ready to read the arguments and
appreciate them as if the mathematical properties could be rationally
assessed.

If I may rephrase your proposal, you are basically making three points:
(1) the R-W cryptosystem has better mathematical proofs than RSA,
(2) thanks to a recent development, the R-W signatures in the proposed
variant are about half the size of RSA, and
(3) ietf dnsext should consider this for DNSSEC purposes.

Item (1) has been around for decades, with very little, if any,
standards body adoption of the R-W for protocol applications. In part,
this is due to the 4:1 ambiguity that is handled differently in the many
R-W variants (the mathematical symbols e and f in your draft). In part,
the mathematical proofs, paradoxically, appear in retrospect as not so
good a selling point as one would initially expect.

Item (2) is new to me, so I presume it would be new to many
cryptographic experts influencing the IETF/IESG adoption of standards.
ECC (Elliptic Curve Cryptography) also offers smaller signatures, which
inevitably will bring lengthy discussions as to the relative merits (...).

Item (3) is challenging. You need not only to revise your draft (which
is fine as a revision-00 as it makes the point for readers with previous
knowledge of R-W mathematics) to speak to implementors in a language
that they understand. You probably need to show an implementation as an
openssl and/or gnutls source code contribution. And above all, you need
to overcome power-of-the-installed-base resistance and inertia in the
IETF processes.

But yes indeed, smaller signatures would be fine for DNSSEC. And I see
the benefits of R-W signatures. So, good luck with this initiative.

Regards,


- Thierry Moreau


Adam Langley wrote:

> I had the pleasure of chatting with Paul Vixie recently and he
> described some of the cryptographic issues with DNSSEC, specifically
> that smaller signatures would be very nice.
>
> So I wrote up [1] and [2]. [1] is in the form of an ID, although I've
> not actually submitted it as such yet. [2] contains the full
> (executable) specification of the signature scheme described in [1]
>
> Abstract:
>
> This document describes how to use Rabin-Williams public keys and
> signatures in DNSSEC. Rabin-Williams signatures provide for faster
> verification and smaller signatures than an equivalent RSA scheme, yet
> a hash-generic attack is provably equivalent to factoring.
>
> Introduction:
>
> DNSSEC seeks to secure the Domain Name System by using signatures that
> are precomputable to avoid requiring nameservers to perform a public
> key operation for each request. Thus, for DNSSEC, verification speed
> is vastly more important than signing speed.
>
> However, DNSSEC still uses UDP as the primary transport layer
> protocol and, despite increasing the maximum payload size, large
> signatures are problematic both because of bandwidth and because of
> the amplification possibilities in a denial of service attack.
>
> This would suggest that elliptic curve signature schemes should be
> attractive. By using a group of points of an elliptic curve rather
> than a multiplicative group, index calculus (and related) attacks are
> much less effective and a smaller group is still sufficiently secure.
>
> Using the ECDSA scheme on the NIST P192 curve results in 384-bit
> signatures. However, the verification operation is nearly 25x slower
> than 1024-bit RSA (2.33GHz Core2).
>
> A 1024-bit Rabin-Williams scheme (B=0, fixed, unprincipled,
> compressed) results in 512-bit signatures and the verification speed
> is about 4x faster than 1024-bit RSA. Due to Bernstein, we have a
> proof that a hash generic attack on such a scheme is equivalent to
> factoring.
>
>
> [1] http://www.imperialviolet.org/binary/draft-agl-dnsext-rwb0fuz.html
> [2] http://github.com/agl/rwb0fuz1024/tree/master%2Frwb0fuz1024.pdf?raw=true
>
>
> Cheers
>

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1

Tel.: (514)385-5691
Fax: (514)385-5900

web site: http://www.connotech.com
e-mail: thierry...@connotech.com
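
Added example, not part of the thread and not taken from the draft or its executable specification: a textbook tweaked Rabin-Williams signature showing the 4:1 ambiguity and the e and f values mentioned in the message above. The toy primes, the SHA-256-based hash and all function names are assumptions made for illustration; the sketch omits the "fixed" and "compressed" parts of the proposed variant.

```python
import hashlib
from math import gcd

# Constructed toy key, far too small for real use: P ≡ 3 (mod 8), Q ≡ 7 (mod 8).
P, Q = 1019, 1031
N = P * Q

def is_square(a, prime):
    """Euler's criterion: is a a non-zero square modulo the prime?"""
    return pow(a % prime, (prime - 1) // 2, prime) == 1

def hash_to_unit(msg):
    """Toy hash into the units mod N (SHA-256 reduced mod N, retried with a counter)."""
    for ctr in range(256):
        h = int.from_bytes(hashlib.sha256(msg + bytes([ctr])).digest(), "big") % N
        if gcd(h, N) == 1:
            return h
    raise ValueError("no unit found")

def tweaks(h):
    """Signer's choice: e repairs the residue class mod Q, f repairs it mod P."""
    e = 1 if is_square(h, Q) else -1      # -1 is a non-square mod both primes
    f = 1 if is_square(e * h, P) else 2   # 2 is a non-square mod P only
    return e, f

def valid_tweaks(h):
    """Brute force over all four (e, f): which ones make e*h/f a square mod N?"""
    out = []
    for e in (1, -1):
        for f in (1, 2):
            t = e * h * pow(f, -1, N)
            if is_square(t, P) and is_square(t, Q):
                out.append((e, f))
    return out

def sign(msg):
    h = hash_to_unit(msg)
    e, f = tweaks(h)
    t = e * h * pow(f, -1, N) % N          # a square mod both P and Q
    sp, sq = pow(t, (P + 1) // 4, P), pow(t, (Q + 1) // 4, Q)  # roots mod P, Q
    s = sp + P * ((sq - sp) * pow(P, -1, Q) % Q)                # CRT recombination
    return e, f, s

def verify(msg, sig):
    e, f, s = sig                          # accept iff e*f*s^2 ≡ H(msg) (mod N)
    return e in (1, -1) and f in (1, 2) and (e * f * s * s - hash_to_unit(msg)) % N == 0
```

Only one of the four (e, f) pairs works for any given hash value, which is why each variant has to specify how the pair is chosen and encoded.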



Thierry Moreau

Oct 9, 2008, 12:19:27 PM

Eric Rescorla wrote:

> At Tue, 7 Oct 2008 13:31:19 -0700,


> Adam Langley wrote:
>
>>This document describes how to use Rabin-Williams public keys and
>>signatures in DNSSEC.
>

> 3. I did a little looking and it doesn't seem to me that
> anyone has standardized R-W.

At least ISO/9796:1991 did. I would be surprised if IEEE P1363 does not
include some R-W variant. Granted that no *protocol* standard can be
readily identified where R-W is an option.

(How we got to this point is beside the point.)

Regards,

--

- Thierry Moreau
