IETF Logo Mail Archive

[Cfrg] updated Python script for signature proposals

"D. J. Bernstein" <djb@cr.yp.to> Wed, 22 July 2015 08:26 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB1B11A8A61 for <cfrg@ietfa.amsl.com>; Wed, 22 Jul 2015 01:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.018
X-Spam-Level: ****
X-Spam-Status: No, score=4.018 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, UNPARSEABLE_RELAY=0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rmZA-aNXFndF for <cfrg@ietfa.amsl.com>; Wed, 22 Jul 2015 01:26:09 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id ABC3E1A009D for <cfrg@irtf.org>; Wed, 22 Jul 2015 01:26:08 -0700 (PDT)
Received: (qmail 16381 invoked by uid 1017); 22 Jul 2015 08:26:29 -0000
Received: from unknown (unknown) by unknown with QMTP; 22 Jul 2015 08:26:29 -0000
Received: (qmail 903 invoked by uid 1000); 22 Jul 2015 08:25:59 -0000
Date: Wed, 22 Jul 2015 08:25:59 -0000
Message-ID: <20150722082559.901.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/0XFBOWUsBNX-0TpwGkpFen-MGh0>
Subject: [Cfrg] updated Python script for signature proposals
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 08:26:10 -0000

http://ed25519.cr.yp.to/cfrg/signatures.py has various updates. It still
doesn't have the PRF details for 'brown'. The 128-bit hash and 320-bit
PRF for 'hamburg' are also wild guesses.

I see that one of the spec bugs---verification failing because of a
missing negation---has been resolved in Mike's slides the same way as in
the script, namely computing

   S = (r - inth * a) % l

but I also don't think this is the best resolution. EdDSA's

   S = (r + inth * a) % l

is slightly simpler than subtraction for small implementations, and it's
trivial to put the minus sign into the public key instead of the scalar.
EdDSA actually goes a step beyond this, juggling the order of operations
so that the simplest implementations can avoid all scalar negations and
all point negations; this seems to require (R,S) signatures rather than
(h,S) signatures, but it would clearly work as a tweak for all the
schemes except 'hamburg'.

Another way to simplify the script would be to switch 'ladd' to the
point encoding used by the other schemes. The point encoding is actually
underspecified in most proposals, so I just copied the EdDSA encoding;
but Watson's proposal clearly specifies an extra byte (33 bytes instead
of 32 for Curve25519) and clearly specifies a comparison to (q-1)/2,
which is slightly more complicated than extracting the bottom bit of x.
Does anyone have reasons to deviate from the EdDSA encoding?

It's clear that there are some particular issues where the proposals
have reasons for diverging, but there are some other discrepancies that
seem to be easily removable distractions.

---Dan

v2.23.0 | Report a Bug | By Email