[Cfrg] updated Python script for signature proposals
"D. J. Bernstein" <djb@cr.yp.to> Wed, 22 July 2015 08:26 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB1B11A8A61 for <cfrg@ietfa.amsl.com>; Wed, 22 Jul 2015 01:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.018
X-Spam-Level: ****
X-Spam-Status: No, score=4.018 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, UNPARSEABLE_RELAY=0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rmZA-aNXFndF for <cfrg@ietfa.amsl.com>; Wed, 22 Jul 2015 01:26:09 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id ABC3E1A009D for <cfrg@irtf.org>; Wed, 22 Jul 2015 01:26:08 -0700 (PDT)
Received: (qmail 16381 invoked by uid 1017); 22 Jul 2015 08:26:29 -0000
Received: from unknown (unknown) by unknown with QMTP; 22 Jul 2015 08:26:29 -0000
Received: (qmail 903 invoked by uid 1000); 22 Jul 2015 08:25:59 -0000
Date: Wed, 22 Jul 2015 08:25:59 -0000
Message-ID: <20150722082559.901.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/0XFBOWUsBNX-0TpwGkpFen-MGh0>
Subject: [Cfrg] updated Python script for signature proposals
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 08:26:10 -0000
http://ed25519.cr.yp.to/cfrg/signatures.py has various updates. It still doesn't have the PRF details for 'brown'. The 128-bit hash and 320-bit PRF for 'hamburg' are also wild guesses. I see that one of the spec bugs---verification failing because of a missing negation---has been resolved in Mike's slides the same way as in the script, namely computing S = (r - inth * a) % l but I also don't think this is the best resolution. EdDSA's S = (r + inth * a) % l is slightly simpler than subtraction for small implementations, and it's trivial to put the minus sign into the public key instead of the scalar. EdDSA actually goes a step beyond this, juggling the order of operations so that the simplest implementations can avoid all scalar negations and all point negations; this seems to require (R,S) signatures rather than (h,S) signatures, but it would clearly work as a tweak for all the schemes except 'hamburg'. Another way to simplify the script would be to switch 'ladd' to the point encoding used by the other schemes. The point encoding is actually underspecified in most proposals, so I just copied the EdDSA encoding; but Watson's proposal clearly specifies an extra byte (33 bytes instead of 32 for Curve25519) and clearly specifies a comparison to (q-1)/2, which is slightly more complicated than extracting the bottom bit of x. Does anyone have reasons to deviate from the EdDSA encoding? It's clear that there are some particular issues where the proposals have reasons for diverging, but there are some other discrepancies that seem to be easily removable distractions. ---Dan
- [Cfrg] updated Python script for signature propos… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… Watson Ladd
- Re: [Cfrg] updated Python script for signature pr… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… Dan Brown