Re: [Cfrg] updated Python script for signature proposals
"D. J. Bernstein" <djb@cr.yp.to> Thu, 23 July 2015 23:13 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D9741B2A47 for <cfrg@ietfa.amsl.com>; Thu, 23 Jul 2015 16:13:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.618
X-Spam-Level: ****
X-Spam-Status: No, score=4.618 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, J_CHICKENPOX_14=0.6, UNPARSEABLE_RELAY=0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mYrrOXD_an3y for <cfrg@ietfa.amsl.com>; Thu, 23 Jul 2015 16:13:49 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id 31FB61B2A46 for <cfrg@irtf.org>; Thu, 23 Jul 2015 16:13:48 -0700 (PDT)
Received: (qmail 21478 invoked by uid 1017); 23 Jul 2015 23:14:08 -0000
Received: from unknown (unknown) by unknown with QMTP; 23 Jul 2015 23:14:08 -0000
Received: (qmail 12998 invoked by uid 1000); 23 Jul 2015 23:13:40 -0000
Date: Thu, 23 Jul 2015 23:13:40 -0000
Message-ID: <20150723231340.12996.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CACsn0ck4FiOiDwP_tF3Km8SC0QTDgDcdy1xoEpWCjT7W2v_-bg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/2s5euDiMRmmN6gp9z4MqviXZi_Y>
Subject: Re: [Cfrg] updated Python script for signature proposals
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 23:13:51 -0000
Watson Ladd writes: > I'll switch to EdDSA encoding then. Script updated: http://ed25519.cr.yp.to/cfrg/signatures.py Perhaps another issue where easy consensus is possible is the size of the secret key: * Three schemes ('brown', 'eddsa', 'hamburg') start from a 256-bit secret key. Signing uses two hash/PRF calls to derive the long-term scalar and one-time scalars (a,k). For 'brown' and 'eddsa' this is structured as sk->a,seed and then seed,m->k; for 'hamburg' it's structured as sk->a and separately sk,m->k. * Two schemes ('ladd', 'liusvaara') start from a 512-bit secret key (a,seed). Signing uses one hash call. One could argue that, since secret keys are rarely communicated, there's not much performance benefit in having a short secret key. However: * I'm told that, for small devices (including HSMs), secure long-term key storage is a serious cost, and people appreciate having this cost chopped in half. * Saving a hash call is only a small signing speedup. (For larger curve sizes, the savings would be two SHA-512 calls, but this is even less noticeable compared to the larger curve computations.) * More importantly, if an 'eddsa' user cares more about this hash call than about the space for the secret key, then the user is free to store the sk->a,seed output, eliminating this cost from signing. (Similarly, Mike mentioned the option of storing sk,a.) In other words, specifying a 512-bit secret key a,seed is really just skipping the specification of the sk->a,seed hash function. Choosing this function to fit nicely with subsequent hashing steps is beneficial for small signing implementations. Furthermore, this initial hashing helps protect the user if sk has less randomness than expected. Nobody knows any attacks against, e.g., a randomness burp that clears the first 64 bits of sk, while clearing the first 64 bits of the long-term scalar would bring the scalar within range of feasible "kangaroo" attacks. For DH this argument has to be weighed against code-size/auditing arguments, since many DH applications don't need hashing; but for signatures there's a hash function anyway, and this particular usage of hashing has extremely low cost. ---Dan
- [Cfrg] updated Python script for signature propos… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… Watson Ladd
- Re: [Cfrg] updated Python script for signature pr… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… Dan Brown