Re: [Cfrg] testability of signature input/output parameters

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Fri, 05 June 2015 06:16 UTC

Date: Fri, 05 Jun 2015 09:16:14 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Nico Williams <nico@cryptonector.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] testability of signature input/output parameters

On Thu, Jun 04, 2015 at 04:53:37PM -0500, Nico Williams wrote:
> On Thu, Jun 04, 2015 at 01:35:34PM -0700, Watson Ladd wrote:
> > Why don't we see if anyone has an actual objection to EdDSA, instead of
> > fooling around trying to repeat this work? It's soon going to be over a
> > year: I'd like to see a finished product then,
> 
> +1

The few prototypes I have written are heavily inspired by EdDSA. The
differences have been (some are bad ideas):


1) Modify k-generation to support larger curves

Generate d and seed as separate expansions of secret key.

This is needed in order to use SHA-512 and other standard-issue
512-bit hashes with 448-bit curve.


2) Optional couponing

Take in nonce (the usual kind, not the ECDSA kind) and pregenerate
k and kG out of that. 

Bad idea for standard use (needed for some specialist low-latency
applications).


3) Tweaks

Change way k is derived from key and message, so the same message can
generate different signatures.

Probably a bad idea: One can leak secret key by maliciously abusing
this.


4) Signature contexts

Extra data that must match between signer and verifier, to counter cross-
protocol attacks.

Cross-protocol attacks against signatures seem to be a dime a dozen.


5) Hash domains

Add function used for message prehashing (which may be identity) into
signature.

Allows support for both online and offline mode and prevents attacking
stronger hashes by confusing those with weaker ones.



-Ilari
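As an added illustration (not code from this thread, nor from any EdDSA implementation), here is a toy Schnorr-style scheme in Python that wires in items 1, 3, 4 and 5 from the message above: the scalar d and the nonce seed are separate expansions of the secret key, k is derived deterministically with no tweak input, and both a context string and a hash-domain identifier are bound into the nonce derivation and into the challenge hash. The group (a freshly generated prime-order subgroup of Z_p^* instead of a curve), the label strings, the length-prefixed field encoding and all sample values are assumptions of the example.

```python
import hashlib, secrets
def is_probable_prime(n, rounds=32):  # Miller-Rabin with random bases
    if n < 4 or any(n % s == 0 for s in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def make_group(qbits=160):
    # Toy Schnorr group (p, q, g): p = k*q + 1, g of prime order q in Z_p^* (assumption: not a curve)
    q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
    while not is_probable_prime(q):
        q += 2
    k = 2
    while not is_probable_prime(k * q + 1) or pow(2, k, k * q + 1) == 1:
        k += 2
    return k * q + 1, q, pow(2, k, k * q + 1)

# Hash domains (item 5): identifier of the prehash applied to the message
PREHASH = {b"id": lambda m: m, b"sha512": lambda m: hashlib.sha512(m).digest()}
def _h(*parts):  # SHA-512 over length-prefixed fields, so no field can bleed into another
    bs = [x if isinstance(x, bytes) else x.to_bytes((x.bit_length() + 7) // 8, "big") for x in parts]
    return int.from_bytes(hashlib.sha512(b"".join(len(b).to_bytes(2, "big") + b for b in bs)).digest(), "big")
def keygen(G, sk):  # item 1: scalar d and nonce seed are separate expansions of sk
    p, q, g = G
    d = _h(b"scalar", sk) % q
    return d, hashlib.sha512(b"seed" + sk).digest(), pow(g, d, p)

def sign(G, sk, msg, ctx, dom):
    (p, q, g), (d, seed, y) = G, keygen(G, sk)
    pm = PREHASH[dom](msg)
    k = _h(b"nonce", seed, dom, ctx, pm) % q       # deterministic, no tweak input (item 3)
    R = pow(g, k, p)
    e = _h(b"chal", R, y, dom, ctx, pm) % q        # context and hash domain bound (items 4, 5)
    return R, (k + e * d) % q
def verify(G, y, msg, ctx, dom, sig):
    (p, q, g), (R, s) = G, sig
    e = _h(b"chal", R, y, dom, ctx, PREHASH[dom](msg)) % q
    return 0 < s < q and pow(g, s, p) == R * pow(y, e, p) % p
```

A signature made under one context, or over a prehashed message under the "sha512" domain, does not verify under another context or under the identity domain, which is exactly the cross-protocol and hash-confusion binding items 4 and 5 ask for.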