Re: [Cfrg] updated Python script for signature proposals
Dan Brown <dbrown@certicom.com> Fri, 25 September 2015 16:08 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B62C1A92E4 for <cfrg@ietfa.amsl.com>; Fri, 25 Sep 2015 09:08:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.478
X-Spam-Level:
X-Spam-Status: No, score=-1.478 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iB_BPmnNxl4D for <cfrg@ietfa.amsl.com>; Fri, 25 Sep 2015 09:08:36 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id E6E2B1A92EB for <cfrg@irtf.org>; Fri, 25 Sep 2015 09:08:33 -0700 (PDT)
Received: from xct103cnc.rim.net ([10.65.161.203]) by mhs212cnc.rim.net with ESMTP/TLS/AES128-SHA; 25 Sep 2015 12:08:33 -0400
Received: from XCT111CNC.rim.net (10.65.161.211) by XCT103CNC.rim.net (10.65.161.203) with Microsoft SMTP Server (TLS) id 14.3.210.2; Fri, 25 Sep 2015 12:08:32 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT111CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Fri, 25 Sep 2015 12:08:32 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'djb@cr.yp.to'" <djb@cr.yp.to>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: [Cfrg] updated Python script for signature proposals
Thread-Index: AQHQxFgdNfRZ4H5gTkKd1+yoghnqU53nu2aAgAI5YwCAZBKvAP//wLFQ
Date: Fri, 25 Sep 2015 16:08:31 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5E58C13@XMB116CNC.rim.net>
References: <20150723231340.12996.qmail@cr.yp.to> <20150925152630.11227.qmail@cr.yp.to>
In-Reply-To: <20150925152630.11227.qmail@cr.yp.to>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.249]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_001A_01D0F78A.E5386410"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/8-QdC-T9UWFgJ3DnNEyxL8JS238>
Subject: Re: [Cfrg] updated Python script for signature proposals
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Sep 2015 16:08:41 -0000
> -----Original Message-----
> From: D. J. Bernstein
>
> Dan Brown sent me an update last week with an implementation of
> "brown_noinverse", which if I understand correctly is his current
proposal.
[DB] Yes that's my current proposal (modulo the PRF), for small curves, in
response to the poll for avoiding inversion. For larger curves, I've
recommended SHA-3, but script only has a small curve.
If the CFRG allows non-IUF modes, then my proposal would switch over to
hinput = R + m, in non-IUF mode (i.e. settings where EdDSA uses prehash is
the identity, e.g. in python
def prehash(m):
return m)
Question: according to the current python script, eddsa and liusvaara use
SHA256 to prehash. Wouldn't it preferable to use SHA512 or SHA384 because
of the potentially securer wider pipe (and maybe speed on 64-bit)?
The script's comments say that prehash is "meant to show clearly how the two
different hashes are used." So, I am wondering if SHA-256 is your official
preference for IUF mode EdDSA, or if the choice of SHA-256 is _just_ an
expository choice to "clearly" explain the different roles of the hashes.
If your IACR eprint proposal says something different than SHA-256, maybe
the script should match that? Of course, the prehash is one of many things
that can be worked out in preparing the I-D and RFC.
> I've now updated the script accordingly
[DB] Thanks so much.
>---sorry for not getting this done sooner:
[DB] No problem at all, no need to apologize! Indeed, I also delayed
sending you the update. If preferred, I send updates directly to list?
That would at least save you the trouble.
>
> http://ed25519.cr.yp.to/cfrg/signatures.py
>
> He also started on a split between IUF and non-IUF (with R before m for
his
> non-IUF mode); I haven't tried to integrate this yet.
>
[DB] I was hoping that all the schemes in your illustrative demo python
script could be IUF split, with three signing functions (init, update,
final). The update function receives all message fragments, and the final
function would produce the signature, while the init function might do
almost nothing. The verifying functions could also be split, but that's
less important (and perhaps ill-advised being a poor security model, since
partial verification is almost always a bad idea).
- [Cfrg] updated Python script for signature propos… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… Watson Ladd
- Re: [Cfrg] updated Python script for signature pr… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… Dan Brown