Re: [Cfrg] testability of signature input/output parameters

Watson Ladd <watsonbladd@gmail.com> Thu, 04 June 2015 19:54 UTC

From: Watson Ladd <watsonbladd@gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 04 Jun 2015 12:54:40 -0700
In-Reply-To: <5570A53D.7020207@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/8x2FaKLvLyCkeg8f6sFeOQ2uNAs>

On Thu, Jun 4, 2015 at 12:21 PM, Rene Struik <rstruik.ext@gmail.com> wrote:

> I think one lesson one can draw from "piecemeal polls" is that it might
> make it harder to consider system-wide trade-offs.
>
> Hence, the questions in my email of yesterday, June 3, 2015, 5.14pm EDT,
> see http://www.ietf.org/mail-archive/web/cfrg/current/msg06875.html. I
> think these still stand.

Note that verifiers will still accept signatures generated with random k,
permitting the avoidance of double hashing while preserving the more than
collision property in systems which actually require this.

>
>
> Rene
>
> On 6/4/2015 2:36 PM, Nico Williams wrote:
>
>> On Thu, Jun 04, 2015 at 10:09:29AM -0400, Rene Struik wrote:
>>
>>> [...]
>>>
>> It isn't possible to write test vectors for non-deterministic signature
>> schemes unless you expose PRNG state or nonce inputs as explicit
>> arguments to the API.  Regardless of whether one chooses to do that or
>> not, non-deterministic signature schemes whose security falls apart when
>> nonces are reused (or are predictable) are a really bad idea.
>>
>> Anyways, we've already determined that we have consensus in favor of
>> deterministic signature schemes.  You could ask that that matter be
>> re-opened, but first re-read the threads that led there.
>>
>> Nico
>>
-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
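The point made in this reply, that a verifier accepts a signature whatever way the signer chose k, and Nico's point that a random-k scheme only gets test vectors if the nonce is an explicit input, can be shown in working code. The block below is an added example and is not code from this thread or from any CFRG draft: a Schnorr-style signature over the Ed25519 curve constants from RFC 8032, with a simplified point encoding that is not the RFC 8032 wire format. The names (`deterministic_nonce`, `sign`, `verify`) and the message are constructed for the example.

```python
import hashlib, secrets
# Ed25519 curve parameters (RFC 8032) carrying a Schnorr-style signature; the point
# encoding here is simplified and is not the RFC 8032 wire format.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point B
D = (-121665 * pow(121666, -1, P)) % P

def add(p1, p2):  # complete addition on -x^2 + y^2 = 1 + d*x^2*y^2
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, point):  # double-and-add scalar multiplication, (0, 1) is the identity
    result = (0, 1)
    while k:
        if k & 1:
            result = add(result, point)
        point, k = add(point, point), k >> 1
    return result

def base_point():  # B = (x, 4/5) with even x, recovered from the curve equation
    y = 4 * pow(5, -1, P) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)              # square root for p = 5 (mod 8)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P   # fix up with sqrt(-1)
    return (P - x if x & 1 else x, y)
B = base_point()

def encode(point):  # y with the parity of x in the top bit, 32 bytes little-endian
    return (point[1] | ((point[0] & 1) << 255)).to_bytes(32, "little")

def challenge(R, A, msg):  # h = H(R || A || msg): the one hash of msg every variant needs
    return int.from_bytes(hashlib.sha512(encode(R) + encode(A) + msg).digest(), "little") % L

def deterministic_nonce(a, msg):  # EdDSA style k = H(secret || msg): msg is hashed twice overall
    return int.from_bytes(hashlib.sha512(a.to_bytes(32, "little") + msg).digest(), "little") % L

def sign(a, A, msg, k=None):
    # k is the explicit nonce input: None draws a fresh random k (msg is then hashed only once);
    # passing deterministic_nonce(a, msg) yields repeatable, test-vectorable signatures.
    if k is None:
        k = secrets.randbelow(L - 1) + 1
    R = mul(k, B)
    return R, (k + challenge(R, A, msg) * a) % L

def verify(A, msg, sig):  # sees only (R, s): it cannot tell how k was chosen
    R, s = sig
    return mul(s, B) == add(R, mul(challenge(R, A, msg), A))
```

Signing the same message twice with `deterministic_nonce` gives byte-identical output that a test vector can pin down, while a random or caller-supplied k gives a different (R, s) that the same `verify` still accepts.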