Re: [Cfrg] EC signature: next steps

William Whyte <wwhyte@securityinnovation.com> Fri, 04 September 2015 18:00 UTC

From: William Whyte <wwhyte@securityinnovation.com>
References: <55DD906F.3050607@isode.com> <D2035132.531EE%kenny.paterson@rhul.ac.uk> <55DDA21D.9060302@isode.com> <55DF3E3C.7020206@isode.com> <55E42414.3020805@isode.com> <55E99B7C.6020509@gmail.com>
In-Reply-To: <55E99B7C.6020509@gmail.com>
Date: Fri, 04 Sep 2015 13:00:39 -0500
Message-ID: <1822507ba15947761d52dadf31b88f52@mail.gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>, cfrg@irtf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/H26zpRldfIRxH71HbDyk67RfQ_g>
Subject: Re: [Cfrg] EC signature: next steps

I also like the idea of being able to sign and verify without providing
the public key as part of the hash input.

Cheers,

William

-----Original Message-----
From: Cfrg [mailto:cfrg-bounces@mail.ietf.org] On Behalf Of Rene Struik
Sent: Friday, September 04, 2015 8:24 AM
To: Alexey Melnikov; cfrg@irtf.org
Subject: Re: [Cfrg] EC signature: next steps

Dear colleagues:

I think the signature scheme should facilitate the following:
a) signature generation.
Ideally, signing should be possible without requiring the signer to
access its public key (obviously, it does require the private key). For
Schnorr and ECDSA type schemes, one does not need to include the public
key in the signing process, since security in the multi-user setting is
roughly the same as in the single-user setting (see [1], [2]).
b) signature verification.
If the public key of the signer is not included with signing, it is also
generally not required with verification (if the signature includes the
ephemeral signing key), since then the public key of the signer can be
reconstructed from the signature itself (with Schnorr signature (R,s)
over message m, one has Q=(1/h)(R-sG), where h=H(R,m)). This may have
advantages in settings with certificate chains and with single
signatures (where one can reduce overhead to identify the public key of
the signer).
c) reuse of same signing key with IUF/non-IUF schemes.
Ideally, one should be able to use the same signing key, no matter
whether one uses the signature scheme in the so-called IUF setting or in
the non-IUF setting. If I understand correctly, consensus is to only
specify an IUF-scheme, but even then, the design should be so that it
can support both flavors. This should *not* be left to applications to
specify (and can also easily be done).
d) same signature scheme for Weierstrass curves, (twisted) Edwards
curves, and Montgomery curves.
The signature scheme should work for all these three schemes and not
just for (twisted) Edwards curves. Ideally, it should also work for Huff
curves, Jacobian curves, etc., without requiring any changes outside the
scalar multiplication routine.

Best regards, Rene

Ref:
[1] A. Menezes, N.P. Smart, "Security of Signature Schemes in a Multi-User Setting", CACR-Corr-2001-063.
[2] J. Malone-Lee, S. Galbraith, N.P. Smart, "Public Key Signatures in the Multi-User Setting", Information Processing Letters, 2002.

On 8/31/2015 5:53 AM, Alexey Melnikov wrote:
> Dear CFRG participants,
>
> Many thanks to Ilari for posting this updated summary of where things
> currently stand. Kenny and I would now like to run a short discussion
> focusing on this summary, with our intention being to flush out any last
> issues or additional points of comparison between the different schemes
> that everyone should be aware of.
>
> Once everyone has kicked the tires, so to speak, we plan to move to a
> poll to decide which scheme CFRG should focus on writing up and formally
> recommending. We, as chairs, are hoping these steps will get us to the
> finishing line.
>
> So:
>
> - are there important characteristics or points of comparison that
> Ilari's summary does not cover?
>
> - are there errors of fact or omission that need to be corrected?
>
> - anything else?
>
>
> We'll let this discussion run for exactly one week, but we might extend
> the time if the discussion is still going strong and new arguments or
> points of comparison are brought up. After that, if no major new
> information is brought up, we will start the Quaker poll for selecting a
> single CFRG-recommended signature scheme.
>
>
> Best Regards,
> Kenny and Alexey
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@mail.ietf.org
> https://mail.ietf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
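Worked example, added here and not part of any message in the thread: Schnorr signing that never touches the public key (item a) and verification that recovers Q from (R, s) as in item b), using Rene's convention s = k - h·d so that Q = (1/h)(R - sG), on secp256k1 (a short Weierstrass curve, cf. item d). The affine curve arithmetic, the SHA-256 challenge encoding and the nonce derivation are assumptions of this example, not anything the thread specifies.

```python
import hashlib
P = 2**256 - 2**32 - 977  # secp256k1 field prime; curve is y^2 = x^3 + 7 over GF(P)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(p1, p2):  # affine addition/doubling; a = 0, so the doubling slope is 3x^2 / 2y
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return INF
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add; the only curve-specific routine the scheme relies on
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt): return INF if pt is INF else (pt[0], (-pt[1]) % P)
def on_curve(pt): return pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def challenge(R, msg):  # h = H(R, m): the public key is deliberately NOT hashed
    data = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(d, msg):  # uses the private key d only; Q = dG is never touched. s = k - h*d
    # Constructed nonce derivation (RFC 6979-style simplification); k must stay secret and
    # unique per message, since a repeated k leaks d.
    k = int.from_bytes(hashlib.sha256(d.to_bytes(32, "big") + msg).digest(), "big") % N or 1
    R = mul(k, G)
    return R, (k - challenge(R, msg) * d) % N

def verify(Q, msg, sig):  # classic check with a known public key: sG + hQ == R
    R, s = sig
    return on_curve(R) and add(mul(s, G), mul(challenge(R, msg), Q)) == R

def recover(msg, sig):  # Q = (1/h)(R - sG), the formula from the message above
    # Any on-curve (R, s) recovers *some* Q that passes verify(); the caller must still
    # match the recovered key against a trusted identity (e.g. a certificate).
    R, s = sig
    h = challenge(R, msg)
    if not on_curve(R) or h == 0:
        raise ValueError("malformed signature")
    return mul(pow(h, -1, N), add(R, neg(mul(s, G))))
```

Recovering Q from a tampered message still yields a point that satisfies verify() for that message, which is why recovery only identifies a candidate key and the binding to the signer's identity must come from elsewhere (the certificate-chain setting Rene mentions).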
