Re: [Cfrg] Internet-Draft: Collective Edwards-Curve Digital Signature Algorithm
"Slamanig, Daniel" <daniel.slamanig@tugraz.at> Mon, 03 July 2017 22:39 UTC
From: "Slamanig, Daniel" <daniel.slamanig@tugraz.at>
To: Philipp Jovanovic <philipp@jovanovic.io>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Mon, 03 Jul 2017 22:39:12 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/H_Aj4LdOIIbj-gsM9QqFDA6gHlU>
Hi again,

> For instance, a malicious A^* could just take some key from A, say A_j, and compute and publish A^*=a^*A_j.

sry, there is a typo. Should be A^*=a^*P+A_j assuming A_j=a_jP.

Cheers,
Daniel

> then given a collective signature (R,s,Z) where A_j participated, the signer can update s to s^* = s+a^*c as well as Z^* to exclude A_j and include A^* (as Z is not committed in the signature generation) and the signature (R,s^*,Z^*) will be a valid signature that certifies that A^* participated in signing - although he didn't.
>
> If Z is committed as proposed above and it is checked during the verification, then this should no longer work. One could also adapt the hash c=H(R||pk_ch||CH(Z'||A)||S) to include a chameleon hash to CH(Z||A'), where A' is the real set of signers that participated in the signature generation and is adapted before finalizing the signature when known as above. I hope that what I proposed is not just complete nonsense :) Also it produces quite a bit of an overhead. There may also be easier ways to avoid the issues.
>
> Some editorial issues: the message to be signed is sometimes called a statement S and later the message msg. S could be confusing as part of the signature is s and your semantic is that scalars are lowercase and points are uppercase.
>
> Also in 4.2 "Signature Generation" steps 2 and 3 are confusing as I guess that in the protocol all the signers compute their own [r_i]B values and R=\sum R_i instead of R=[r]B which would mean that they would send their r_i's (hope they will not do so).
>
> Also I find it somewhat confusing that the bitmask Z identifies the non-signers with a bit set to 1. Why not identify the signers with a bit set to 1?
>
> Cheers,
> Daniel
>
> [1] Hugo Krawczyk, Tal Rabin: Chameleon Signatures. NDSS 2000
>
> On 01.07.2017 23:58, Philipp Jovanovic wrote:
>> Hi CFRG,
>>
>> Here’s a first version of an Internet-Draft on “Collective Edwards-Curve Digital Signature Algorithms” based on Ed25519 and Ed448: https://datatracker.ietf.org/doc/draft-ford-cfrg-cosi/
>>
>> We plan to give a short presentation on that topic at the next CFRG meeting in Prague.
>>
>> Any feedback is more than welcome. Thanks!
>>
>> All the best,
>> Philipp
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>
> --
> Dr. Daniel Slamanig
> Institute for Applied Information Processing and Communications
> Graz University of Technology
> Inffeldgasse 16a, 8010 Graz, Austria.
> Phone: +43 316 873 5509
> http://www.iaik.tugraz.at
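The rogue-key forgery described in the message above, together with the proposed countermeasure of committing Z in the challenge hash, worked through in a small simulation. This is an added example, not code from the thread or from the draft; it assumes a toy Schnorr group modulo a 64-bit safe prime in place of Ed25519, a challenge c = H(R || A || msg) over the whole-roster aggregate key A with Z as the non-signer bitmask (bit 1 = did not sign), and a four-member roster, all constructed for illustration.

```python
# Toy Schnorr group built for illustration (not Ed25519): P = 2Q + 1 is a safe prime and
# G generates its order-Q subgroup; elements stand in for points, pow(G, x, P) for [x]B.
import hashlib, math, random
def is_prime(n):                                 # Miller-Rabin, deterministic below 3.3e24
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            if (x := x * x % n) == n - 1: break
        else: return False
    return True
RNG = random.Random(2017)                        # seeded so every run uses the same values
while True:                                      # pick a 64-bit safe prime at start-up
    Q = RNG.getrandbits(64) | 1 << 63 | 1
    if is_prime(Q) and is_prime(2 * Q + 1): break
P, G = 2 * Q + 1, 4                              # 4 is a square mod P, so it has order Q

def challenge(R, pubs, Z, msg, commit_mask):     # c = H(R || A || msg); hardened form also hashes Z
    A = math.prod(pubs) % P                      # A = aggregate key of the whole roster
    data = R.to_bytes(9, "big") + A.to_bytes(9, "big") + (bytes(Z) if commit_mask else b"") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def cosign(privs, pubs, Z, msg, commit_mask):    # Z bit 1 marks a member that did not sign
    r = {i: RNG.randrange(1, Q) for i, z in enumerate(Z) if not z}
    R = math.prod(pow(G, ri, P) for ri in r.values()) % P      # R = sum of the signers' [r_i]B
    c = challenge(R, pubs, Z, msg, commit_mask)
    return R, sum(ri + c * privs[i] for i, ri in r.items()) % Q, list(Z)

def verify(pubs, sig, msg, commit_mask):
    R, s, Z = sig
    c = challenge(R, pubs, Z, msg, commit_mask)
    A_signers = math.prod(A for A, z in zip(pubs, Z) if not z) % P   # roster minus the Z members
    return pow(G, s, P) == R * pow(A_signers, c, P) % P

def rogue_forgery(pubs, sig, msg, a_star, j, star, commit_mask):
    # Member `star` holds A* = [a*]B + A_j and did not sign: mark j absent, itself present, add a*c to s.
    R, s, Z = sig
    c = challenge(R, pubs, Z, msg, commit_mask)  # c under the original mask; only with Z committed
    Z2 = list(Z); Z2[j], Z2[star] = 1, 0         # does the verifier recompute a different c
    return R, (s + a_star * c) % Q, Z2

def demo(commit_mask, msg=b"constructed statement"):   # -> (honest verifies, forgery verifies)
    a = [RNG.randrange(1, Q) for _ in range(4)]          # a[0..2] honest secrets, a[3] = a*
    pubs = [pow(G, x, P) for x in a]
    pubs[3] = pubs[3] * pubs[1] % P                      # member 3 registers A* = [a*]B + A_1
    sig = cosign(a, pubs, [0, 0, 0, 1], msg, commit_mask)   # members 0..2 sign, member 3 absent
    forged = rogue_forgery(pubs, sig, msg, a[3], 1, 3, commit_mask)
    return verify(pubs, sig, msg, commit_mask), verify(pubs, forged, msg, commit_mask)
```

With the mask left out of the hash, demo(False) accepts both the honest and the rewritten signature; with Z committed, demo(True) accepts only the honest one.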