IETF Logo Mail Archive

Re: [Cfrg] EC signature: next steps

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 04 September 2015 22:27 UTC

Return-Path: <prvs=66896595dd=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF28B1B2CAF for <cfrg@ietfa.amsl.com>; Fri, 4 Sep 2015 15:27:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.209
X-Spam-Level:
X-Spam-Status: No, score=-6.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zzJOmFx2oSVR for <cfrg@ietfa.amsl.com>; Fri, 4 Sep 2015 15:27:24 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by ietfa.amsl.com (Postfix) with ESMTP id 854BB1AD080 for <cfrg@irtf.org>; Fri, 4 Sep 2015 15:27:24 -0700 (PDT)
Received: from LLE2K10-HUB02.mitll.ad.local (LLE2K10-HUB02.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id t84MRLrY006713; Fri, 4 Sep 2015 18:27:21 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, William Whyte <wwhyte@securityinnovation.com>, Rene Struik <rstruik.ext@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] EC signature: next steps
Thread-Index: AdDnYN0y0+OBS3Ns50qZf3WjCbEV4A==
Date: Fri, 04 Sep 2015 22:27:20 +0000
Message-ID: <20150904222729.17788996.95900.20991@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="===============0047358583=="
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-09-04_10:2015-09-04,2015-09-04,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1508030000 definitions=main-1509040352
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/JKStOp5_wE5ibMvFIJNu7NrklpA>
Subject: Re: [Cfrg] EC signature: next steps
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Sep 2015 22:27:27 -0000

Rene,

Could you put together a list of specific changes to one (or more) of the proposed signature candidates? 

This would both offer a chance to incorporate those improvements (at this stage of the process :), and make the process itself somewhat smoother...

Thanks!

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: Stephen Farrell
Sent: Friday, September 4, 2015 16:18
To: William Whyte; Rene Struik; Alexey Melnikov; cfrg@irtf.org
Subject: Re: [Cfrg] EC signature: next steps


If the cost of supporting any of the things Rene mentions is *any*
delay, I'm against.

S.

On 04/09/15 19:00, William Whyte wrote:
> I also like the idea of being able to sign and verify without providing
> the public key as part of the hash input.
> 
> Cheers,
> 
> William
> 
> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@mail.ietf.org] On Behalf Of Rene Struik
> Sent: Friday, September 04, 2015 8:24 AM
> To: Alexey Melnikov; cfrg@irtf.org
> Subject: Re: [Cfrg] EC signature: next steps
> 
> Dear colleagues:
> 
> I think the signature scheme should facilitate the following:
> a) signature generation.
> Ideally, signing should be possible without requiring the signer to
> access its public key (obviously, it does require the private key). For
> Schnorr and ECDSA type schemes, one does not need to include the public
> key in the signing process, since security in the multi-user setting is
> roughly the same as in the single-user setting (see [1], [2]).
> b) signature verification.
> If the public key of the signer is not included with signing, it is also
> generally not required with verification (if the signature includes the
> ephemeral signing key), since then the public key of the signer can be
> reconstructed from the signature itself (with Schnorr signature (R,s)
> over message m, one has Q=(1/h)(R-sG), where h=H(R,m)). This may have
> advantages in settings with certificate chains and with single
> signatures (where one can reduce overhead to identify the public key of
> the signer).
> c) reuse of same signing key with IUF/non-IUF schemes.
> Ideally, one should be able to use the same signing key, no matter
> whether one uses the signature scheme in the so-called IUF setting or in
> the non-IUF setting. If I understand correctly, consensus is to only
> specify an IUF-scheme, but even then, the design should be so that it
> can support both flavors. This should *not* be left to applications to
> specify (and can also easily be done).
> d) same signature scheme for Weierstrass curves, (twisted) Edwards
> curves, and Montgomery curves.
> The signature scheme should work for all these three schemes and not
> just for (twisted) Edwards curves. Ideally, it should also work for Huff
> curves, Jacobian curves, etc., without requiring any changes outside the
> scalar multiplication routine.
> 
> Best regards, Rene
> 
> Ref:
> [1] A. Menezes, N.P. Smart, "Security of Signature Schemes in A
> Multi-User Setting", CACR-Corr-2001-063.
> [2] J. Malone Lee, S. Galbraith, N. P. Smart, "Public Key Signatures in
> the Multi-User Setting", Inform.Proc.Letters, 2002.
> 
> 
> 
> 
> On 8/31/2015 5:53 AM, Alexey Melnikov wrote:
>> Dear CFRG participants,
>>
>> Many thanks to Ilari for posting this updated summary of where things
>> currently stand. Kenny and I would now like to run a short discussion
>> focusing on this summary, with our intention being to flush out any last
>> issues or additional points of comparison between the different schemes
>> that everyone should be aware of.
>>
>> Once everyone has kicked the tires, so to speak, we plan to move to a
>> poll to decide which scheme CFRG should focus on writing up and formally
>> recommending. We, as chairs, are hoping these steps will get us to the
>> finishing line.
>>
>> So:
>>
>> - are there important characteristics or points of comparison that
>> Ilari's summary does not cover?
>>
>> - are there errors of fact or omission that need to be corrected?
>>
>> - anything else?
>>
>>
>> We'll let this discussion run for exactly one week, but we might extend
>> the time if the discussion is still going strong and new arguments or
>> points of comparison are brought up. After that, if no major new
>> information is brought up, we will start the Quaker poll for selecting a
>> single CFRG-recommended signature scheme.
>>
>>
>> Best Regards,
>> Kenny and Alexey
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@mail.ietf.org
>> https://mail.ietf.org/mailman/listinfo/cfrg
> 
> 

_______________________________________________
Cfrg mailing list
Cfrg@mail.ietf.org
https://mail.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email