Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
Nico Williams <nico@cryptonector.com> Tue, 12 May 2015 00:44 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 203FC1B2ACA for <cfrg@ietfa.amsl.com>; Mon, 11 May 2015 17:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cNAsezuUvJfO for <cfrg@ietfa.amsl.com>; Mon, 11 May 2015 17:44:39 -0700 (PDT)
Received: from homiemail-a33.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 2E68A1A1BE7 for <cfrg@irtf.org>; Mon, 11 May 2015 17:44:39 -0700 (PDT)
Received: from homiemail-a33.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a33.g.dreamhost.com (Postfix) with ESMTP id DA04D59405E; Mon, 11 May 2015 17:44:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=jRzbsZew8Umcxp Fnr+rXzu2QHFY=; b=aT2S+BlI+djnh/xuvyBNUXLicAICyziXhZHVbLz2kEQMu7 1OLOLnD6pcBBvzYT86r5qfpwEeEAEZooB6EGKZMSBpCs+4W7JERzG12aAM73f6O6 aY743AbnvJ4RD/Ki9Bu8AhAE/Z4yOyHhNHTQktUy9+bZCjJCu4SSGtT1jcP2E=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a33.g.dreamhost.com (Postfix) with ESMTPA id 933B8594059; Mon, 11 May 2015 17:44:38 -0700 (PDT)
Date: Mon, 11 May 2015 19:44:37 -0500
From: Nico Williams <nico@cryptonector.com>
To: Andrey Jivsov <crypto@brainhub.org>
Message-ID: <20150512004436.GN7287@localhost>
References: <20150511152314.GG7287@localhost> <20150511200213.18468.qmail@cr.yp.to> <20150511202605.GK7287@localhost> <555146BA.9060906@brainhub.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <555146BA.9060906@brainhub.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/LB1FkrBldhzmFdTlHofTokrNVuU>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2015 00:44:40 -0000
On Mon, May 11, 2015 at 05:18:02PM -0700, Andrey Jivsov wrote: > This is a somewhat separate question about the hashing twice > (https://www.ietf.org/proceedings/92/minutes/minutes-92-cfrg search > for "twice"), but I view that the related concerns supports the idea > of a random k esp. with protocols that deal with messages of > unlimited size. > > Nico: you are against the interpretation of EdDSA as done in https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-00#section-5. > If you are against, consider what the code like "cat InFile | gpg > --clearsign" suppose to do then? (I assume that this piping is what > influenced this particular interpretation of EdDSA.) If we need online signing for some applications, then we can have it, either because those applications hash the message first, then sign, or because we have two signature functions, one online one not. > >It is clear that some users have a use for randomized k's, and that will > >interop with a deterministic, stateless signature scheme that derives k > >from the secret key and the message. There's no way to prevent that, > >so/and we shouldn't try, but the signature scheme that CFRG settles on > >should be deterministic and stateless as specified. > > I generally agree with this. Just don't criminalize / recognize the > benefit of random 'k' (with the security caveats). There's no IETF police. Nico --
- [Cfrg] Elliptic Curves - signature scheme: random… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Hoffman
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andy Lutomirski
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… James Cloos
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Damien Miller
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Parkinson, Sean
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Lambert
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Russ Housley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Brian Smith
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Sean Turner
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Leon Gil
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov