IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

Nico Williams <nico@cryptonector.com> Sat, 09 May 2015 03:32 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4BA1A873C for <cfrg@ietfa.amsl.com>; Fri, 8 May 2015 20:32:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w3GzyC521X12 for <cfrg@ietfa.amsl.com>; Fri, 8 May 2015 20:32:41 -0700 (PDT)
Received: from homiemail-a108.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id B09DF1A0393 for <cfrg@irtf.org>; Fri, 8 May 2015 20:32:41 -0700 (PDT)
Received: from homiemail-a108.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a108.g.dreamhost.com (Postfix) with ESMTP id 5D4EF2005D82D; Fri, 8 May 2015 20:32:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=rNmV1/cbDXtkpZ 2EGzSKLgr/K2E=; b=k4LaBuHEQEyHs1u8ycr2UIUzY1q7bclYG4z2eiyapKlJfg o5rvjk6w7ItfZkuSgAcuHFPSndk6+AEdxq2Ft4ldwMR/zDAXUKheQ5av+vm1Q7gs 052/VQooS2eY4TkdB5Q/l5CCGPZ13TmGN3GnRr0RnIRUd1Plsy2KcehMUK0hs=
Received: from localhost (unknown [107.18.17.193]) (Authenticated sender: nico@cryptonector.com) by homiemail-a108.g.dreamhost.com (Postfix) with ESMTPA id F0EA02005D82C; Fri, 8 May 2015 20:32:40 -0700 (PDT)
Date: Fri, 08 May 2015 22:32:40 -0500
From: Nico Williams <nico@cryptonector.com>
To: Dan Brown <dbrown@certicom.com>
Message-ID: <20150509033239.GE7287@localhost>
References: <810C31990B57ED40B2062BA10D43FBF5DCAEDC@XMB116CNC.rim.net> <20150505152258.31923.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5DCBA9C@XMB116CNC.rim.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5DCBA9C@XMB116CNC.rim.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/NSAoXS1m_kXwDXB10zXDYfSYlNY>
Cc: cfrg@irtf.org, djb@cr.yp.to
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 May 2015 03:32:42 -0000

On Wed, May 06, 2015 at 03:39:51PM +0000, Dan Brown wrote:
> Accordingly, I now amend my proposal to 
> k = F(m,a,t) 
> where 
> F is some to-be-specified cryptographically strong deterministic function,
> m is the message, 
> a is the actual long-term (signing) key, and 
> t is a temporal value (tweak/nonce), preferably secret and unpredictable, or at least non-repeating, optionally fixed (including empty: reducing the signature scheme to an outright deterministic signature scheme), and not under any influence from an adversary.  

The signature scheme just must be deterministic as to all inputs, and it
must be state-less.  I suppose one could have OPTIONAL inputs like t
above, or cached pre-computations (a cache is not the same as state),
but those warrant extreme caution (see Watson Ladd's response).

The issue here is partly about what the API looks like.  The signature
API has to be an interface to a deterministic function with no hidden
inputs nor hidden state: so it can be tested.

It's also about state: some (most!) systems can't keep it; the scheme
simply must be state-less.  Certainly we need a state-less signature
scheme.  An explicit-state scheme might later prove useful, but first we
urgently need a state-less one.

Given a deterministic, state-less function, implementations can be
tested via test vectors.  This should be a priority.  Batch verification
is also quite desirable, but can be had anyways (EdDSA has it).

An API with explicit state (e.g., a bag of one-time-use nonces, a
counter-based nonce generator) might be a nice optimizations for some
cases, but the price to pay is extreme difficulty keeping the required
state.

Nico
--

v2.23.0 | Report a Bug | By Email