Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
Nico Williams <nico@cryptonector.com> Sat, 09 May 2015 03:32 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4BA1A873C for <cfrg@ietfa.amsl.com>; Fri, 8 May 2015 20:32:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w3GzyC521X12 for <cfrg@ietfa.amsl.com>; Fri, 8 May 2015 20:32:41 -0700 (PDT)
Received: from homiemail-a108.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id B09DF1A0393 for <cfrg@irtf.org>; Fri, 8 May 2015 20:32:41 -0700 (PDT)
Received: from homiemail-a108.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a108.g.dreamhost.com (Postfix) with ESMTP id 5D4EF2005D82D; Fri, 8 May 2015 20:32:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=rNmV1/cbDXtkpZ 2EGzSKLgr/K2E=; b=k4LaBuHEQEyHs1u8ycr2UIUzY1q7bclYG4z2eiyapKlJfg o5rvjk6w7ItfZkuSgAcuHFPSndk6+AEdxq2Ft4ldwMR/zDAXUKheQ5av+vm1Q7gs 052/VQooS2eY4TkdB5Q/l5CCGPZ13TmGN3GnRr0RnIRUd1Plsy2KcehMUK0hs=
Received: from localhost (unknown [107.18.17.193]) (Authenticated sender: nico@cryptonector.com) by homiemail-a108.g.dreamhost.com (Postfix) with ESMTPA id F0EA02005D82C; Fri, 8 May 2015 20:32:40 -0700 (PDT)
Date: Fri, 08 May 2015 22:32:40 -0500
From: Nico Williams <nico@cryptonector.com>
To: Dan Brown <dbrown@certicom.com>
Message-ID: <20150509033239.GE7287@localhost>
References: <810C31990B57ED40B2062BA10D43FBF5DCAEDC@XMB116CNC.rim.net> <20150505152258.31923.qmail@cr.yp.to> <810C31990B57ED40B2062BA10D43FBF5DCBA9C@XMB116CNC.rim.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5DCBA9C@XMB116CNC.rim.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/NSAoXS1m_kXwDXB10zXDYfSYlNY>
Cc: cfrg@irtf.org, djb@cr.yp.to
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 May 2015 03:32:42 -0000
On Wed, May 06, 2015 at 03:39:51PM +0000, Dan Brown wrote: > Accordingly, I now amend my proposal to > k = F(m,a,t) > where > F is some to-be-specified cryptographically strong deterministic function, > m is the message, > a is the actual long-term (signing) key, and > t is a temporal value (tweak/nonce), preferably secret and unpredictable, or at least non-repeating, optionally fixed (including empty: reducing the signature scheme to an outright deterministic signature scheme), and not under any influence from an adversary. The signature scheme just must be deterministic as to all inputs, and it must be state-less. I suppose one could have OPTIONAL inputs like t above, or cached pre-computations (a cache is not the same as state), but those warrant extreme caution (see Watson Ladd's response). The issue here is partly about what the API looks like. The signature API has to be an interface to a deterministic function with no hidden inputs nor hidden state: so it can be tested. It's also about state: some (most!) systems can't keep it; the scheme simply must be state-less. Certainly we need a state-less signature scheme. An explicit-state scheme might later prove useful, but first we urgently need a state-less one. Given a deterministic, state-less function, implementations can be tested via test vectors. This should be a priority. Batch verification is also quite desirable, but can be had anyways (EdDSA has it). An API with explicit state (e.g., a bag of one-time-use nonces, a counter-based nonce generator) might be a nice optimizations for some cases, but the price to pay is extreme difficulty keeping the required state. Nico --
- [Cfrg] Elliptic Curves - signature scheme: random… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Hoffman
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andy Lutomirski
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… James Cloos
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Damien Miller
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Parkinson, Sean
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Lambert
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Russ Housley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Brian Smith
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Sean Turner
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Leon Gil
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov