[CFRG] Re: I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt

Niu Danny <dannyniu@hotmail.com> Sat, 23 March 2024 05:19 UTC

From: Niu Danny <dannyniu@hotmail.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Sat, 23 Mar 2024 05:19:37 +0000
Message-ID: <OS3P286MB19204E10FABE372D06FFC86EC1302@OS3P286MB1920.JPNP286.PROD.OUTLOOK.COM>
In-Reply-To: <20240322070827.738849.qmail@cr.yp.to>
Subject: [CFRG] Re: I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/QZ0bsov4vR_wH7DqPStvhkTKPKk>

From the perspective of the context string feature, I think it’s good - previously I implemented the context string using un-finalized hashing-context copying, where I feed the context string into the hashing context without finalizing it and copy it for use when signing; draft-03 made me change the way I implement it.

If you can provide a discussion of performance of hashing call counts and compatibility with pre-hash variants, I think it’ll be convincing enough to adopt that in the next draft(s).

From: CFRG <cfrg-bounces@irtf.org> on behalf of D. J. Bernstein <djb@cr.yp.to>
Date: Friday, 22 March 2024 15:08
To: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt

I think the best way to convert deterministic Ed25519 signing software
into randomized Ed25519 signing software is to overwrite noncekey with
H(noncekey,randomness) right after the usual derivation of noncekey from
the secret key, i.e., before computing nonce = H(noncekey,message).

This makes the code changes as simple as possible: for example, the
relevant changes from earlier code to lib25519 replaced

    unsigned char secret[64];           /* [0,32): scalar seed; [32,64): noncekey */
    crypto_hash_sha512(secret,sk,32);   /* secret = H(sk), the standard Ed25519 derivation */

with

    unsigned char secret[96];                     /* extra 32 bytes hold the randomness */
    crypto_hash_sha512(secret,sk,32);             /* secret[0,64) = H(sk), as before */
    randombytes(secret+64,32);                    /* secret[64,96) = 32 fresh random bytes */
    crypto_hash_sha512(secret+32,secret+32,64);   /* noncekey <- H(noncekey,randomness), written over secret[32,96) */

and left everything else unchanged.

The main security risk from randomization comes from typical test
frameworks not being able to test randomized functions: basically, the
entire signing function ends up being tested merely for "yes, signatures
verify", so bugs in how nonces are generated won't be caught. Randomized
functions are tested in the lib25519 test framework, and aligning the
randomization details has the secondary advantage of allowing reuse of
test inputs and test outputs from lib25519.

---D. J. Bernstein
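The following is an added illustration, not code from either message above and not lib25519: a self-contained Ed25519 in Python in which the only departure from RFC 8032 is the step described above, overwriting noncekey with H(noncekey, randomness) before nonce = H(noncekey, message). It assumes that the 32-byte noncekey used by the nonce hash is the first half of the 64-byte digest the quoted C code writes over secret+32 (the snippet does not show how lib25519 reads the buffer afterwards). The randomness is an explicit parameter rather than drawn inside the function, which is what lets a test framework exercise the randomized path with fixed inputs, the testability concern raised in the quoted message. The RFC 8032 test vector pins the deterministic path; the message and the zero "randomness" in demo() are constructed inputs.

```python
"""Ed25519 with the noncekey randomization from the message above.
Constructed teaching code, not lib25519: affine arithmetic, slow, not constant-time."""
import hashlib
import os

p = 2**255 - 19                                       # field prime
q = 2**252 + 27742317777372353535851937790883648493   # group order
d = (-121665 * pow(121666, p - 2, p)) % p             # curve constant
I = pow(2, (p - 1) // 4, p)                           # sqrt(-1) mod p

def H(*parts):
    return hashlib.sha512(b"".join(parts)).digest()

def inv(x):
    return pow(x, p - 2, p)

def xrecover(y):
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = (x * I) % p
    return x if x % 2 == 0 else p - x

By = (4 * inv(5)) % p
B = (xrecover(By), By)                                # base point

def add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % p,
            (y1 * y2 + x1 * x2) * inv(1 - t) % p)

def mul(P, e):
    R = (0, 1)
    while e:
        if e & 1:
            R = add(R, P)
        P, e = add(P, P), e >> 1
    return R

def encode(P):
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def decode(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = p - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % p:
        raise ValueError("point not on curve")
    return (x, y)

def clamp(b):
    return (int.from_bytes(b, "little") & ((1 << 254) - 8)) | (1 << 254)

def publickey(sk):
    return encode(mul(B, clamp(H(sk)[:32])))

def sign(sk, pk, m, randomness=None):
    """RFC 8032 signing when randomness is None; otherwise the one change from
    the message above: noncekey <- H(noncekey, randomness) before the nonce."""
    secret = bytearray(H(sk))          # [0:32] scalar seed, [32:64] noncekey
    if randomness is not None:
        # Assumption: the 32-byte noncekey is the first half of the 64-byte
        # digest that the quoted C code writes over secret+32.
        secret[32:64] = H(secret[32:64], randomness)[:32]
    a = clamp(secret[:32])
    r = int.from_bytes(H(secret[32:64], m), "little") % q   # nonce = H(noncekey, message)
    R = encode(mul(B, r))
    k = int.from_bytes(H(R, pk, m), "little") % q
    return R + ((r + k * a) % q).to_bytes(32, "little")

def verify(pk, m, sig):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = decode(sig[:32]), decode(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= q:
        return False
    k = int.from_bytes(H(sig[:32], pk, m), "little") % q
    return mul(B, S) == add(R, mul(A, k))

# RFC 8032 section 7.1, test 1 (empty message): pins the deterministic path.
SK1 = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
PK1 = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
SIG1 = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                     "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")

def demo():
    pk = publickey(SK1)
    m = b"draft-irtf-cfrg-det-sigs-with-noise"       # constructed message
    det = (sign(SK1, pk, m), sign(SK1, pk, m))
    rnd = (sign(SK1, pk, m, os.urandom(32)), sign(SK1, pk, m, os.urandom(32)))
    fix = (sign(SK1, pk, m, bytes(32)), sign(SK1, pk, m, bytes(32)))  # fixed randomness: testable
    return {
        "kat_ok": pk == PK1 and sign(SK1, pk, b"") == SIG1,
        "deterministic_repeats": det[0] == det[1],
        "randomized_differs": rnd[0] != rnd[1] and rnd[0][:32] != det[0][:32],
        "fixed_randomness_repeats": fix[0] == fix[1] and fix[0] != det[0],
        "all_verify": all(verify(pk, m, s) for s in det + rnd + fix),
        "tamper_rejected": not verify(pk, m + b"!", rnd[0]),
    }
```

demo() shows the three properties that matter for the draft: the deterministic path reproduces the RFC 8032 vector, the randomized path yields a different R (and therefore a different signature) on every call while still verifying, and the randomized path with a caller-supplied fixed value is itself reproducible, so a known-answer test can check the nonce derivation rather than only "signatures verify".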

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://mailman.irtf.org/mailman/listinfo/cfrg