Re: [Cfrg] EC signature: next steps
Dan Brown <dbrown@certicom.com> Mon, 31 August 2015 17:27 UTC
From: Dan Brown <dbrown@certicom.com>
To: "'simon@josefsson.org'" <simon@josefsson.org>, "'alexey.melnikov@isode.com'" <alexey.melnikov@isode.com>
Date: Mon, 31 Aug 2015 17:27:10 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5E3754B@XMB116CNC.rim.net>
References: <55DD906F.3050607@isode.com> <D2035132.531EE%kenny.paterson@rhul.ac.uk> <55DDA21D.9060302@isode.com> <55DF3E3C.7020206@isode.com> <55E42414.3020805@isode.com> <8737yz4nfg.fsf@latte.josefsson.org>
In-Reply-To: <8737yz4nfg.fsf@latte.josefsson.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/VQxbtAkk76Btst7XolVShgtP098>
Cc: "'cfrg@irtf.org'" <cfrg@irtf.org>
> -----Original Message-----
> From: Simon Josefsson
>
> 1) Maturity. Ed25519 was published through CHES in 2011 and has been peer-
> reviewed since then. I would appreciate if someone could find dates of
> publications on the other proposals and find out how much of scientific review
> they have seen.
>

[DB] By the way, this is what I'd call aegis, so is a good point, and I'll try to answer. That said, I'm not a historian, so I'll likely have some dates/names wrong below. Please take this as a tentative preliminary answer, so with a grain of salt.

EdDSA

Part of the EdDSA proposal (i.e. those beyond Ed25519) seems to be quite recent: http://eprint.iacr.org/2015/677 by DJB, you, Lange, Schwabe and Yang. You probably know better if these parts were published elsewhere.

Actually, EdDSA is Schnorr-based, and Schnorr goes back to 1988. So, saying 2011 is drastically underselling the age of the main security basis of EdDSA. The 2011 date applies to the various details over Schnorr. Does the CHES 2011 publication claim some kind of provable security? Could you briefly synopsize?

Further to EdDSA's case, Pointcheval and Stern proved the security of Schnorr signatures in the random oracle model. I think that this dates from 1996 or 1997, was very well peer-reviewed at the time, has since been extended and published in J. of Cryptology, and is very often cited. Not everybody values provable security as much as I do, but I don't think most people here completely discount it, do they?

Neven, Smart and Warinschi published in J. of Math. Crypto 2009 a security proof for Schnorr signatures in the generic group model. That applies to EdDSA, too.

ECDSA_CFRG

As I recall, in some version of Pointcheval and Stern's paper, they mentioned both (1) using elliptic curves, and (2) amending DSA by inclusion of R in the message hash. This is a major part of the ECDSA_CFRG proposal, so is quite old and somewhat peer-reviewed.

ECDSA in some form was proposed quite early, maybe 1998, to IEEE P1363, mainly by Scott Vanstone. Of course, it is based on DSA (which is from 1991???), which is derived from ElGamal signatures (1984). These publications did not claim security proofs (cf. CHES 2011?).

I wrote about the security of ECDSA in http://eprint.iacr.org/2002/026 which was eventually published in DCC 2005: http://link.springer.com/article/10.1007/s10623-003-6154-z

I also wrote Chapter 2 on ECDSA in the book Advances in Elliptic Curve Cryptography, Eds. Blake, Seroussi, Smart, Cambridge University Press, 2005. Of course, that chapter was not fully peer-reviewed in the usual sense.

I briefly discussed some security issues for ECDSA in http://eprint.iacr.org/2008/286, including the hashing of R as a _suffix_, much like in ECDSA_CFRG, although I don't recall submitting this to any peer-reviewed forum. The discussion in that paper was really an aside.

Koblitz and Menezes http://eprint.iacr.org/2015/140 discuss some variants of ECDSA that they call ECDSA* and ECDSA+, which are fairly close to ECDSA_CFRG. They argue that these are security improvements over ECDSA. I think that this paper has been accepted to a journal, DCC, but perhaps as a special edition invitation issue.

The idea to make the signatures deterministic (pseudorandom) is old and common to all current CFRG proposals, though some of the details vary between schemes, and some of them are indeed quite new.