Re: [Cfrg] testability of signature input/output parameters

Derek Atkins <derek@ihtfp.com> Thu, 04 June 2015 16:59 UTC

From: Derek Atkins <derek@ihtfp.com>
To: Rene Struik <rstruik.ext@gmail.com>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <556F8811.2070101@cs.tcd.ie> <20150604065658.GA14531@LK-Perkele-VII> <55705C19.4040600@gmail.com>
Date: Thu, 04 Jun 2015 12:59:20 -0400
In-Reply-To: <55705C19.4040600@gmail.com> (Rene Struik's message of "Thu, 04 Jun 2015 10:09:29 -0400")
Message-ID: <sjma8wfe7fb.fsf@securerf.ihtfp.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] testability of signature input/output parameters

Rene Struik <rstruik.ext@gmail.com> writes:

> Hi Ilari:
>
> Just curious about your remark that deterministic signatures would
> allow for easier testability.
>
> I don't know what exactly these tests would look like, but I presume
> these take as input some messages and public keys written in a spec
> and then check whether the signature output is indeed as listed in
> the spec for the corresponding message/public key pairs {let us assume
> that these test parameters have been confirmed independently, prior to

No, you would publish the *PRIVATE* key, the message, and the signature,
so that you could verify that your implementation generates the exact
same signature given the exact same inputs.

You could theoretically do this with a non-deterministic scheme as well
if you also publish the random nonces along with the private key
parameters.  But having a deterministic signature scheme is better,
IMHO, because frankly some devices don't have a good source of random
numbers.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
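The kind of known-answer test described in the reply above (publish the private key, the message and the expected signature; an implementation passes only if it reproduces the signature byte for byte), as an added example that is not part of the thread. It uses a constructed toy Schnorr group (p = 23, q = 11, g = 2; far too small for real use) and derives the nonce from the private key and message with HMAC, modelled on the RFC 6979 / EdDSA approach, so signing is deterministic. The `TestVector` type, `check_vector` and the optional `nonce` field are this example's own names; the `nonce` field is the hook for the non-deterministic case the reply mentions, where the spec would have to publish the nonce alongside the private key.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Toy Schnorr group, constructed for illustration only.
# q = 11 divides p - 1 = 22, and g = 2 has order 11 modulo 23.
P, Q, G = 23, 11, 2


def derive_nonce(sk: int, msg: bytes) -> int:
    """Deterministic nonce: HMAC-SHA256 over the message keyed by the private
    key, so identical (key, message) inputs always yield the same k.
    (Same idea as RFC 6979 / EdDSA, simplified; not the exact RFC 6979 procedure.)"""
    mac = hmac.new(sk.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    k = int.from_bytes(mac, "big") % Q
    return k if k != 0 else 1  # k = 0 would leak the private key via s


def challenge(r: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(r || m) reduced into the exponent group."""
    h = hashlib.sha256(r.to_bytes(32, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def sign(sk: int, msg: bytes, nonce: Optional[int] = None) -> Tuple[int, int]:
    """Schnorr signature (e, s). With nonce=None the nonce is derived
    deterministically; a caller (or a test vector) may supply one explicitly."""
    k = derive_nonce(sk, msg) if nonce is None else nonce
    r = pow(G, k, P)
    e = challenge(r, msg)
    s = (k + e * sk) % Q
    return (e, s)


def verify(pk: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    """Recompute r' = g^s * pk^(-e) and check that H(r' || m) == e."""
    e, s = sig
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    r = (pow(G, s, P) * pow(pk, (-e) % Q, P)) % P
    return challenge(r, msg) == e


@dataclass
class TestVector:
    """A published known-answer test: private key, message, expected signature.
    `nonce` is only needed when the scheme is randomized and the spec publishes
    the nonce used to produce the listed signature."""
    private_key: int
    message: bytes
    signature: Tuple[int, int]
    nonce: Optional[int] = None


def check_vector(v: TestVector) -> bool:
    """True only if this implementation reproduces the listed signature exactly
    *and* that signature verifies under the matching public key."""
    pk = pow(G, v.private_key, P)
    produced = sign(v.private_key, v.message, v.nonce)
    return produced == v.signature and verify(pk, v.message, v.signature)


def make_vector(sk: int, msg: bytes) -> TestVector:
    """Helper a spec author would use once to generate a vector to publish."""
    return TestVector(sk, msg, sign(sk, msg))


if __name__ == "__main__":
    # Constructed sample inputs.
    vec = make_vector(7, b"cfrg test message")
    print("deterministic vector passes:", check_vector(vec))
    bad = TestVector(vec.private_key, vec.message, ((vec.signature[0] + 1) % Q, vec.signature[1]))
    print("tampered vector passes:", check_vector(bad))
```

Because `check_vector` compares the produced signature for equality before verifying it, an implementation that verifies fine but draws its own random nonce still fails the vector, which is exactly the property the reply is after: the vector pins the output, not just its validity. For a randomized scheme the same harness works only if the spec also publishes `nonce`, as the reply notes.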