Re: [Cfrg] testability of signature input/output parameters

Watson Ladd <watsonbladd@gmail.com> Thu, 04 June 2015 20:35 UTC


On Thu, Jun 4, 2015 at 1:23 PM, Nico Williams <nico@cryptonector.com> wrote:

> On Thu, Jun 04, 2015 at 12:54:40PM -0700, Watson Ladd wrote:
> > Note that verifiers will still accept signatures generated with random k,
> > permitting the avoidance of double hashing while preserving the more than
> > collision property in systems which actually require this.
>
> Right, special-purpose implementations can resort to such optimizations
> because special-purpose implementations are more likely to manage the
> requisite state and/or TRNG.  But for general purpose implementations we
> should have deterministic behavior.
>
> Note also that verification for message-derived k schemes is still
> online (though implementations should generally not permit access to the
> message prior to signature verification).  It's only the signature
> function that is made offline by the CR constructions we've discussed.
>

Let's consider an actual scheme for a moment, namely EdDSA. The verifier
takes R and s, computes e=H(R, M), and determines if R=sG+eP. This only
requires one pass through the message, not two, which for some reason we
are calling "online" vs. "offline".

Why don't we see if anyone has an actual objection to EdDSA, instead of
fooling around trying to repeat this work? It's soon going to be over a
year: I'd like to see a finished product then.

> Nico
> --

-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
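The one-pass-versus-two-pass point in the message above, made concrete as an added example (this is not code from the thread or from any EdDSA implementation the posters have in mind): a pure-Python Ed25519 following the RFC 8032 reference arithmetic, with the message wrapped in a constructed `CountingMessage` so the number of end-to-end reads is visible. Deterministic signing reads M twice, once for the nonce r = H(prefix || M) and once for the challenge H(R || A || M), and the second read cannot start until R is fixed; verification reads M once, because R and A are in hand before the hash begins, and the final check [s]B = R + [h]A involves only fixed-size values. `CountingMessage`, `demo` and the underscore helpers are names chosen for this example; the keys, messages and expected signatures are the RFC 8032 section 7.1 test vectors.

```python
import hashlib

# Curve25519 field prime, Ed25519 group order, twisted-Edwards d (RFC 8032 5.1).
p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, p - 2, p) % p


class CountingMessage:
    """Message wrapper that counts full read-throughs.  Constructed for this
    example only; a streaming hash API consumes the message the same way."""
    def __init__(self, data, chunk=16):
        self.data, self.chunk, self.passes = data, chunk, 0

    def chunks(self):
        self.passes += 1
        for i in range(0, len(self.data), self.chunk):
            yield self.data[i:i + self.chunk]


def _hash_mod_q(prefix, msg):
    """SHA-512(prefix || M) mod q, consuming M in one streamed pass."""
    h = hashlib.sha512(prefix)
    for chunk in msg.chunks():
        h.update(chunk)
    return int.from_bytes(h.digest(), "little") % q


# Points in extended coordinates (X, Y, Z, T), RFC 8032 section 5.1.4.
def _add(P, Q):
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    B = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, Gg, H = B - A, D - C, D + C, B + A
    return (E * F % p, Gg * H % p, F * Gg % p, E * H % p)


def _mul(s, P):
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            Q = _add(Q, P)
        P, s = _add(P, P), s >> 1
    return Q


def _equal(P, Q):
    # x1/z1 == x2/z2 and y1/z1 == y2/z2, compared without inversions
    return ((P[0] * Q[2] - Q[0] * P[2]) % p == 0
            and (P[1] * Q[2] - Q[1] * P[2]) % p == 0)


def _recover_x(y, sign):
    if y >= p:
        return None
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    if (x * x - x2) % p:
        return None
    return p - x if (x & 1) != sign else x


def _compress(P):
    zinv = pow(P[2], p - 2, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def _decompress(s):
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = _recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % p)


_gy = 4 * pow(5, p - 2, p) % p
_gx = _recover_x(_gy, 0)
G = (_gx, _gy, 1, _gx * _gy % p)  # base point B


def _expand(secret):
    h = hashlib.sha512(secret).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:]


def public_key(secret):
    return _compress(_mul(_expand(secret)[0], G))


def sign(secret, msg):
    """Two passes over M: the nonce r = H(prefix || M) must be known before R,
    and R must be known before the challenge h = H(R || A || M) can start."""
    a, prefix = _expand(secret)
    A = _compress(_mul(a, G))
    r = _hash_mod_q(prefix, msg)        # pass 1 over M
    R = _compress(_mul(r, G))
    h = _hash_mod_q(R + A, msg)         # pass 2 over M
    return R + ((r + h * a) % q).to_bytes(32, "little")


def verify(public, msg, sig):
    """One pass over M: R and A are fixed-size inputs available up front, so
    h = H(R || A || M) streams and the check [s]B = R + [h]A needs no more of M."""
    if len(public) != 32 or len(sig) != 64:
        return False
    A, R = _decompress(public), _decompress(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= q:
        return False
    h = _hash_mod_q(sig[:32] + public, msg)   # the only pass over M
    return _equal(_mul(s, G), _add(R, _mul(h, A)))


def demo(secret, data):
    """Sign then verify `data`; returns (signature, sign_passes, verify_passes, ok)."""
    m = CountingMessage(data)
    sig = sign(secret, m)
    m2 = CountingMessage(data)
    ok = verify(public_key(secret), m2, sig)
    return sig, m.passes, m2.passes, ok


if __name__ == "__main__":
    # RFC 8032 section 7.1 test 2: 32-byte secret, one-byte message 0x72.
    secret = bytes.fromhex("4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb")
    sig, sp, vp, ok = demo(secret, b"\x72")
    print(sig.hex(), "sign passes:", sp, "verify passes:", vp, "valid:", ok)
```

The pass counter is the whole point: a verifier can hash the message as it arrives and finish with a fixed-size computation, while the deterministic signer needs the complete message before it can even pick r, which is what makes the signing side "offline" in the thread's vocabulary. Releasing the message to the application before `verify` returns would defeat the purpose of the one-pass verifier, so a streaming implementation should buffer or discard accordingly.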