Re: [Cfrg] updated Python script for signature proposals
Watson Ladd <watsonbladd@gmail.com> Wed, 22 July 2015 13:15 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFCE21A1AB9 for <cfrg@ietfa.amsl.com>; Wed, 22 Jul 2015 06:15:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.822
X-Spam-Level: *
X-Spam-Status: No, score=1.822 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUh6l_Z4JnzP for <cfrg@ietfa.amsl.com>; Wed, 22 Jul 2015 06:15:47 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A2571A1AA3 for <cfrg@irtf.org>; Wed, 22 Jul 2015 06:15:47 -0700 (PDT)
Received: by wibxm9 with SMTP id xm9so101867473wib.1 for <cfrg@irtf.org>; Wed, 22 Jul 2015 06:15:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=XZ2CgrgUQJxoETL9Fkq13L9/mw7AjxoykqxIU5oy8Xo=; b=Zr2hrY2qJPC0zWc7H1k7IMwmOuBTDHwOV41NM0XkSjp02CAn+RXZ7COyBwzDVW+dsw +qq375kDUh/VFCA399eTOO+v+U/Yn9S+kp3mfj5LGmazzSQWjQCaEEt5GbaYg9J75KJj ou4mfIoC1DzD/sXXAfQbQNGjknFLcWnZVluaDjN6i21VIv6nX0vfC3HTj5e33eOTEH7b tTZpOKA52f7LCLdtrl8sWRjDxIufNKkU+lhilPSYGKOGiZ4PFKg6EfVfgKs25rIh+sKL 1uCLCIzXWRk213Rza5RZrYDEdTtthsraM20LuiV3tPz/ezqau2dQdjpf2KMrHiYLxOtb QYNA==
MIME-Version: 1.0
X-Received: by 10.194.209.167 with SMTP id mn7mr4911257wjc.64.1437570945963; Wed, 22 Jul 2015 06:15:45 -0700 (PDT)
Received: by 10.28.155.136 with HTTP; Wed, 22 Jul 2015 06:15:45 -0700 (PDT)
In-Reply-To: <20150722082559.901.qmail@cr.yp.to>
References: <20150722082559.901.qmail@cr.yp.to>
Date: Wed, 22 Jul 2015 06:15:45 -0700
Message-ID: <CACsn0ck4FiOiDwP_tF3Km8SC0QTDgDcdy1xoEpWCjT7W2v_-bg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Z8PimqsX5s9W4Rc4JOsVA6GDLDI>
Subject: Re: [Cfrg] updated Python script for signature proposals
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 13:15:49 -0000
On Wed, Jul 22, 2015 at 1:25 AM, D. J. Bernstein <djb@cr.yp.to> wrote: > http://ed25519.cr.yp.to/cfrg/signatures.py has various updates. It still > doesn't have the PRF details for 'brown'. The 128-bit hash and 320-bit > PRF for 'hamburg' are also wild guesses. > > I see that one of the spec bugs---verification failing because of a > missing negation---has been resolved in Mike's slides the same way as in > the script, namely computing > > S = (r - inth * a) % l > > but I also don't think this is the best resolution. EdDSA's > > S = (r + inth * a) % l > > is slightly simpler than subtraction for small implementations, and it's > trivial to put the minus sign into the public key instead of the scalar. > EdDSA actually goes a step beyond this, juggling the order of operations > so that the simplest implementations can avoid all scalar negations and > all point negations; this seems to require (R,S) signatures rather than > (h,S) signatures, but it would clearly work as a tweak for all the > schemes except 'hamburg'. > > Another way to simplify the script would be to switch 'ladd' to the > point encoding used by the other schemes. The point encoding is actually > underspecified in most proposals, so I just copied the EdDSA encoding; > but Watson's proposal clearly specifies an extra byte (33 bytes instead > of 32 for Curve25519) and clearly specifies a comparison to (q-1)/2, > which is slightly more complicated than extracting the bottom bit of x. > Does anyone have reasons to deviate from the EdDSA encoding? I'll switch to EdDSA encoding then. > > It's clear that there are some particular issues where the proposals > have reasons for diverging, but there are some other discrepancies that > seem to be easily removable distractions. > > ---Dan > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [Cfrg] updated Python script for signature propos… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… Watson Ladd
- Re: [Cfrg] updated Python script for signature pr… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… D. J. Bernstein
- Re: [Cfrg] updated Python script for signature pr… Dan Brown