Re: [Cfrg] draft-irtf-cfrg-eddsa - more implementation questions
Jim Schaad <ietf@augustcellars.com> Mon, 11 July 2016 18:44 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D718612D66B for <cfrg@ietfa.amsl.com>; Mon, 11 Jul 2016 11:44:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level:
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkHzYznSel7o for <cfrg@ietfa.amsl.com>; Mon, 11 Jul 2016 11:44:18 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 104F212B04E for <cfrg@ietf.org>; Mon, 11 Jul 2016 11:44:18 -0700 (PDT)
Received: from hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 11 Jul 2016 11:49:59 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Hamburg' <mike@shiftleft.org>
References: <008901d1db7b$ab86bed0$02943c70$@augustcellars.com> <84618BCB-35C7-4978-8F75-7FEE4B137A9F@shiftleft.org>
In-Reply-To: <84618BCB-35C7-4978-8F75-7FEE4B137A9F@shiftleft.org>
Date: Mon, 11 Jul 2016 11:43:37 -0700
Message-ID: <011701d1dba4$242c0840$6c8418c0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJP9/OYUuJ28Cv5wxwEI8LPqy03agLCjEa9nwFDLzA=
Content-Language: en-us
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_ac01fX1twvD4yhYsk47S3NGNBs>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: cfrg@ietf.org
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa - more implementation questions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 18:44:20 -0000
> -----Original Message----- > From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Mike Hamburg > Sent: Monday, July 11, 2016 11:14 AM > To: Jim Schaad <ietf@augustcellars.com> > Cc: cfrg@ietf.org; draft-irtf-cfrg-eddsa@tools.ietf.org > Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa - more implementation questions > > > > On Jul 11, 2016, at 6:53 AM, Jim Schaad <ietf@augustcellars.com> wrote: > > > > In step #3 of the verify function, I assume that I can reduce k mod p > > without any problems. Can I reduce it mod L or not? It would be useful to > > have the hint in the text since it is all over the Sign algorithm. > > Good idea; we should add that hint to the spec. > > You can’t reduce it mod p. You can and should reduce it mod L (aka q), at least > for the non-strict verification formula. > > For the strict verification formula, it may be better to reduce mod hL, where h=8 > or 4 for ed25519 and ed448 respectively. This doesn’t affect the usual notion of > security, but reducing mod hL will give you the same answer as not reducing, > and reducing mod L will sometimes change whether a maliciously-crafted > signature validates or not. > Since the spec doesn’t say you may reduce mod L, you probably shouldn’t. But > the easier solution is not to use the strict formula. > > > I have been using the python program to help debug my quick > > implementation of the signature algorithm. This has worked up to the > > point of trying to decode points as the python code does not use the > > suggested formula in section 5.1.3 (use this trick) but instead just > > directly computes a square root on the base formula. > > > > I am therefore unable to determine where my bug is: In my code, in > > the formula, or in how I read the formula. It might be worthwhile to > > actually implement this algorithm for computing square roots if that > > is what is suggested. > > How are you implementing the division and square root? The code for square > root looks almost the same as the trick anyway, so you could just switch it over. Probably because the document implies that one should in order to avoid the double modular exponentiation. > > > By the way, I finally found were the neutral point was defined. You > > still might want to highlight it as part of the point addition sections. > > > > Looking at the python code, I think I see the trick you are using to > > deal with step 1 in the decoding code for removing the x_0 bit but it > > could be highlighted that it is being done in the field parsing > > function rather than the decoding function. > > It’s being done in decode_base, right? No xs=s[(b-1)//8]>>((b-1)&7) obtains the value of x_0, however it does not remove it from the array s, that is being done in frombytes (I think). jim > > > Jim > > Cheers, > — Mike > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] draft-irtf-cfrg-eddsa - more implementatio… Jim Schaad
- Re: [Cfrg] draft-irtf-cfrg-eddsa - more implement… Mike Hamburg
- Re: [Cfrg] draft-irtf-cfrg-eddsa - more implement… Jim Schaad
- Re: [Cfrg] draft-irtf-cfrg-eddsa - more implement… Mike Hamburg