Re: [Cfrg] testability of signature input/output parameters

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Thu, 04 June 2015 20:18 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/a9BPrlkT1CPr45okAAuDOoiYr9c>

On Thu, Jun 04, 2015 at 03:21:33PM -0400, Rene Struik wrote:
> I think one lesson one can draw from "piecemeal polls" is that it might make
> it harder to consider system-wide trade-offs.
> 
> Hence, the questions in my email of yesterday, June 3, 2015, 5.14pm EDT, see
> http://www.ietf.org/mail-archive/web/cfrg/current/msg06875.html. I think
> these still stand.

Going through briefly.

- Randomly generating k in Schnorr is very dangerous. And the dangers go
  far beyond testability.
- One can do deterministic one-pass Schnorr at the cost of requiring nonces
  (the usual definition, not the bizarro one ECDSA uses).
- However, I think that is still too dangerous for main mode.
- The message size argument is that since verification is not streamable,
  and thus large messages cause pain for verifiers, let's also cause pain
  for signers in order to keep those message sizes in check.


-Ilari
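
Added example, not part of the original message or of any CFRG draft: a toy Schnorr signer that contrasts deriving k from the message (two passes over the message) with deriving k from a caller-supplied nonce (one pass), and shows what a repeated nonce costs. It assumes "one-pass" means k = H(prefix, nonce); the group parameters, the secret `prefix` input and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy group, far too small for real use: p = 2q + 1 with p and q
# prime, and g = 4 generating the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def h(*parts: bytes) -> int:
    """Hash length-prefixed parts to an integer mod Q."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(d.digest(), "big") % Q

def enc(n: int) -> bytes:
    return n.to_bytes(2, "big")

def challenge(R: int, y: int, msg: bytes) -> int:
    return h(b"e", enc(R), enc(y), msg)

def sign(x: int, prefix: bytes, k_input: bytes, msg: bytes):
    """Schnorr signature (R, s); k is derived, never drawn from an RNG."""
    k = h(b"k", prefix, k_input)
    R = pow(G, k, P)
    return R, (k + challenge(R, pow(G, x, P), msg) * x) % Q

def sign_two_pass(x, prefix, msg):
    """k depends on the message, so the message is hashed twice."""
    return sign(x, prefix, msg, msg)

def sign_one_pass(x, prefix, nonce, msg):
    """k depends only on the caller's nonce; the message is hashed once."""
    return sign(x, prefix, nonce, msg)

def verify(y: int, msg: bytes, sig) -> bool:
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, y, msg), P) % P

def key_from_shared_r(y, m1, sig1, m2, sig2):
    """Return the private key if both signatures used the same k, else None."""
    (R1, s1), (R2, s2) = sig1, sig2
    e1, e2 = challenge(R1, y, m1), challenge(R2, y, m2)
    if R1 != R2 or e1 == e2:
        return None  # different k, or equal challenges: nothing to solve
    return (s1 - s2) * pow((e1 - e2) % Q, -1, Q) % Q
```

With `sign_two_pass` the same key and message always give the same signature, so fixed test vectors are possible. With `sign_one_pass`, two different messages signed under one nonce share R, and `key_from_shared_r` returns the private key from the two signatures alone.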