Re: [Cfrg] Help with the use of contexts

"D. J. Bernstein" <> Mon, 16 January 2017 20:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1FA64129670 for <>; Mon, 16 Jan 2017 12:09:59 -0800 (PST)
X-Quarantine-ID: <LkqigzxS-ry0>
X-Virus-Scanned: amavisd-new at
X-Amavis-Alert: BANNED, message contains text/plain,.exe
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LkqigzxS-ry0 for <>; Mon, 16 Jan 2017 12:09:57 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id BA59F129667 for <>; Mon, 16 Jan 2017 12:09:55 -0800 (PST)
Received: (qmail 13541 invoked by uid 1017); 16 Jan 2017 20:09:52 -0000
Received: from unknown (unknown) by unknown with QMTP; 16 Jan 2017 20:09:52 -0000
Received: (qmail 6537 invoked by uid 1000); 16 Jan 2017 20:09:48 -0000
Date: Mon, 16 Jan 2017 20:09:48 -0000
Message-ID: <>
From: "D. J. Bernstein" <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [Cfrg] Help with the use of contexts
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 16 Jan 2017 20:09:59 -0000

Adam Langley writes:
> The way that this is constructed (due to me) is generic for any
> signature scheme. (Basically just have the context string be
> NUL-terminated at the beginning of the signed message.)

In other words, there's still a simple sign-a-message layer that uses
the standard signature API, that works with all signature systems, and
that minimizes costs for implementors and auditors. On top of this
there's a universal

   def sign_a_context_and_data(c,d):
     if '\0' in c: raise Exception('NUL not allowed in contexts')
     return sign(c + '\0' + d)

layer used by the protocol (and by any other protocols that want it).
Everyone can see how this works from a spec perspective and from a
software-engineering perspective.

For comparison, trying to modify the interface and specification of
every sign() function creates a transition nightmare, with nobody able
to answer basic questions about how this approach is actually supposed
to work. What's the advantage supposed to be?

I would really like to see this unnecessary complexity eliminated from
CFRG's signature specifications. Please see

for further comments.