[Cfrg] Schnorr signature encodings
Bryan Ford <brynosaurus@gmail.com> Wed, 22 July 2015 15:39 UTC
Return-Path: <brynosaurus@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EA5A1A000B for <cfrg@ietfa.amsl.com>; Wed, 22 Jul 2015 08:39:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0PRaxU2vkmPU for <cfrg@ietfa.amsl.com>; Wed, 22 Jul 2015 08:39:54 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 623B31A0113 for <cfrg@irtf.org>; Wed, 22 Jul 2015 08:39:19 -0700 (PDT)
Received: by wicmv11 with SMTP id mv11so86947188wic.0 for <cfrg@irtf.org>; Wed, 22 Jul 2015 08:39:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=ymZANViiQiZiO6tLKXCGI5NRxRlOYB8gNSWVxWpRqL8=; b=XJAsGIXZeB4nY53WANSwrQXiLN0+oHrJzuEui7Rz6CLxbwiD9Indushw42LofwFPV3 5MhC98QVgLk8optDWHdc0uIjqAWTx/z8a4VA34hjJsZ7u14kyVhy3P3eETf84D51fwc2 3R3HnWIeSImEEcJeRZUIHwgMtqrcU1v+xsdX130ucnJIrsionjnyBTEZFPV01CKptcX1 GbMN24fu/4qgl60ISJFhrK43ncXRDfD2CMWOYiNIjn1OwVdjSRRr03RZTKxrLnNfVxzk H3KSq6KG1NI/58RjOTDogZa6zWLgcLNo31LscM0Z67atcrGjr0l66TA0FqeQG8HspEre nnrg==
X-Received: by 10.181.11.229 with SMTP id el5mr7579202wid.40.1437579557991; Wed, 22 Jul 2015 08:39:17 -0700 (PDT)
Received: from dhcp-894d.meeting.ietf.org ([31.133.139.77]) by smtp.gmail.com with ESMTPSA id ib9sm2984738wjb.2.2015.07.22.08.39.16 for <cfrg@irtf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 22 Jul 2015 08:39:17 -0700 (PDT)
From: Bryan Ford <brynosaurus@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_B5BA6916-8F55-4E06-9097-BBDA6ABBBB1E"; protocol="application/pkcs7-signature"; micalg="sha1"
Message-Id: <9DF9AC6F-A9D9-4DF8-8D82-F6A238D9E609@gmail.com>
Date: Wed, 22 Jul 2015 17:39:15 +0200
To: "cfrg@irtf.org" <cfrg@irtf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/eE584uhpY47SrVUXSGbtG5_J30o>
Subject: [Cfrg] Schnorr signature encodings
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 15:39:56 -0000
I wanted to thank Mike Hamburg again for a nice summary today of some of the tradeoffs between the (point,int) and (int,int) formats for Schnorr signatures. The two formats appear to be - or could be defined to be - fully inter-convertible: a signature in either format can be converted to the other via a simple 1-to-1 transformation. One format is a bit larger but amenable to batch verification; hence we might call this “Fast Format.” The other format (challenge-response) can be ~25% shorter and requires no point parsing for verification; hence we might call this “Short Format.” There seems to be a bit of a parallel between this choice and the two standard point encodings (“normal” versus “compressed”) that are defined for the established NIST-standard elliptic curves, and both of which are routinely used in practice. As such, without suggesting that this is necessarily the right thing to do, it might be worth considering the possibility that any CFRG-standard signature scheme could simply specify both formats, with the simple and obvious method of converting either to the other, and leave it to the higher-level protocol or application to decide which format is used in that particular application/protocol context (or let the application protocol provide a way to select/negotiate between the two if that proves sufficiently desirable for a particular application). Of course there are clear downsides to any standard specifying two different possible encoding formats for the same logical blob - e.g., size/complexity of the standard, accidental risk of breakage by communication parters failing to agree which format is being used, etc. It’s not immediately clear to me whether the flexibility benefits of “providing that choice” justify the complexity cost. Bryan
- [Cfrg] Schnorr signature encodings Bryan Ford