IETF Logo Mail Archive

Re: [Cfrg] EC signature: next steps

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 04 September 2015 20:26 UTC

Return-Path: <prvs=66896595dd=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD2141A1B12 for <cfrg@ietfa.amsl.com>; Fri, 4 Sep 2015 13:26:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.208
X-Spam-Level:
X-Spam-Status: No, score=-6.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fu8zO8cXV7Pc for <cfrg@ietfa.amsl.com>; Fri, 4 Sep 2015 13:26:35 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by ietfa.amsl.com (Postfix) with ESMTP id 37A0E1A1AAA for <cfrg@irtf.org>; Fri, 4 Sep 2015 13:26:34 -0700 (PDT)
Received: from LLE2K10-HUB02.mitll.ad.local (LLE2K10-HUB02.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id t84KQTWb023603; Fri, 4 Sep 2015 16:26:29 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, William Whyte <wwhyte@securityinnovation.com>, Rene Struik <rstruik.ext@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] EC signature: next steps
Thread-Index: AQHQ49Ly0+OBS3Ns50qZf3WjCbEV4J4spWEAgABNPoCAACZhgP//v0iA
Date: Fri, 04 Sep 2015 20:26:28 +0000
Message-ID: <D20F7586.1E8D9%uri@ll.mit.edu>
References: <55DD906F.3050607@isode.com> <D2035132.531EE%kenny.paterson@rhul.ac.uk> <55DDA21D.9060302@isode.com> <55DF3E3C.7020206@isode.com> <55E42414.3020805@isode.com> <55E99B7C.6020509@gmail.com> <1822507ba15947761d52dadf31b88f52@mail.gmail.com> <55E9FC79.50302@cs.tcd.ie>
In-Reply-To: <55E9FC79.50302@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.4.150722
x-originating-ip: [172.25.177.187]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3524228783_333550"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-09-04_09:2015-09-04,2015-09-04,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1508030000 definitions=main-1509040324
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/eWjjGOjLUb3p1NFISoxifBVJNRU>
Subject: Re: [Cfrg] EC signature: next steps
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Sep 2015 20:26:38 -0000

It took us all a while to get here. If it takes a bit longer to get it
right, so be it.

There’s ECDSA and EC-KCDSA for those who can’t wait any longer. :-)  Not
to mention [F]HMQV. :-)
-- 
Regards,
Uri Blumenthal





On 9/4/15, 16:18 , "Cfrg on behalf of Stephen Farrell"
<cfrg-bounces@mail.ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:

>
>If the cost of supporting any of the things Rene mentions is *any*
>delay, I'm against.
>
>S.
>
>On 04/09/15 19:00, William Whyte wrote:
>> I also like the idea of being able to sign and verify without providing
>> the public key as part of the hash input.
>> 
>> Cheers,
>> 
>> William
>> 
>> -----Original Message-----
>> From: Cfrg [mailto:cfrg-bounces@mail.ietf.org] On Behalf Of Rene Struik
>> Sent: Friday, September 04, 2015 8:24 AM
>> To: Alexey Melnikov; cfrg@irtf.org
>> Subject: Re: [Cfrg] EC signature: next steps
>> 
>> Dear colleagues:
>> 
>> I think the signature scheme should facilitate the following:
>> a) signature generation.
>> Ideally, signing should be possible without requiring the signer to
>> access its public key (obviously, it does require the private key). For
>> Schnorr and ECDSA type schemes, one does not need to include the public
>> key in the signing process, since security in the multi-user setting is
>> roughly the same as in the single-user setting (see [1], [2]).
>> b) signature verification.
>> If the public key of the signer is not included with signing, it is also
>> generally not required with verification (if the signature includes the
>> ephemeral signing key), since then the public key of the signer can be
>> reconstructed from the signature itself (with Schnorr signature (R,s)
>> over message m, one has Q=(1/h)(R-sG), where h=H(R,m)). This may have
>> advantages in settings with certificate chains and with single
>> signatures (where one can reduce overhead to identify the public key of
>> the signer).
>> c) reuse of same signing key with IUF/non-IUF schemes.
>> Ideally, one should be able to use the same signing key, no matter
>> whether one uses the signature scheme in the so-called IUF setting or in
>> the non-IUF setting. If I understand correctly, consensus is to only
>> specify an IUF-scheme, but even then, the design should be so that it
>> can support both flavors. This should *not* be left to applications to
>> specify (and can also easily be done).
>> d) same signature scheme for Weierstrass curves, (twisted) Edwards
>> curves, and Montgomery curves.
>> The signature scheme should work for all these three schemes and not
>> just for (twisted) Edwards curves. Ideally, it should also work for Huff
>> curves, Jacobian curves, etc., without requiring any changes outside the
>> scalar multiplication routine.
>> 
>> Best regards, Rene
>> 
>> Ref:
>> [1] A. Menezes, N.P. Smart, "Security of Signature Schemes in A
>> Multi-User Setting", CACR-Corr-2001-063.
>> [2] J. Malone Lee, S. Galbraith, N. P. Smart, "Public Key Signatures in
>> the Multi-User Setting", Inform.Proc.Letters, 2002.
>> 
>> 
>> 
>> 
>> On 8/31/2015 5:53 AM, Alexey Melnikov wrote:
>>> Dear CFRG participants,
>>>
>>> Many thanks to Ilari for posting this updated summary of where things
>>> currently stand. Kenny and I would now like to run a short discussion
>>> focusing on this summary, with our intention being to flush out any
>>>last
>>> issues or additional points of comparison between the different schemes
>>> that everyone should be aware of.
>>>
>>> Once everyone has kicked the tires, so to speak, we plan to move to a
>>> poll to decide which scheme CFRG should focus on writing up and
>>>formally
>>> recommending. We, as chairs, are hoping these steps will get us to the
>>> finishing line.
>>>
>>> So:
>>>
>>> - are there important characteristics or points of comparison that
>>> Ilari's summary does not cover?
>>>
>>> - are there errors of fact or omission that need to be corrected?
>>>
>>> - anything else?
>>>
>>>
>>> We'll let this discussion run for exactly one week, but we might extend
>>> the time if the discussion is still going strong and new arguments or
>>> points of comparison are brought up. After that, if no major new
>>> information is brought up, we will start the Quaker poll for selecting
>>>a
>>> single CFRG-recommended signature scheme.
>>>
>>>
>>> Best Regards,
>>> Kenny and Alexey
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@mail.ietf.org
>>> https://mail.ietf.org/mailman/listinfo/cfrg
>> 
>> 
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@mail.ietf.org
>https://mail.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email