Re: [Cfrg] EC signature: next steps
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 04 September 2015 20:26 UTC
Return-Path: <prvs=66896595dd=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD2141A1B12 for <cfrg@ietfa.amsl.com>; Fri, 4 Sep 2015 13:26:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.208
X-Spam-Level:
X-Spam-Status: No, score=-6.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fu8zO8cXV7Pc for <cfrg@ietfa.amsl.com>; Fri, 4 Sep 2015 13:26:35 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by ietfa.amsl.com (Postfix) with ESMTP id 37A0E1A1AAA for <cfrg@irtf.org>; Fri, 4 Sep 2015 13:26:34 -0700 (PDT)
Received: from LLE2K10-HUB02.mitll.ad.local (LLE2K10-HUB02.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id t84KQTWb023603; Fri, 4 Sep 2015 16:26:29 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, William Whyte <wwhyte@securityinnovation.com>, Rene Struik <rstruik.ext@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] EC signature: next steps
Thread-Index: AQHQ49Ly0+OBS3Ns50qZf3WjCbEV4J4spWEAgABNPoCAACZhgP//v0iA
Date: Fri, 04 Sep 2015 20:26:28 +0000
Message-ID: <D20F7586.1E8D9%uri@ll.mit.edu>
References: <55DD906F.3050607@isode.com> <D2035132.531EE%kenny.paterson@rhul.ac.uk> <55DDA21D.9060302@isode.com> <55DF3E3C.7020206@isode.com> <55E42414.3020805@isode.com> <55E99B7C.6020509@gmail.com> <1822507ba15947761d52dadf31b88f52@mail.gmail.com> <55E9FC79.50302@cs.tcd.ie>
In-Reply-To: <55E9FC79.50302@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.4.150722
x-originating-ip: [172.25.177.187]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3524228783_333550"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-09-04_09:2015-09-04,2015-09-04,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1508030000 definitions=main-1509040324
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/eWjjGOjLUb3p1NFISoxifBVJNRU>
Subject: Re: [Cfrg] EC signature: next steps
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Sep 2015 20:26:38 -0000
It took us all a while to get here. If it takes a bit longer to get it right, so be it. There’s ECDSA and EC-KCDSA for those who can’t wait any longer. :-) Not to mention [F]HMQV. :-) -- Regards, Uri Blumenthal On 9/4/15, 16:18 , "Cfrg on behalf of Stephen Farrell" <cfrg-bounces@mail.ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote: > >If the cost of supporting any of the things Rene mentions is *any* >delay, I'm against. > >S. > >On 04/09/15 19:00, William Whyte wrote: >> I also like the idea of being able to sign and verify without providing >> the public key as part of the hash input. >> >> Cheers, >> >> William >> >> -----Original Message----- >> From: Cfrg [mailto:cfrg-bounces@mail.ietf.org] On Behalf Of Rene Struik >> Sent: Friday, September 04, 2015 8:24 AM >> To: Alexey Melnikov; cfrg@irtf.org >> Subject: Re: [Cfrg] EC signature: next steps >> >> Dear colleagues: >> >> I think the signature scheme should facilitate the following: >> a) signature generation. >> Ideally, signing should be possible without requiring the signer to >> access its public key (obviously, it does require the private key). For >> Schnorr and ECDSA type schemes, one does not need to include the public >> key in the signing process, since security in the multi-user setting is >> roughly the same as in the single-user setting (see [1], [2]). >> b) signature verification. >> If the public key of the signer is not included with signing, it is also >> generally not required with verification (if the signature includes the >> ephemeral signing key), since then the public key of the signer can be >> reconstructed from the signature itself (with Schnorr signature (R,s) >> over message m, one has Q=(1/h)(R-sG), where h=H(R,m)). This may have >> advantages in settings with certificate chains and with single >> signatures (where one can reduce overhead to identify the public key of >> the signer). >> c) reuse of same signing key with IUF/non-IUF schemes. >> Ideally, one should be able to use the same signing key, no matter >> whether one uses the signature scheme in the so-called IUF setting or in >> the non-IUF setting. If I understand correctly, consensus is to only >> specify an IUF-scheme, but even then, the design should be so that it >> can support both flavors. This should *not* be left to applications to >> specify (and can also easily be done). >> d) same signature scheme for Weierstrass curves, (twisted) Edwards >> curves, and Montgomery curves. >> The signature scheme should work for all these three schemes and not >> just for (twisted) Edwards curves. Ideally, it should also work for Huff >> curves, Jacobian curves, etc., without requiring any changes outside the >> scalar multiplication routine. >> >> Best regards, Rene >> >> Ref: >> [1] A. Menezes, N.P. Smart, "Security of Signature Schemes in A >> Multi-User Setting", CACR-Corr-2001-063. >> [2] J. Malone Lee, S. Galbraith, N. P. Smart, "Public Key Signatures in >> the Multi-User Setting", Inform.Proc.Letters, 2002. >> >> >> >> >> On 8/31/2015 5:53 AM, Alexey Melnikov wrote: >>> Dear CFRG participants, >>> >>> Many thanks to Ilari for posting this updated summary of where things >>> currently stand. Kenny and I would now like to run a short discussion >>> focusing on this summary, with our intention being to flush out any >>>last >>> issues or additional points of comparison between the different schemes >>> that everyone should be aware of. >>> >>> Once everyone has kicked the tires, so to speak, we plan to move to a >>> poll to decide which scheme CFRG should focus on writing up and >>>formally >>> recommending. We, as chairs, are hoping these steps will get us to the >>> finishing line. >>> >>> So: >>> >>> - are there important characteristics or points of comparison that >>> Ilari's summary does not cover? >>> >>> - are there errors of fact or omission that need to be corrected? >>> >>> - anything else? >>> >>> >>> We'll let this discussion run for exactly one week, but we might extend >>> the time if the discussion is still going strong and new arguments or >>> points of comparison are brought up. After that, if no major new >>> information is brought up, we will start the Quaker poll for selecting >>>a >>> single CFRG-recommended signature scheme. >>> >>> >>> Best Regards, >>> Kenny and Alexey >>> >>> _______________________________________________ >>> Cfrg mailing list >>> Cfrg@mail.ietf.org >>> https://mail.ietf.org/mailman/listinfo/cfrg >> >> > >_______________________________________________ >Cfrg mailing list >Cfrg@mail.ietf.org >https://mail.ietf.org/mailman/listinfo/cfrg
- [Cfrg] EC signature: next steps Alexey Melnikov
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] EC signature: next steps Watson Ladd
- [Cfrg] EC signature: next steps Dan Brown
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Dan Brown
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- [Cfrg] Side inputs to signature systems D. J. Bernstein
- Re: [Cfrg] Side inputs to signature systems Natanael
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] Side inputs to signature systems Michael Hamburg
- Re: [Cfrg] EC signature: next steps Rene Struik
- Re: [Cfrg] EC signature: next steps David Jacobson
- Re: [Cfrg] EC signature: next steps Mike Hamburg
- Re: [Cfrg] EC signature: next steps William Whyte
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] key as message prefix => multi-key sec… Dan Brown
- [Cfrg] key as message prefix => multi-key security D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Paterson, Kenny
- Re: [Cfrg] key as message prefix => multi-key sec… Sven Schäge
- Re: [Cfrg] key as message prefix => multi-key sec… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] key as message prefix => multi-key sec… William Whyte
- Re: [Cfrg] key as message prefix => multi-key sec… Bill Cox
- Re: [Cfrg] key as message prefix => multi-key sec… Andrey Jivsov
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Eike Kiltz
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Simon Josefsson