Re: [Cfrg] EC signature: next steps
Simon Josefsson <simon@josefsson.org> Tue, 01 September 2015 18:36 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4CA71A887A for <cfrg@ietfa.amsl.com>; Tue, 1 Sep 2015 11:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.429
X-Spam-Level:
X-Spam-Status: No, score=-0.429 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2yINr9Bbt3dA for <cfrg@ietfa.amsl.com>; Tue, 1 Sep 2015 11:36:42 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8BD61A8AF6 for <cfrg@irtf.org>; Tue, 1 Sep 2015 11:36:41 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t81IaK8X015692 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 1 Sep 2015 20:36:21 +0200
Date: Tue, 01 Sep 2015 20:36:19 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Message-ID: <20150901203619.23a0f6bc@latte.josefsson.org>
In-Reply-To: <20150901154109.GA1874@LK-Perkele-VII>
References: <55DD906F.3050607@isode.com> <D2035132.531EE%kenny.paterson@rhul.ac.uk> <55DDA21D.9060302@isode.com> <55DF3E3C.7020206@isode.com> <55E42414.3020805@isode.com> <8737yz4nfg.fsf@latte.josefsson.org> <20150831162832.GA16764@LK-Perkele-VII> <87vbbu39jd.fsf@latte.josefsson.org> <20150901154109.GA1874@LK-Perkele-VII>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; boundary="Sig_/+J+a=RTLx_Z8hZWQWnuUpgu"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lR8gYgUnhVIPbc4aNbJCRifWTCc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] EC signature: next steps
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 18:36:46 -0000
Den Tue, 1 Sep 2015 18:41:09 +0300 skrev Re: EC signature: next steps: > On Tue, Sep 01, 2015 at 09:04:22AM +0200, Simon Josefsson wrote: > > Ilari Liusvaara <ilari.liusvaara@elisanet.fi> writes: > > > > > On Mon, Aug 31, 2015 at 03:06:43PM +0200, Simon Josefsson wrote: > > >> Alexey Melnikov <alexey.melnikov@isode.com> writes: > > >> > > >> > - are there errors of fact or omission that need to be > > >> > corrected? > > >> > > >> 1) I don't understand by this part of Ilari's writeup: 'dictated > > >> by ???'. > > > > > > I earlier tought that the prehash comes from the key, but then > > > read comment by DJB stating that this is not the case. > > > > Do you have a reference? I believe the > > http://ed25519.cr.yp.to/eddsa-20150704.pdf paper is clear on this. > > Simply explained, the prehash is a parameter of the signature > > system. > > So it is denoted in the key (since signature system parameters need to > be fixed by the key) after all? I don't understand what you mean by "denoted in the key"? The encoding of the public key does not contain the prehash OID or anything similar, if that is what you refer to. The prehash is a parameter of the signature system, similar to many other parameters (curve, base point, encodings, etc). A key is only valid for a particular signature system, unless some other (likely higher level) protocol or mechanism specify how it could safely be used with another signature system. > > > As for personalization, the problem is that protocols A and B (or > > > even just different versions of the same protocol!) can interpret > > > the same message in rather different ways. > > > > Do you have a concrete example? I would consider that a protocol > > flaw. > > The problem is that each protocol or version might be reasonable > alone, but still interact badly. > > The worst are "challenge signing" protocols. One could argue that is a > design flaw, but that kind of construct is used because it is simple. Are there any IETF protocols like that? I'm not sure if this is an imaginary or real problem. The traditional solution is to use one key per protocol anyway. > > >> 3) What is NPOT? > > > > > > (Order) Near Power Of Two. The difference of order and nearest > > > power of two is on order of sqrt(l). > > > > > > Such orders produce even distributions of x mod l, where x is n > > > bits long with smaller n than usual. > > > > > > Both Curve25519 and Curve448 are NPOT. > > > > How is this relevant to the chose of signature scheme? > > It isn't really relevant. Then I suggest either that it is dropped from the comparison, or that its meaning/relevance is clarified. /Simon
- [Cfrg] EC signature: next steps Alexey Melnikov
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] EC signature: next steps Watson Ladd
- [Cfrg] EC signature: next steps Dan Brown
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Dan Brown
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- [Cfrg] Side inputs to signature systems D. J. Bernstein
- Re: [Cfrg] Side inputs to signature systems Natanael
- Re: [Cfrg] EC signature: next steps Simon Josefsson
- Re: [Cfrg] Side inputs to signature systems Michael Hamburg
- Re: [Cfrg] EC signature: next steps Rene Struik
- Re: [Cfrg] EC signature: next steps David Jacobson
- Re: [Cfrg] EC signature: next steps Mike Hamburg
- Re: [Cfrg] EC signature: next steps William Whyte
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Ilari Liusvaara
- Re: [Cfrg] EC signature: next steps Stephen Farrell
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] EC signature: next steps Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] key as message prefix => multi-key sec… Dan Brown
- [Cfrg] key as message prefix => multi-key security D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Paterson, Kenny
- Re: [Cfrg] key as message prefix => multi-key sec… Sven Schäge
- Re: [Cfrg] key as message prefix => multi-key sec… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] key as message prefix => multi-key sec… William Whyte
- Re: [Cfrg] key as message prefix => multi-key sec… Bill Cox
- Re: [Cfrg] key as message prefix => multi-key sec… Andrey Jivsov
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Eike Kiltz
- Re: [Cfrg] key as message prefix => multi-key sec… D. J. Bernstein
- Re: [Cfrg] key as message prefix => multi-key sec… Simon Josefsson