IETF Logo Mail Archive

Re: [Cfrg] EC signature: next steps

Simon Josefsson <simon@josefsson.org> Tue, 01 September 2015 18:36 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4CA71A887A for <cfrg@ietfa.amsl.com>; Tue, 1 Sep 2015 11:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.429
X-Spam-Level:
X-Spam-Status: No, score=-0.429 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2yINr9Bbt3dA for <cfrg@ietfa.amsl.com>; Tue, 1 Sep 2015 11:36:42 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8BD61A8AF6 for <cfrg@irtf.org>; Tue, 1 Sep 2015 11:36:41 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t81IaK8X015692 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 1 Sep 2015 20:36:21 +0200
Date: Tue, 01 Sep 2015 20:36:19 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Message-ID: <20150901203619.23a0f6bc@latte.josefsson.org>
In-Reply-To: <20150901154109.GA1874@LK-Perkele-VII>
References: <55DD906F.3050607@isode.com> <D2035132.531EE%kenny.paterson@rhul.ac.uk> <55DDA21D.9060302@isode.com> <55DF3E3C.7020206@isode.com> <55E42414.3020805@isode.com> <8737yz4nfg.fsf@latte.josefsson.org> <20150831162832.GA16764@LK-Perkele-VII> <87vbbu39jd.fsf@latte.josefsson.org> <20150901154109.GA1874@LK-Perkele-VII>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; boundary="Sig_/+J+a=RTLx_Z8hZWQWnuUpgu"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lR8gYgUnhVIPbc4aNbJCRifWTCc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] EC signature: next steps
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 18:36:46 -0000

Den Tue, 1 Sep 2015 18:41:09 +0300
skrev Re: EC signature: next steps:

> On Tue, Sep 01, 2015 at 09:04:22AM +0200, Simon Josefsson wrote:
> > Ilari Liusvaara <ilari.liusvaara@elisanet.fi> writes:
> > 
> > > On Mon, Aug 31, 2015 at 03:06:43PM +0200, Simon Josefsson wrote:
> > >> Alexey Melnikov <alexey.melnikov@isode.com> writes:
> > >> 
> > >> > - are there errors of fact or omission that need to be
> > >> > corrected?
> > >> 
> > >> 1) I don't understand by this part of Ilari's writeup: 'dictated
> > >> by ???'.
> > >
> > > I earlier tought that the prehash comes from the key, but then
> > > read comment by DJB stating that this is not the case.
> > 
> > Do you have a reference?  I believe the
> > http://ed25519.cr.yp.to/eddsa-20150704.pdf paper is clear on this.
> > Simply explained, the prehash is a parameter of the signature
> > system.
> 
> So it is denoted in the key (since signature system parameters need to
> be fixed by the key) after all?

I don't understand what you mean by "denoted in the key"?  The encoding
of the public key does not contain the prehash OID or anything similar,
if that is what you refer to.

The prehash is a parameter of the signature system, similar to many
other parameters (curve, base point, encodings, etc).  A key is only
valid for a particular signature system, unless some other (likely
higher level) protocol or mechanism specify how it could safely be used
with another signature system.

> > > As for personalization, the problem is that protocols A and B (or
> > > even just different versions of the same protocol!) can interpret
> > > the same message in rather different ways.
> > 
> > Do you have a concrete example?  I would consider that a protocol
> > flaw.
> 
> The problem is that each protocol or version might be reasonable
> alone, but still interact badly.
> 
> The worst are "challenge signing" protocols. One could argue that is a
> design flaw, but that kind of construct is used because it is simple.

Are there any IETF protocols like that?  I'm not sure if this is an
imaginary or real problem.  The traditional solution is to use one key
per protocol anyway.

> > >> 3) What is NPOT?
> > >
> > > (Order) Near Power Of Two. The difference of order and nearest
> > > power of two is on order of sqrt(l).
> > >
> > > Such orders produce even distributions of x mod l, where x is n
> > > bits long with smaller n than usual.
> > >
> > > Both Curve25519 and Curve448 are NPOT. 
> > 
> > How is this relevant to the chose of signature scheme?
> 
> It isn't really relevant.

Then I suggest either that it is dropped from the comparison, or that
its meaning/relevance is clarified.

/Simon

v2.23.0 | Report a Bug | By Email