Re: [TLS] [Cfrg] FW: Schnorr Signatures

Nigel Smart <nigel@cs.bris.ac.uk> Thu, 26 June 2014 20:56 UTC

Return-Path: <csnps@bristol.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6658A1A028F for <tls@ietfa.amsl.com>; Thu, 26 Jun 2014 13:56:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id njNFWwJXybpY for <tls@ietfa.amsl.com>; Thu, 26 Jun 2014 13:56:23 -0700 (PDT)
Received: from eu1sys200aog128.obsmtp.com (eu1sys200aog128.obsmtp.com [207.126.144.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A4601A019E for <tls@ietf.org>; Thu, 26 Jun 2014 13:56:22 -0700 (PDT)
Received: from mail-wi0-f174.google.com ([209.85.212.174]) (using TLSv1) by eu1sys200aob128.postini.com ([207.126.147.11]) with SMTP ID DSNKU6yI8gyECwx5/7x22811P3GsNNI72x3B@postini.com; Thu, 26 Jun 2014 20:56:22 UTC
Received: by mail-wi0-f174.google.com with SMTP id bs8so1810192wib.1 for <tls@ietf.org>; Thu, 26 Jun 2014 13:56:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:sender:message-id:date:from:user-agent :mime-version:to:subject:content-type:content-transfer-encoding; bh=lpGqJ7zFoXvc2aJg5p/i5jm5VnEdelD1z1Ptn4o1wrQ=; b=O0vfj8ESSJAE3+EzaVubjIfQsRlS2VbENkExMzOJk692G2TYEgBAl5OpcXHHHhk9Cn QH+1O3ogzpqQ2SDFtuXtQF9a/7nrrwYNOoo0s3NMCG4h3AV4wQBJcy20QrasOKiFqPGC l0zVNjPZCbEdwI5kTqfM4dmYEquFuS+UsZEDa8OqP5kusie7oy+oR0iq+p0K09Ihd77h eW8goUExAl5yEioR166im9dG2nKodsitHvybeIOB4x6bLv5N76P0I5D5Cbl0HsgEr0y6 9f6YBhj6mQ/82GnffjEEWXFGzhdXOtYlh/vhbsGR+tHuRsntTPykqAsdmQfUo7TOO5M7 eoRg==
X-Gm-Message-State: ALoCoQk+I/1CJzuB1gzY9klDNt4K9/wcjfdvYEsNvxEyJBRDlvTJouJY2izqN2tsMGyHqI5GyqGKCXCWbtQpG2nFLYPDXnExb3AsH/ROkvtS/W7go5lAWnqc6OlYSuU8qWDLv9RMUA8+
X-Received: by 10.194.142.148 with SMTP id rw20mr20154469wjb.69.1403816178306; Thu, 26 Jun 2014 13:56:18 -0700 (PDT)
X-Received: by 10.194.142.148 with SMTP id rw20mr20154461wjb.69.1403816178128; Thu, 26 Jun 2014 13:56:18 -0700 (PDT)
Received: from [192.168.1.242] ([95.144.51.46]) by mx.google.com with ESMTPSA id v17sm16739084wjr.33.2014.06.26.13.56.16 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 26 Jun 2014 13:56:17 -0700 (PDT)
Sender: Nigel Smart <csnps@bristol.ac.uk>
Message-ID: <53AC88F2.7020405@cs.bris.ac.uk>
Date: Thu, 26 Jun 2014 21:56:18 +0100
From: Nigel Smart <nigel@cs.bris.ac.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tls@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/PsdlV9qoAwJp070WUT0XwqDnzcE
Subject: Re: [TLS] [Cfrg] FW: Schnorr Signatures
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jun 2014 20:56:25 -0000

>
>
> Schnorr permits batching and is faster as there is no inverse. But to
> take full advantage, you have to send R, the temporary point, not just
> the x-coordinate. With point compression this is easy, without the
> signature gets a little bigger.

With Schnorr you dont send the x-coord of R. What you send is
half the hash value e
	e=Hash(R||Message)
So if using SHA-256 you send 128 bits of e over.

Batching is not so important for TLS. With Schnorr however
you can do distributed signing much easier, which means you can
protect your signing key much easier

Nigel
-- 
Prof. Nigel P. Smart         | Tel +44 (0)117 9545163
Computer Science Department, | Fax +44 (0)117 9545208
Woodland Road,               | Email nigel@cs.bris.ac.uk
Bristol, BS8 1UB, UK         | http://www.cs.bris.ac.uk~nigel