[TLS] Schnorr Signatures

Nigel Smart <nigel@cs.bris.ac.uk> Wed, 25 June 2014 08:28 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/p1O87r2lm34ZCjqs4IMp06LXIAM

Hi

[First post to list so please ignore any breaking of etiquette etc]

As we are moving to TLS 1.3 I wondered why not include EC-Schnorr
signatures in the standard as a possible addition to EC-DSA for the signing.
Some notes...

i)    Schnorr is faster than EC-DSA
ii)   Patent has expired
iii)  Shorter signatures
iv)   Has a proper proof of security and not "tainted" by NSA design
      - Unlike EC-DSA in both instances.
v)    Protects against hash collisions, i.e. any hash function break
      involving collisions does not provide an attack on the signature scheme.
vi)   Allows various other tricks to be done more easily
vii)  Already standardized in ISO. The ISO standard just gives Schnorr as a
      tweak on the EC-DSA signature. So there is not much work to do.
viii) Can use the same EC-DSA certs as EC-DSA signing. All that changes
      is how the signing equation is generated and verified.

Cheers

Nigel
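
The following is an added example, not part of the original message: a pure-Python sketch on NIST P-256 that signs with one key pair under both EC-DSA and a textbook EC-Schnorr, illustrating points v) and viii). The helper names, the (e, s) signature form and the point encoding are assumptions of this sketch, not the ISO encoding, and the arithmetic is not constant time.

```python
import hashlib, secrets
# NIST P-256 domain parameters: y^2 = x^3 - 3x + b over GF(p), base point G of order n
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(P, Q):  # affine point addition; None is the point at infinity
    if P is None or Q is None: return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, p) if P == Q
           else (y2 - y1) * pow((x2 - x1) % p, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):  # double-and-add; NOT constant time, illustration only
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def H(msg, R=None):  # SHA-256 as an integer; R (if given) is prepended as x || y
    pre = b"" if R is None else R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(pre + msg).digest(), "big")

def ecdsa_sign(d, msg):  # s = k^-1 (H(m) + r d) mod n: needs a modular inversion
    k = secrets.randbelow(n - 1) + 1
    r = mul(k, G)[0] % n
    return (r, pow(k, -1, n) * (H(msg) + r * d) % n)

def ecdsa_verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < n and 0 < s < n): return False
    w = pow(s, -1, n)
    R = add(mul(H(msg) * w % n, G), mul(r * w % n, Q))
    return R is not None and R[0] % n == r

def schnorr_sign(d, msg):  # s = k + e d mod n; the fresh nonce point R is hashed with msg
    k = secrets.randbelow(n - 1) + 1
    e = H(msg, mul(k, G)) % n
    return (e, (k + e * d) % n)

def schnorr_verify(Q, msg, sig):
    e, s = sig
    if not (0 <= e < n and 0 <= s < n): return False
    R = add(mul(s, G), mul(n - e, Q))  # sG - eQ recovers R = kG
    return R is not None and H(msg, R) % n == e
```

With a private scalar d and public point Q = mul(d, G), both schemes verify against the same Q; only the signing and verification equations differ.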