
List:       cfrg
Subject:    [CFRG] Reply: I-D Action: draft-irtf-cfrg-det-sigs-with-no
From:       Niu Danny <dannyniu () hotmail ! com>
Date:       2024-03-23 5:19:37
Message-ID: OS3P286MB19204E10FABE372D06FFC86EC1302 () OS3P286MB1920 ! JPNP286 ! PROD ! OUTLOOK ! COM

From the perspective of the context string feature, I think it's good - previously I implemented context string using un-finalized hashing context copying, where I feed context string into the hashing context without finalizing it, and copying it for use when signing; draft-03 made me change the way I implement it.

If you can provide a discussion of performance of hashing call counts and compatibility with pre-hash variants, I think it'll be convincing enough to adopt that in the next draft(s).

From: CFRG <cfrg-bounces@irtf.org> on behalf of D. J. Bernstein <djb@cr.yp.to>
Date: Friday, 22 March 2024 15:08
To: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt
I think the best way to convert deterministic Ed25519 signing software
into randomized Ed25519 signing software is to overwrite noncekey with
H(noncekey,randomness) right after the usual derivation of noncekey from
the secret key, i.e., before computing nonce = H(noncekey,message).

This makes the code changes as simple as possible: for example, the
relevant changes from earlier code to lib25519 replaced

    unsigned char secret[64];
    crypto_hash_sha512(secret,sk,32);

with

    unsigned char secret[96];
    crypto_hash_sha512(secret,sk,32);
    randombytes(secret+64,32);
    crypto_hash_sha512(secret+32,secret+32,64);

and left everything else unchanged.

The main security risk from randomization comes from typical test
frameworks not being able to test randomized functions: basically, the
entire signing function ends up being tested merely for "yes, signatures
verify", so bugs in how nonces are generated won't be caught. Randomized
functions are tested in the lib25519 test framework, and aligning the
randomization details has the secondary advantage of allowing reuse of
test inputs and test outputs from lib25519.

---D. J. Bernstein

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://mailman.irtf.org/mailman/listinfo/cfrg

