Re: Curve25519-based EC-KCDSA



According to xmath <xmath.news@xxxxxxxxx>:
> But why the XOR instead of just sending h = hash(message, Y) and v,
> with the verifier confirming h == hash(message, vP + hG) ?

There are out there some APIs for having applications use private keys
which are, physically, in a smartcard or a hardware accelerator. Most
common are PKCS#11, Microsoft's CryptoAPI, and CDSA (which is officially
an open standard, but in practice Apple's API for this kind of thing).
All of these look a bit like this: the application loads a DLL and asks
it to generate the signature. The DLL knows how to talk to the involved
hardware.

These APIs allow the application to provide the hash of the message
instead of the message itself. Thus, the DLL and its hardware must be
able to compute the signature from the hash alone. Note that even if
your smartcard knows how to hash data, you probably do not want to send
your 10 MByte PowerPoint file into a smartcard; it would take quite a
long time for the transfer alone.

Therefore, a practical signature system, ready to be implemented and
deployed and used by Outlook Express, Firefox and their ilk, must assume
that only hash(message) is available, and not a hash partial evaluation
where you could smuggle additional data such as Y. Of course, you could
imagine cascading hashes, which means using hash(hash(message), Y), but
such cascading may make security proofs more complex, and I daresay
that the XOR is faster. As a side note, if the signing hardware is
really weak and has little time to perform its computation, then you
could precompute x, Y and hash(Y) (before seeing anything related to
the message) and the actual time-critical operation will need no hash
evaluation at all, if hash(message) is provided.


To sum up, I think that using hash(message) XOR h(Y) instead of
hash(message, Y) improves practical usage of the scheme in a production
environment.


--Thomas Pornin
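An added example, not code from this thread: a minimal KCDSA-style sign/verify in Python showing the split Thomas describes. x, Y = xG and h(Y) are precomputed, and the online signing step takes only hash(message), exactly what a PKCS#11-style hash-in API hands over; the verifier recomputes e = hash(message) XOR h(Y). It assumes secp256k1 with textbook affine arithmetic as a stand-in for Curve25519 and SHA-256 for both hashes; nothing here is constant time.

```python
import hashlib
import secrets
# secp256k1 parameters, used as a stand-in curve (assumption; Curve25519 is out of scope here)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    # Textbook affine addition; None stands for the point at infinity.
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P
def mul(k, pt):
    # Double-and-add; not constant time, illustration only.
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
def h_point(pt): return hashlib.sha256(pt[0].to_bytes(32, "big")).digest()  # h(Y)
def digest(msg): return hashlib.sha256(msg).digest()  # hash(message)
def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(pow(d, -1, N), G)  # KCDSA-style public key: d^-1 * G

def precompute():
    # Done before any message exists: x, Y = xG and h(Y).
    x = secrets.randbelow(N - 1) + 1
    return x, h_point(mul(x, G))

def xor_e(msg_hash, r):
    # e = hash(message) XOR h(Y), reduced into the scalar range.
    return int.from_bytes(bytes(a ^ b for a, b in zip(msg_hash, r)), "big") % N

def sign_hash(d, msg_hash, pre):
    # Online step: only hash(message) is needed, and no hash is evaluated here.
    x, r = pre
    return r, d * (x - xor_e(msg_hash, r)) % N

def verify(pub, msg_hash, sig):
    # s*pub + e*G == x*G, so hashing that point must give back r.
    r, s = sig
    w = add(mul(s, pub), mul(xor_e(msg_hash, r), G))
    return w is not None and h_point(w) == r
```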