[curves] Collective Edwards-Curve Digital Signature Algorithm

Bryan Ford brynosaurus at gmail.com
Wed Jul 5 02:21:55 PDT 2017

Thanks Greg for the feedback.  We’re aware of the proposals for delinearization mechanisms to increase robustness to related-key attacks such as key cancellation, and we’re completely open to refinements like these in an eventual standard for collective signatures.  I seem to recall that refinements like this were discussed on the CFRG list back in the work leading up to RFC 8032, but weren't adopted in that context for reasons I can't remember well - perhaps simply because the focus then was on individual rather than collective signatures. So perhaps then wasn’t the right time to discuss such enhancements, but maybe now is the right time.  Can anyone else remember exactly when that discussion occurred or find the relevant messages in the CFRG list archive?

At any rate, our Internet-Draft is intended to be just a first draft, not by any means a final specification. Our immediate goal is to get a critical mass of support within CFRG to adopt collective signing as a working group item. Once we get to that point, then we can begin the process of (collectively) figuring out exactly what that signing scheme should look like, including which particular hardening refinements (such as delinearization mechanisms) it should include.

So if you and/or others on this list are interested in seeing collective signing in some form move toward standardization, what would be ideal at the moment is if you could post to the CFRG mailing list an E-mail stating (a) that you support the CFRG adopting collective signing as a working group item, and (b) a list of issues or changes such as the above that you'd like to see considered in the context of that work, of which delinearization should certainly be a high-priority topic.


> On Jul 5, 2017, at 1:15 AM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> The lack of delinearization makes this rather fragile: if someone
> fails to check a key signature their key can be canceled.  Having to
> carry around those signatures also makes this approach unsuitable for
> some applications e.g. where keys are used once and the group is
> formed by the verifier instead of the signers, in that case the
> additional signatures plus the collective signature require more
> bandwidth and computation than normal single party signatures.
> On Tue, Jul 4, 2017 at 9:04 AM, Nicolas Gailly <nicolas.gailly at epfl.ch> wrote:
>> Hi all,
>> We recently published an Internet-Draft about “Collective Edwards-Curve Digital Signature Algorithms” based on Ed25519 and Ed448: https://datatracker.ietf.org/doc/draft-ford-cfrg-cosi/
>> We already submitted it to the CFRG mailing list (follow-up discussions in [0]), and since we thought that this community might also be interested, we wanted to reach out to this mailing list, too.
>> FWIW, we plan to give a short presentation on that topic at the next CFRG meeting in Prague (18th of July).
>> Any feedback is more than welcome. Thanks!
>> All the best,
>> Nicolas
>> [0] https://www.ietf.org/mail-archive/web/cfrg/current/msg09205.html
>> _______________________________________________
>> Curves mailing list
>> Curves at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/curves
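
To make the key-cancellation attack Greg describes concrete, and to show the two countermeasures the thread discusses (the draft's per-key self-signatures, and a delinearized aggregation), here is an added toy example in Python. It is not code from this thread or from draft-ford-cfrg-cosi. It uses Ed25519 group arithmetic, but the Schnorr-style signature layout, the repr-based hash-to-scalar encoding, the `("pop", X)` self-signature message, the `H("agg", keyset, X_i)` coefficients and the fixed nonces are all illustrative assumptions, not the draft's wire format.

```python
"""Toy collective Schnorr signing on Ed25519: the key-cancellation (rogue-key)
attack on naive key aggregation, plus two mitigations (self-signed keys and
delinearized aggregation).  Added example, not code from draft-ford-cfrg-cosi;
hash layouts and coefficient derivation below are illustrative assumptions."""
import hashlib

# Ed25519 constants, affine twisted-Edwards coordinates, plain Python ints.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # prime order of the base point
d = -121665 * pow(121666, p - 2, p) % p
I = pow(2, (p - 1) // 4, p)

def xrecover(y):
    xx = (y * y - 1) * pow(d * y * y + 1, p - 2, p)
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * I % p
    return p - x if x % 2 else x

By = 4 * pow(5, p - 2, p) % p
B = (xrecover(By), By)        # standard base point
O = (0, 1)                    # group identity

def add(P1, P2):
    x1, y1 = P1
    x2, y2 = P2
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p)

def mul(P1, k):
    """Double-and-add scalar multiplication (slow, but obviously correct)."""
    R = O
    for bit in bin(k % L)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P1)
    return R

def neg(P1):
    return ((-P1[0]) % p, P1[1])

def H(*parts):
    """Hash arbitrary Python values to a scalar mod L (toy encoding via repr)."""
    h = hashlib.sha512()
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "little") % L

def pubkey(x):
    return mul(B, x)

def sign(x, X, msg, r):
    """Schnorr signature (R, s) on msg under the (possibly aggregate) key X.
    r is the nonce; a real signer derives it from the secret key and msg."""
    R = mul(B, r)
    return R, (r + H(R, X, msg) * x) % L

def verify(X, msg, sig):
    R, s = sig
    return mul(B, s) == add(R, mul(X, H(R, X, msg)))

def naive_aggregate(keys):
    """Linear aggregation X = X_1 + ... + X_n, the form that admits cancellation."""
    X = O
    for Xi in keys:
        X = add(X, Xi)
    return X

def delinearized_aggregate(keys):
    """X~ = sum a_i * X_i with a_i = H(keyset, X_i): each coefficient depends on
    the whole key set, so no party can choose its key to cancel the others."""
    keyset = tuple(sorted(keys))
    X = O
    for Xi in keys:
        X = add(X, mul(Xi, H("agg", keyset, Xi)))
    return X

def rogue_key(honest_X, x_mal):
    """Attacker publishes x_mal*B - X_honest; the naive aggregate becomes x_mal*B."""
    return add(pubkey(x_mal), neg(honest_X))

def proof_of_possession(x, X, r):
    """Self-signature over the public key: the per-key signature check in question."""
    return sign(x, X, ("pop", X), r)

def demo():
    x1, x2, x_mal = 1234567890123, 9876543210987, 5555555555555   # constructed toy secrets
    msg = b"transfer 100 coins"
    X1, X2 = pubkey(x1), pubkey(x2)
    X_rogue = rogue_key(X1, x_mal)
    out = {}
    # 1. naive aggregation: the attacker alone produces a "collective" signature
    X_sum = naive_aggregate([X1, X_rogue])
    out["naive_forgery_verifies"] = verify(X_sum, msg, sign(x_mal, X_sum, msg, 4242))
    # 2. the rogue key carries no valid self-signature (its discrete log is unknown)
    out["rogue_pop_valid"] = verify(X_rogue, ("pop", X_rogue), proof_of_possession(x_mal, X_rogue, 4343))
    out["honest_pop_valid"] = verify(X1, ("pop", X1), proof_of_possession(x1, X1, 4444))
    # 3. delinearized aggregation: the same rogue key no longer cancels X1
    X_del = delinearized_aggregate([X1, X_rogue])
    out["delinearized_forgery_verifies"] = verify(X_del, msg, sign(x_mal, X_del, msg, 4545))
    # ...while two honest signers with effective secret a_1*x_1 + a_2*x_2 still verify
    keyset = tuple(sorted([X1, X2]))
    x_eff = (H("agg", keyset, X1) * x1 + H("agg", keyset, X2) * x2) % L
    X_del_honest = delinearized_aggregate([X1, X2])
    out["honest_delinearized_verifies"] = verify(X_del_honest, msg, sign(x_eff, X_del_honest, msg, 4646))
    return out

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the three points at issue: under plain key summation the attacker's rogue key `x_mal*B - X1` collapses the aggregate to a key only the attacker knows, so a single-party signature verifies as if both had signed; the rogue key cannot carry a valid self-signature, which is why skipping that check is what makes the scheme fragile; and with coefficients derived from the whole key set the same rogue key no longer cancels `X1`, while honest signers (whose effective secret is `a_1*x_1 + a_2*x_2`) still produce verifying signatures without any extra per-key signatures to transmit or check. The arithmetic is deliberately naive affine double-and-add, so the script takes a few seconds.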
