cfrg / draft-irtf-cfrg-det-sigs-with-noise


Deterministic interface #10

Open emanjon opened 3 months ago

emanjon commented 3 months ago

https://mailarchive.ietf.org/arch/msg/cfrg/jmfn1b880x7-7gZKb7_uwLvE3oU/

Taylor R Campbell wrote: Where does one find test vectors for the deterministic functions defined here with the extra randomization parameters Z?

Daniel Bernstein wrote:

emanjon commented 3 months ago

Bernstein wrote:

https://mailarchive.ietf.org/arch/msg/cfrg/GRigAYvZ8-Z8qmxJ1jOiKR8eLyQ/

Compute SHA-512(dom2(F, C) || Z || prefix || 000... || PH(M)),

What stops implementors from forgetting to include PH(M) in the hash input? I'd recommend building this on top of a deterministic interface where Z is an explicit input, and making sure to test that interface.

emanjon commented 3 months ago

I assume the suggestion here is that the interface is inside of the specification. I.e., the end user calls Sign(sk, M) and the description in the specification is

Sign(sk, M):

  1. Generate random Z
  2. Sign(sk, M, Z)

cjpatton commented 3 months ago

I think this is a good idea.

FiloSottile commented 2 months ago

Big fan of derandomized interfaces, and NIST is planning to introduce them for the PQ algorithms (https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Mf2kemwwreY/m/oF8HfaNxAQAJ) so I like the idea of a testable Sign_internal(sk, M, Z), but only if it doesn't delay this draft further. I'd like to implement this and produce shared test vectors for it ASAP :)

emanjon commented 2 months ago

Seems to be strong support for specifying a derandomized interface. We will add that.

emanjon commented 2 months ago

I'd like to implement this and produce shared test vectors for it ASAP :)

Noted, let's try to move this draft to publication asap. Early comments were mostly about naming and IPR. It is only recently that we have gotten a lot of good technical comments, which are very welcome.