Re: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d

Bryan A Ford <brynosaurus@gmail.com> Sat, 12 December 2015 08:47 UTC

To: cfrg@irtf.org
Message-ID: <566BDF12.9060501@gmail.com>
Date: Sat, 12 Dec 2015 09:47:14 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/0SpPuHsBKIbgO_Y2gzYY0vUJJxw>

On 12/11/15 11:03 PM, Tony Arcieri wrote:
> On Fri, Dec 11, 2015 at 7:26 AM, Gilles Van Assche
> <gilles.vanassche@st.com> wrote:
> 
>     Another point of view could be that Ed448 and Ed448ph are still
>     distinctly-named algorithms (i.e., symmetrically with Ed25519 and
>     Ed25519ph), but thanks to the domain separation brought by twoshakes-d
>     in the internal hash they enjoy the property that a public key can be
>     certified for one, for the other or for both. As far as I have seen,
>     twoshakes-d is the only proposal so far that offers that property.
> 
> I voted for twoshakes-d for this reason, however there's something odd
> about this I think really deserves discussion...
> 
> I do not think Ed448(ph) will receive widespread use, because
> Ed25519(ph) is "good enough".
> 
> If twoshakes-d wins, Ed448 will be in the curious position of supporting
> domain separation (but hardly anyone will use it), but Ed25519 will not
> (and most people will probably use it).
> 
> This seems oddly inconsistent to me.

Interesting - I agree with most of your reasoning but it leads me to the
opposite conclusion.  Namely, this makes me feel less concerned about
Ed448 being a bit inconsistent with Ed25519 by virtue of having extra
"conservative security features" like domain separation.  While indeed
most everyone agrees that Ed25519 is probably good enough for most
purposes, Ed448's main "raison d'etre" is to have an additional/backup
alternative with even more conservative security parameters - i.e., from
"good enough" (255-bit curve) to "insane" security (448-bit curve).
From that viewpoint, it doesn't seem at all inconsistent with Ed448's
basic purpose for it to have additional conservative security features
that Ed25519 doesn't, such as explicit domain separation.

I still think it would be straightforward to back-port domain separation
to Ed25519 but don't have strong feelings either way; especially the
line of reasoning above makes me also completely comfortable with not
doing so.

Cheers
Bryan

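Added example, not part of the original message or of any draft discussed in this thread: a sketch of why domain separation in the internal hash lets one key serve both the pure and the prehashed variant. It uses the dom4 prefix that RFC 8032 later specified for Ed448; whether twoshakes-d used this exact encoding is not stated on this page. The function names are hypothetical, and R and A are constructed placeholder byte strings, not real curve points.

```python
import hashlib

def dom4(phflag: int, context: bytes = b"") -> bytes:
    # RFC 8032 dom4(x, y): "SigEd448" || octet(x) || octet(len(y)) || y
    if len(context) > 255:
        raise ValueError("context must be at most 255 bytes")
    return b"SigEd448" + bytes([phflag, len(context)]) + context

def prehash(msg: bytes) -> bytes:
    # Ed448ph prehash: first 64 bytes of SHAKE256 over the message
    return hashlib.shake_256(msg).digest(64)

def challenge(R: bytes, A: bytes, msg: bytes, *, prehashed: bool,
              separated: bool = True, context: bytes = b"") -> bytes:
    """114-byte hash that is reduced mod the group order to give the
    Schnorr challenge. A signature (R, S) verifies only against this value,
    so two variants with equal challenges accept the same signature."""
    body = prehash(msg) if prehashed else msg
    prefix = dom4(1 if prehashed else 0, context) if separated else b""
    return hashlib.shake_256(prefix + R + A + body).digest(114)

def cross_variant_collision(separated: bool) -> bool:
    """True if a prehashed signature on `doc` would also verify as a
    pure signature on the 64-byte digest of `doc` under the same key."""
    R = bytes(57)           # constructed placeholder for the encoded nonce point
    A = bytes([1]) * 57     # constructed placeholder for the encoded public key
    doc = b"constructed sample document"
    ph = challenge(R, A, doc, prehashed=True, separated=separated)
    pure = challenge(R, A, prehash(doc), prehashed=False, separated=separated)
    return ph == pure

if __name__ == "__main__":
    print("no domain separation, challenges collide:", cross_variant_collision(False))
    print("dom4 prefix, challenges collide:        ", cross_variant_collision(True))
```

Without the prefix the two variants hash identical bytes, so a key certified for one is implicitly usable for the other; with the phflag octet in the prefix the challenges differ and the signature does not transfer.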