IETF Logo Mail Archive

Re: [Cfrg] Poll: hash functions for Ed448 (ends on December 22nd)

Simon Josefsson <simon@josefsson.org> Wed, 09 December 2015 08:56 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BC931B2A81 for <cfrg@ietfa.amsl.com>; Wed, 9 Dec 2015 00:56:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.429
X-Spam-Level:
X-Spam-Status: No, score=-0.429 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-0P_7Mzd0J3 for <cfrg@ietfa.amsl.com>; Wed, 9 Dec 2015 00:56:23 -0800 (PST)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBB341B2A7F for <cfrg@irtf.org>; Wed, 9 Dec 2015 00:56:22 -0800 (PST)
Received: from latte.josefsson.org ([155.4.17.2]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id tB98u9XH016610 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 9 Dec 2015 09:56:10 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Alexey Melnikov <alexey.melnikov@isode.com>
References: <5666F7A9.7020608@isode.com>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:151209:alexey.melnikov@isode.com::3Q2BZaYiFuwBPqKA:3f3E
X-Hashcash: 1:22:151209:cfrg@irtf.org::U+HcvBrtJy6sSct6:8poD
Date: Wed, 09 Dec 2015 09:56:08 +0100
In-Reply-To: <5666F7A9.7020608@isode.com> (Alexey Melnikov's message of "Tue, 08 Dec 2015 15:30:49 +0000")
Message-ID: <87mvtkngpj.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/1kt_kHzqetvjVpyTZLwG7hkebg4>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Poll: hash functions for Ed448 (ends on December 22nd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 08:56:24 -0000

My thinking is:

twoshakes-s: 0
twoshakes-d: -1 (complexity!)
simon1: 1 (simplicity, conservative, consistency with ed25519)
simon2: 0
ilari1: 0
ilari2: 0

I have started to feel that the fact that we can have this poll with no
real-world feedback from experience with deployed Ed448 implementations
is a sign that standardizing Ed448 is premature.  There simply appears
to be little interest from implementers, at least from what I can see
From my perspective.  I suppose it may be too late to back down from
this tree though.

/Simon

Alexey Melnikov <alexey.melnikov@isode.com> writes:

> This message starts 2 weeks Quaker Poll on hash functions to be used
> for definition of Ed448 in draft-irtf-cfrg-eddsa. Please reply for
> each choice:
> +1, if you prefer a particular choice
> 0, if you can live with it
> -1, if you are against a particular choice
>
> Choices are:
>
> 1) "twoshakes-s", (SHAKE256@912(x) for the internal hash,
> SHAKE256@512(x) as the prehash)
>
> More details:
> <http://www.ietf.org/mail-archive/web/cfrg/current/msg07629.html>
>
> 2) "twoshakes-d",
>
> This scheme again uses the SHAKE256 extensible-output functions (XOFs)
> to implement both hashes, with the inputs prefixed as specified below
> for explicit domain separation purposes.
>
> More details:
> <http://www.ietf.org/mail-archive/web/cfrg/current/msg07629.html>
>
> 3) "simon1" (SHAKE256@912(x) for the internal hash, SHA3-512 as the
> prehash).
>
> 4) "simon2" (Use SHA2-512/912 as described in [1] as the internal hash
> and SHA2-512 as the prehash).
>
> [1] - <http://ed25519.cr.yp.to/eddsa-20150704.pdf>
>
> 5) "ilari1" (SHAKE256@912bits(x) for the internal hash, SHA2-512(x) as
> the prehash)
>
> More details:
> <http://www.ietf.org/mail-archive/web/cfrg/current/msg07644.html>
>
> 6) "ilari2"
>
> Hash: HKDF-EXPAND(hash=SHA2-512, prk=HKDF-EXTRACT(hash=SHA2-512,
> salt=<blank>, ikm=x), info=<blank>, 114) Prehash: SHA2-512(x)
>
> More details:
> <http://www.ietf.org/mail-archive/web/cfrg/current/msg07644.html>
>
> 7) You can specify an alternative proposal, if you wish
>
> Best Regards,
> Kenny and Alexey
>

v2.23.0 | Report a Bug | By Email