Re: [Cfrg] EdDSA and > 512 curve & hash (Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement)

Mike Hamburg <> Sun, 12 January 2014 18:31 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AFD9D1ADFE4 for <>; Sun, 12 Jan 2014 10:31:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.556
X-Spam-Level: *
X-Spam-Status: No, score=1.556 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FAsmyJFVZhMI for <>; Sun, 12 Jan 2014 10:31:09 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 7BB7B1ADFD8 for <>; Sun, 12 Jan 2014 10:31:09 -0800 (PST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 492183AA04; Sun, 12 Jan 2014 10:29:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=sldo; t=1389551365; bh=qbohOSOGsVNUymSnQWhnmJv9omjhkXiMUJORWj6UR+Y=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=TMkyKx0gq+EH0mOXu7syiiHBXU03+KULWTGepRjFxlhJEBwwOJuTybq+Q8L+NvnaU GlsS/IRKtDnksYGHEk6do6myCOj21cVdNySEQCEDljVHHbwn6H94XiztrnpVzxi+NG lPYM8sBcLGqO+Pfm/Lv2dXpyE3hFatF9WlMkw9FA=
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Mike Hamburg <>
In-Reply-To: <>
Date: Sun, 12 Jan 2014 10:30:56 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <20140112062942.GA32437@LK-Perkele-VII> <> <> <> <>
To: Adam Back <>
X-Mailer: Apple Mail (2.1827)
Subject: Re: [Cfrg] EdDSA and > 512 curve & hash (Re: [TLS] Additional Elliptic Curves (Curve25519 etc) for TLS ECDH key agreement)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 12 Jan 2014 18:31:10 -0000

On Jan 12, 2014, at 7:53 AM, Adam Back <> wrote:

> On Sun, Jan 12, 2014 at 07:13:16AM -0800, Robert Ransom wrote:
>> Deterministic generation of message keys is the primary reason that
>> EdDSA requires a double-length hash function.
>> EdDSA relies on the hash function having double-length output in two ways:
>> * Message key generation relies on the output being noticeably longer
>> than the group order in order to generate *uniform* exponents.
>> * EdDSA also uses the hash function to expand the secret-key bitstring
>> into (a) the secret exponent of the public key and (b) a secret
>> bitstring used to key the message key generation hash function.
> My point is compared to the deterministic CRNG that eg DSA specifies for k
> generation, follow that pattern, but using SHA3-512 as the building
> block, seeded with d, the private key, is certainly doable to scale EdDSA to
> 512-bit curve without needing a 1024-bit hash function.
> Some KDF functions are designed to provide the needed one-way security
> beyond the hash input size of the underlying hash or MAC function.  So I was
> suggesting this as an alternative method than using a not-widely-used hash
> or hash-parameterization (Keccak).
> Adam

My personal preference here is for either SHA512 or SHA3, in that order.  But is SHA3 defined yet?

I don't care that SHA2 was designed by NSA.  The SHA2 functions are widely deployed and have survived more than a dozen years of public analysis.  Their performance is good enough that they won't be the bottleneck in an EC signature implementation.  SHA512 has a wide enough output and a high enough security level to be suitable for many of these curves, though for some curves it will need to be evaluated twice in order to be wide enough.

BLAKE2 is probably fine.  But it hasn't had as much time in the spotlight as SHA2 or Keccak.

The SHA3 finalists are also fine.  But we should test timings to see whether their extreme performance is a gain in an EC hash setting.

Using a widely-deployed and widely-respected hash function will ease implementation and improve acceptance and deployment of any new standard we might make.

I also wonder if a new signature scheme should support hash-and-sign, or just signing where you have the full message.  Hash-and-sign is less secure because of collision attacks, but the API is much nicer especially for deterministic hashes, and that matters.

-- Mike