[Cfrg] draft-irtf-cfrg-eddsa-00
Simon Josefsson <simon@josefsson.org> Thu, 08 October 2015 12:14 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F21801B330A for <cfrg@ietfa.amsl.com>; Thu, 8 Oct 2015 05:14:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.971
X-Spam-Level:
X-Spam-Status: No, score=0.971 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_SE=0.35, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4b9j3jMiv83W for <cfrg@ietfa.amsl.com>; Thu, 8 Oct 2015 05:14:29 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B96701B32F6 for <cfrg@ietf.org>; Thu, 8 Oct 2015 05:14:28 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t98CEG9P010403 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT) for <cfrg@ietf.org>; Thu, 8 Oct 2015 14:14:17 +0200
X-Hashcash: 1:22:151008:cfrg@ietf.org::sL60CYAQARdb+147:QhN7
From: Simon Josefsson <simon@josefsson.org>
To: cfrg@ietf.org
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
Date: Thu, 08 Oct 2015 14:14:15 +0200
Message-ID: <87wpuxo8vc.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/3JWiVQxHyRbJvb3-28NQLgtl-rw>
Subject: [Cfrg] draft-irtf-cfrg-eddsa-00
X-BeenThere: cfrg@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@mail.ietf.org>
List-Help: <mailto:cfrg-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2015 12:14:31 -0000
Dear WG, We have posted the following draft to describe EdDSA, based on the EdDSA/Ed25519 description in draft-josefsson-eddsa-ed25519 and the EdDSA2 paper. https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-00 Feedback is welcome. There are at least two main areas I believe the WG will need to discuss: 1) The 912-bit wide internal hash function to use for Ed448. In the EDDSA2 paper we proposed SHA-512/912 because we thought use of SHA512 would be more convenient in existing deployments than SHAKE256. However, given that 1) some implementers thought the IV-modification we proposed would be difficult to implement in some APIs, and 2) some implementers (including at least one smartcard implementer, which typically are more constrained than software-only developers) appeared to be fine with SHAKE256 even though it is newer, I believe we should treat this as an open issue. Options include: 1) SHA-512/912 as described in http://ed25519.cr.yp.to/eddsa-20150704.pdf 2) Straightforward use of SHAKE256, also discussed in the previous paper. 3) Home-cooked SHA2-based variant such as: Truncate-912-bits(SHA512("0" | M) | SHA512("1" | M)) 4) Less home-cooked SHA2-based variant such as the RFC 5869 HDKF. Thoughts? Other options? Strengths and weaknesses of the above? Personally I am currently in favor of chosing SHAKE256 for Ed448. 2) Naming of the pre-hashed variants of Ed25519 and Ed448 and the relationship between PureEdDSA and HashEdDSA. For this draft I chose the short but still (barely) readable names Ed25519ph and Ed448ph. In the EDDSA2 paper we used 'SHA-512-Ed25519-SHA-512' which might be shorted to 'SHA-512-Ed25519' since the internal hash function is already settled on. Still, I believe 'SHA-512-Ed25519' is a quite unreadable name and the important part, Ed25519, is lost. Using 'Ed25519-SHA-512' to refer to the pre-hash variant seems confusing given that it is already in use to describe Ed25519 with SHA-512 as the internal hash. The 'Ed25519ph' name variant came up during discussions related to the PKIX EdDSA draft. I believe we definitely should not use the name 'Ed25519' to describe what we are doing in the pre-hash variant since that is already well established in deployment to refer to, eh well, Ed25519. So another name is needed. Does someone have a better suggestion, or can we settle on 'Ed25519ph' and 'Ed448ph'? The document is not ready, and our primary main open work items are as below. If anyone has suggested improvements here, they are welcome. 1) Test vectors and sample code for Ed448 and the pre-hash variants. 2) Align terminology and notation with cfrg-curves. Perhaps this is already in good shape, but it might be that a lot of work is required to harmonise terminology. Someone has to review both documents for consistency. 3) We need to abstract the Ed25519 description somewhat so that it can describe Ed448 too, but not abstract it all the way to the generic EdDSA which is already described. Otherwise the document will repeat large chunk of text to describe Ed25519 and Ed448 which is mostly identical. 4) Security Considerations, especially related to cross-protocol attacks (i.e., when you use the same key in pure mode or different pre-hashes). Of course, any other feedback is welcome. Thanks, /Simon
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Blumenthal, Uri - 0553 - MITLL
- [Cfrg] draft-irtf-cfrg-eddsa-00 Simon Josefsson
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Taylor R Campbell
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Tony Arcieri
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Salz, Rich
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Tony Arcieri
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Viktor Dukhovni
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Damien Miller
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Simon Josefsson
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Simon Josefsson
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Dan Brown
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 James Cloos
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Tony Arcieri
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Dang, Quynh
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Stephen Farrell
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Peter Gutmann
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Yoav Nir
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Taylor R Campbell
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Taylor R Campbell
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Eric Rescorla
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 David Jacobson
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Jim Schaad
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Jean-Philippe Aumasson
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Gilles Van Assche
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Peter Schwabe
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Peter Schwabe
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Taylor R Campbell
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Damien Miller
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Alyssa Rowan
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Taylor R Campbell
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Tony Arcieri
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Taylor R Campbell
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Taylor R Campbell
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Simon Josefsson
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Gilles Van Assche
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Peter Schwabe
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Simon Josefsson
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Taylor R Campbell
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Gilles Van Assche
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-eddsa-00 Ilari Liusvaara