Re: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d

Tony Arcieri <bascule@gmail.com> Sun, 13 December 2015 08:13 UTC

From: Tony Arcieri <bascule@gmail.com>
Date: Sun, 13 Dec 2015 00:13:33 -0800
To: Bryan A Ford <brynosaurus@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/90YbfTelGUBuCjfjduG8zNeNa3k>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

On Sat, Dec 12, 2015 at 12:47 AM, Bryan A Ford <brynosaurus@gmail.com>
wrote:

> Interesting - I agree with most of your reasoning but it leads me to the
> opposite conclusion.  Namely, this makes me feel less concerned about
> Ed448 being a bit inconsistent with Ed25519 by virtue of having extra
> "conservative security features" like domain separation.  While indeed
> most everyone agrees that Ed25519 is probably good enough for most
> purposes, Ed448's main "raison d'etre" is to have an additional/backup
> alternative with even more conservative security parameters - i.e., from
> "good enough" (255-bit curve) to "insane" security (448-bit curve).
> From that viewpoint, it doesn't seem at all inconsistent with Ed448's
> basic purpose for it to have additional conservative security features
> that Ed25519 doesn't, such as explicit domain separation.


This is something I'm a bit confused about and could perhaps use some
clarification from the chairs about...

I had also originally assumed that the Ed448 hash choice(s) were a sort of
"spinal tap grade" option to switch over to in the event of a disastrous
Ed25519 failure, but...

Is it that, or is this to be a future framework for additional elliptic
curve signatures? When it comes time to standardize CFRG signatures for
e.g. FourQ, will Ed25519 be treated as legacy and the decisions around
Ed448 be treated as standard operating procedure? Or will the debate start
over from the beginning?

I think it would be nice if there were a standard signature framework that
could be used for future curves without restarting the bikeshedding debate
again from the beginning.

-- 
Tony Arcieri