Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors
Benson Muite <benson_muite@emailplus.org> Fri, 25 November 2022 18:49 UTC
Return-Path: <benson_muite@emailplus.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2FC9C14F747 for <cfrg@ietfa.amsl.com>; Fri, 25 Nov 2022 10:49:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=emailplus.org header.b=ttBl6y21; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=f2FMfXki
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1gbbtmhndtun for <cfrg@ietfa.amsl.com>; Fri, 25 Nov 2022 10:49:26 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD637C14F727 for <cfrg@irtf.org>; Fri, 25 Nov 2022 10:49:26 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 697F33200992; Fri, 25 Nov 2022 13:49:25 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Fri, 25 Nov 2022 13:49:25 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emailplus.org; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1669402164; x= 1669488564; bh=qSwMgI2OtLz9r3Impfi8s3wMyvwbK+OT4UFwNSWFP9Y=; b=t tBl6y21oi2lc2iTVfzDfSlGdSC+tXxirxhbXj3F4EUPd5l+yqbI2EOoKkpE+iMHw hHUmk+mt7ITHmXQKO0YwFY5AhUsH62nvaOAR/xrtUgX+r0VwfY1Ox/vnWwKxLej8 gxHmaSAGRplUM9meDqau/5SpTl6RZQxlofKiuT0oMkYmQmp/l/PtvvsDSAU8TTqn ZioYOkUdUXdpAKL7k/GYR6dl7x+I9sGjX8BPhNlwxMS5//JpmSlu7AWSTIpyfN/e wwTUR9yHMYkdhQVxXQdMQt2p9oa8M8vXxh4D110dkLOR3Upq0FTciphwV2l9r5LL i0bEPr/dBOwbYbPnUwMOA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1669402164; x= 1669488564; bh=qSwMgI2OtLz9r3Impfi8s3wMyvwbK+OT4UFwNSWFP9Y=; b=f 2FMfXkiqv3NCt7qkG2uLiSEzLRN+4AoMGLNJ2r4wMJ4w4lsbcSwu8x6GcX14MCHH 8jzJvYgYt4KREmrdCwT/waV29Jx6dO6EDNoH6CENqRh/8xERpucX9pnywunTneAN xd1G8WQPb8tyvQ2f133otUsN0ILJAU3UmSZ1Mi3J2iS2xvaXzD62L3i7wQyZ9Nmv Q/tn1H2kHj2w5GlAx779vlfAvN9KREjeO1AY8u467V/T2rmSPiJ/jBN0AA2S8Kod 1OhYLK0Ft2MnDMXhdJVPF1evGyYhqxvwS261kK8Ez0fCffhpuAGGO75p55/qjqCu ddYDzgG8ITkgfaM/IOQcA==
X-ME-Sender: <xms:NA6BY6YzLb6PWOK49dK8RV8_XBU3fJ8LWl706ssujxtiBgfDlUUuZA> <xme:NA6BY9Y9pG6-nYVKZEV7s7VMH2gFwy1UC6yzAbeDOIO-FZMVXdKhurp7-QolVkCxC FzdN9f0hNWjxRs7>
X-ME-Received: <xmr:NA6BY0_wJDgkQPCSF_pUUMr8VxNpmuTUifpklXoqQ4oR_u0efldbTZNL--n-R6k>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvgedrieehgdduudejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfvfhfhvefujggtgfesth ekredttdefjeenucfhrhhomhepuegvnhhsohhnucfouhhithgvuceosggvnhhsohhnpghm uhhithgvsegvmhgrihhlphhluhhsrdhorhhgqeenucggtffrrghtthgvrhhnpeffheevvd ektdethfdthfdvgfevfeeiueetgeejiedvgedvhefgfefhudekieeuvdenucffohhmrghi nhepihgrtghrrdhorhhgpdhhuggvvhgrlhgvnhgtvgdrtggrnecuvehluhhsthgvrhfuih iivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepsggvnhhsohhnpghmuhhithgvsegv mhgrihhlphhluhhsrdhorhhg
X-ME-Proxy: <xmx:NA6BY8q3WGctgTTG31F8Cm_KqxI0VqBrRMRraD1VUD4tdXhp9hcmHw> <xmx:NA6BY1qBYYxAJdY-JMMzL_iUeCECA7NPrRlQWt4xm-rCS3B8Mvk-nA> <xmx:NA6BY6SLmSso3fUF-aTpjIIgBqWjCREh1-R8OTyYHjHReDRLPequLg> <xmx:NA6BY82ftfwmfLZuX9aj20GcWRkxf5T7P8mKBDSFTYjOL8-1vUWAIw>
Feedback-ID: ic1e8415a:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 25 Nov 2022 13:49:22 -0500 (EST)
Message-ID: <93812c25-0dce-bfc5-6bf9-6f0df314eea3@emailplus.org>
Date: Fri, 25 Nov 2022 21:49:11 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
To: cfrg@irtf.org
References: <23111ace-bdb3-2168-5379-74048b77d063@emailplus.org> <54CF8B57-D0DC-4877-8B12-E9A94AB5C9A5@shiftleft.org> <CAPpfmGCvpzGSB_87=R3hD-Ei_Pmidke3PgypNeDbh0VwSsYuMw@mail.gmail.com> <3AA65304-1780-41E7-8595-8664EFDC4D20@shiftleft.org> <CAPpfmGAPwriFCJ5qHK=jZBNdVEZE5twXTgc=3toHA31EjBVppw@mail.gmail.com> <764b3aa8-faa3-4332-bf70-136f8433b858@redhat.com>
Content-Language: en-US
From: Benson Muite <benson_muite@emailplus.org>
In-Reply-To: <764b3aa8-faa3-4332-bf70-136f8433b858@redhat.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9CHXTEFdSuRcsxz1nSgE3lQ5w2Y>
Subject: Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2022 18:49:32 -0000
On 11/25/22 16:04, Hubert Kario wrote: > On Thursday, 24 November 2022 17:58:19 CET, François Garillot wrote: >> Hi Mike, >> >>> Perhaps we should then change the RFC to indicate that >>> implementations SHOULD use the weaker, cofactored verification equation? >> >> If Ed25519 was a greenfield or niche project, that would perhaps be >> ideal. Other changes (e.g. strongly-binding signatures), detailed in >> the paper as well as in other publications ([1]) may also deserve >> consideration. In fact, some library maintainers working in a >> consensus context have already adopted some of these changes (see [2] >> for some detailed rationale). >> >> Yet considering there is a plethora of load-bearing libraries that use >> cofactorless verification exclusively in a wide range of contexts >> today, their maintainers might favour compatibility with historical >> verification decisions. A good middle ground then seems to be >> mandating the documentation of their implementation's behaviour on -at >> least- the cofactored / cofactorless edge case, which is where the >> test vectors may help. >> >> [1]: https://eprint.iacr.org/2020/823 The reference [2] is interesting, as a hardware implementation of EdDSA does not allow edge cases. It is unclear how many other hardware implementations there are, since these are more difficult to change compared to software implementations. [2]: >> https://hdevalence.ca/blog/2020-10-04-its-25519am > > And the RFC can also allow for the behaviour to change with a configuration > option... Maybe adding some context is helpful, in particular to aid use in new applications which seem to be growing and to ensure upgrade in legacy applications where it is necessary. The number of library implementations are not so large, and at least for the openly available and widely deployed ones, making required changes seems feasible. > >> -- >> FG >> >> >> On Thu, Nov 24, 2022 at 11:06 AM Mike Hamburg <mike@shiftleft.org> wrote: >> Hi François, >> >> That makes sense: it’s entirely reasonable to include these test >> vectors with a note that they aren’t technically required by the RFC. >> >> Perhaps we should then change the RFC to indicate that implementations >> SHOULD use the weaker, cofactored verification equation? >> >> Cheers, >> — Mike >> >> On Nov 24, 2022, at 3:16 PM, François Garillot <francois@garillot.net> >> wrote: >> >> Hi Mike, >> >> I would caution against excluding the test vectors for >> cofactored/cofactorless verification: Table 3 of the paper explains >> that, unless a library uses a cofactored verification equation, batch >> verification and iterated single-signature verification will not agree >> on all signature sets. Such a disagreement is consequential in some >> contexts: for instance, it could make a library using a cofactorless >> verification equation delicate to use in a BFT consensus protocol. >> Those test vectors seem important to include, so as to encourage >> libraries to document this implementation choice. >> >> Table 5 of the paper documents the FIPS186-5 recommendations, to the >> best of the authors' knowledge. >> >
- [CFRG] RFC 8032 Erratum: EdDSA test vectors Benson Muite
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors Mike Hamburg
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors François Garillot
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors Mike Hamburg
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors François Garillot
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors Hubert Kario
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors Benson Muite