Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519

Ilari Liusvaara <> Mon, 09 May 2016 07:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 08FA412D0A6; Mon, 9 May 2016 00:09:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.896
X-Spam-Status: No, score=-2.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tuKhcEPny1cX; Mon, 9 May 2016 00:09:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D22E012B05E; Mon, 9 May 2016 00:09:52 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id AA94F31A5; Mon, 9 May 2016 10:09:50 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([IPv6:::ffff:]) by localhost ( [::ffff:]) (amavisd-new, port 10024) with ESMTP id oNPdlTN-prMK; Mon, 9 May 2016 10:09:50 +0300 (EEST)
Received: from LK-Perkele-V2 ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 36B42286; Mon, 9 May 2016 10:09:50 +0300 (EEST)
Date: Mon, 9 May 2016 10:09:48 +0300
From: Ilari Liusvaara <>
To: Martin Thomson <>
Message-ID: <>
References: <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.6.0 (2016-04-01)
Archived-At: <>
Resent-From: <>
Cc: Simon Josefsson <>,,
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 May 2016 07:09:56 -0000

On Mon, May 09, 2016 at 10:23:31AM +1000, Martin Thomson wrote:
> On 6 May 2016 at 20:17, Ilari Liusvaara <> wrote:
> >
> > So yeah, just use separate keys. Don't cause problems for everybody
> > by using contexts.
> As an author of a document that defines the use of contexts, how do
> you reconcile this view with what the document says?

To actually use contexts, you need a way to do contexts all the way
up to lowermost common layer, which might very well be the signature
primitive itself. This impiles that all the needed contexts exist
and can be specified via an API (existing ones don't support it!).
At the level of raw signatures, this would imply defining abstract
API model and then having all context-capable signatures, either
obtained by transforming non-context-capable scheme (the transform
is too trivial to contain here) or having natively context-capable

And then the protocol itself needs to be self-consistent. But that
is needed anyway (and is harder requirement than one might think).

Here's one abstract API model of signature scheme with contexts:

keygen: () -> (privkey, pubkey)
sign: (privkey, context<0..255>, message<0..>) -> signature
verify: (pubkey, context<0..255>, message<0..>, signature) -> boolean

With correctness (it verifies its own signatures) and unforgeability
(can't compute signatures for (context,message) one hasn't seen
without private key).

The algorithms can be random.

> I agree with the idea that there is a moral superiority in using
> different keys.  That's an inarguable statement from a position of
> great integrity.
> djb's one-bit protocol examples highlight that there is an inherent
> futility in attempting domain isolation at any layer of a protocol
> stack that might conceivably be used in support of some high-layer
> protocol.

Well, nothing prevents having multiple contexts at different levels,
but all contexts involved need to be able to be specified to be

E.g. openpgp -> git-push-signature. That's not interchangeable with
git-push-signature nor openpgp.
> We find that reuse of signature keys for different purposes is rife in
> the real world.  A firm requirement of TLS 1.3 is that existing keys
> can be used with the new protocol.  It would not deploy otherwise, and
> yet we endorse that which we all agree to be a sin and do what we can
> to avoid problems.

Also, TLS keys get reused in CSR signing, and CSRs are based upon ASN.1,
which is let's say pretty different from TLS syntax...

> I disagree with the notion of there being "serious" or "fundamental"
> usability problems. 

The reason for those usability problems: APIs and what is offered.