Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519

[Ilari Liusvaara <ilariliusvaara@welho.com>]

On Mon, May 09, 2016 at 11:04:20PM -0400, Benjamin Kaduk wrote:
> On Mon, 9 May 2016, Ilari Liusvaara wrote:
> 
> > On Mon, May 09, 2016 at 10:23:31AM +1000, Martin Thomson wrote:
> > > On 6 May 2016 at 20:17, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> > > >
> > > > So yeah, just use separate keys. Don't cause problems for everybody
> > > > by using contexts.
> > >
> > > As an author of a document that defines the use of contexts, how do
> > > you reconcile this view with what the document says?
> >
> > To actually use contexts, you need a way to do contexts all the way
> > up to lowermost common layer, which might very well be the signature
> > primitive itself. This impiles that all the needed contexts exist
> > and can be specified via an API (existing ones don't support it!).
> 
> I'm still not conviced that we're all talking about the same thing when we
> say "context".
> 
> The two different "context"s I've seen talked about are:
> 
> (1) Ed448ctx-style, as an "extra signature input" that is mixed into the
> signature in a way that prevents shifting content from the context input
> to the data input of the signature algorithm (or vice versa).

And there is a transform that obtains signature scheme with contexts from
scheme without one. Obviously not needed if scheme already has contexts.

> (2) "flat"-style, as in "a string that is prepended or appended to the
> data to be signed" that provides only partial domain-separation but can be
> bolted on to existing signature algorithms post-facto.  (E.g., as in
> https://github.com/unicorn-wg/context-labels)

That is just broken. You can not add signature-level contexts into
existing signature scheme without obtaining a new scheme. At least not
reliably, which in cryptography means the same as not at all.

> Clearly your statement is true for (1)-style contexts, but it seems that
> for (2)-style contexts, any participant in the call chain could choose to
> conver the context into part of the signature input and thereby translate
> from a context-ful API to a context-free one.

And looks like I got the layers wrong way around, it should have been
"uppermost common layer".

But basically, if you need contexts, you require them. Anything else is
just too error-prone.

EdDSA spec says not to use signature-level key-binding, even if it works
just fine with EdDSA. The reason why is that there are many _other_
signature schemes where signature-level key-binding utterly fails.

> > At the level of raw signatures, this would imply defining abstract
> > API model and then having all context-capable signatures, either
> > obtained by transforming non-context-capable scheme (the transform
> > is too trivial to contain here) or having natively context-capable
> > schemes.
> 
> And here we get into all the complications that makes djb dislike extra
> inputs to signature algorithms (and rightly so).

Well, the alternatives besides just giving different keys to things that
aren't known to play well together are even worse.
 
> > Well, nothing prevents having multiple contexts at different levels,
> > but all contexts involved need to be able to be specified to be
> > correct.
> >
> > E.g. openpgp -> git-push-signature. That's not interchangeable with
> > git-push-signature nor openpgp.
> 
> prepending "git-push-signature" || 0 || "openpgp" || 0 to the data to be
> signed (as in my (2) above) seems naturally composable.

Well, this is about contexts at different layers (if multiple layers have
contexts). Then all have to match.

And if so, then it is unlikely to be implemented via such prepend.

> > > We find that reuse of signature keys for different purposes is rife in
> > > the real world.  A firm requirement of TLS 1.3 is that existing keys
> > > can be used with the new protocol.  It would not deploy otherwise, and
> > > yet we endorse that which we all agree to be a sin and do what we can
> > > to avoid problems.
> >
> > Also, TLS keys get reused in CSR signing, and CSRs are based upon ASN.1,
> > which is let's say pretty different from TLS syntax...
> >
> > > I disagree with the notion of there being "serious" or "fundamental"
> > > usability problems.
> >
> > The reason for those usability problems: APIs and what is offered.
> 
> I agree that for (1), the API situation is a mess and there are not any
> currently usable library APIs.

And thus contexts are currently unusable, as such APIs are prerequisite
for usage of contexts.

> My question is, what are the downsides of (2)?  It can perhaps offer a
> false sense of security to protocol designers and/or implementors that
> ought to be using separate keys, but if we spin it as something to be used
> in addition to key separation, maybe it's not so bad.  Are there other
> disadvantages of (2)?

That kind of construction is just a minefield.


-Ilari