Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519

Watson Ladd <> Tue, 10 May 2016 15:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3DDAD12B054; Tue, 10 May 2016 08:42:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Nijo1-zlBmQJ; Tue, 10 May 2016 08:42:52 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 81A2D12D1F0; Tue, 10 May 2016 08:42:50 -0700 (PDT)
Received: by with SMTP id m188so21264191vka.1; Tue, 10 May 2016 08:42:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=H6qQJggAr46NziOTIBtX8zAojufhxsOFn1VqMLyCnJM=; b=GMHYg0dylelRx3goD32Nuo3YeK/T4X+MWlxCrWSkr6ZD49cMMiXrbcW+aU4SM98UrD bJE3qqGFypWcrzbJzVgkFykcFltzAHlJTkSJS9ST3JPobS+w2pFhw4Y6X2A89illE9/Z 2L37thymf6aPTaP9ABPFzWxGqPQdo8v5NPlIRixmLyLujiqC7ltvB55WgKiYUR0T1HSE zKSUdSdjFZoL/J+UL93pXUmTv7fpOAS6Ppyrl/LdyUY5ZkWANy2PqhFEQyReWcAC3SHB PiJeZHkiJJ9OQuTBZNaa4WGE1DTHwHwv/JzCDcBH3pVG/wl86TN3vCTfh8fGdYKphDjq wPAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=H6qQJggAr46NziOTIBtX8zAojufhxsOFn1VqMLyCnJM=; b=Zt5br+96VoEjfhr77MXQhA9fhVYtkfBAt8Z812JGT8tXeWM52Wl3vBdDMt9WooSXbQ +3kqjKZTl+fhIE04bloOCm9NIq5P25Op0V2dN1nu1yaw16zoqFB7eYz96y6wpRiw0JXC HZm1IINFGR1IemxiXutFKH4uviSllBEuZSApcN6Q7yhtmwRebaruytK6uR1uyrKxwP9j D6jbMPUqmUvr0WZccnhGmFFbSDYcXoqpesMgNKJnCTfKmTBjIW1NsKYhg5FOYTPE9oYz MoQFdDXjlLRiKjxov4wSjr1xwZN5wKOl/MykTylpZQe7QoKJpINWgCKdn4b8kLYfyGt9 LZBA==
X-Gm-Message-State: AOPr4FVqiusGL9havIgdxdYEfdAo89axdSHUBgcu8hCIAxGBOZAWDiJ8fK3xWdsWmp5W+of7XAz64hwgguJa4A==
MIME-Version: 1.0
X-Received: by with SMTP id m70mr10215068vkf.70.1462894969480; Tue, 10 May 2016 08:42:49 -0700 (PDT)
Received: by with HTTP; Tue, 10 May 2016 08:42:49 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <>
Date: Tue, 10 May 2016 08:42:49 -0700
Message-ID: <>
From: Watson Ladd <>
To: Simon Josefsson <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Resent-From: <>
Cc:, "" <>
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 May 2016 15:42:55 -0000

On Tue, May 10, 2016 at 2:16 AM, Simon Josefsson <> wrote:
> Martin Thomson <> writes:
>> On 6 May 2016 at 20:17, Ilari Liusvaara <> wrote:
>>> So yeah, just use separate keys. Don't cause problems for everybody
>>> by using contexts.
>> As an author of a document that defines the use of contexts, how do
>> you reconcile this view with what the document says?
> Hi Martin.
> The difference between personal opinion and group consensus decisions?
> I'm just speculating what Ilari's reasons are though.
>> But I see those examples as illustrative of an insufficient degree of
>> redundancy.  For, if ever there were fans of redundancy, it would be
>> the military.  While conceivably you could build a protocol that
>> defers all self-identification and context to the crypto that supports
>> it, in the cases illustrated, it shows itself as unwise in the extreme
>> in light of the propensity of people to do bad things.
> I suspect there is fundamental disagreement between fans of redundancy
> and fans of lesser complexity.
> In my experience, redundancy (=complexity) in security systems have too
> many time been used as a way to get through the system.  Redundancy can
> act as a slowdown factor and mitigator, but if your primitives are weak
> then you are vulnerable no matter what.  The academic optimistic view
> appears to be that it should be possible to find strong primitives, and
> to trust that they are strong.  History shows that everything is broken
> eventually, but history hasn't killed the optimism.

Let's consider an actual protocol, TLS 1.3. TLS 1.3 cannot rely on the
context mechanism of Ed25519ctx because it must work with RSA
signatures as well. Introducing contexts won't actually make it more
secure so long as it has to work with RSA. But introducing contexts
will force everyone to complicate their implementation, which we know
leads to bugs.

> My thoughts are that it is possible to achieve what the proponents of
> redundancy (contexts) want and please the people who want the least
> complexity, at the same time.  Just define a low-level primitive like
> Ed25519 as it is, and deal with higher-level aspects like
> cross-protocol/domain mitigators at the protocol level, or at another
> crypto primitive (ed25519ctx) which can be opt-in by the people who have
> drunk that particular Kool-Aid.
> Thanks,
> /Simon
> _______________________________________________
> Cfrg mailing list

"Man is born free, but everywhere he is in chains".