Re: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 12 December 2015 15:17 UTC

Date: Sat, 12 Dec 2015 17:17:21 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Bryan Ford <brynosaurus@gmail.com>
Message-ID: <20151212151721.GC6039@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAA4PzX18bcS_awPg-YDAoo90537Ot=s_nf7k_Vt75OVSdvtDrQ@mail.gmail.com> <87fuzcng51.fsf@latte.josefsson.org> <20151209125944.GA26766@LK-Perkele-V2.elisa-laajakaista.fi> <566AEB08.9070302@st.com> <566BDBE9.4000808@gmail.com> <20151212111448.GB6039@LK-Perkele-V2.elisa-laajakaista.fi> <C79B46AA-62EA-4D93-A850-62D85422B9B6@gmail.com>
In-Reply-To: <C79B46AA-62EA-4D93-A850-62D85422B9B6@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/C6kFpvPKBevBYSm0fYT-a9okVTg>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d

On Sat, Dec 12, 2015 at 01:14:00PM +0100, Bryan Ford wrote:
> On Dec 12, 2015, at 12:14 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> > This brings to mind the following (bit crazy):
> > 
> > - Leave Ed25519 as is.
> > - Drop Ed25519ph
> > - Add Ed25519dom, with context and hash-signing capabilities.
> > - Drop Ed448ph
> > - Rename Ed448 to Ed448dom, with context and hash-signing capabilities.
> 
> This seems like a potentially pretty reasonable "sweet spot" compromise between the semi-conflicting goals of (a) domain separation, (b) alignment between Ed448 and Ed25519, and (c) backward compatibility with current Ed25519 uses without prehashing or domain separation.
> 
> The one downside I see is that "pure" Ed25519 wouldn't be domain-
> separated from ed25519dom, i.e., signatures generated with the former
> could in principle get misinterpreted as the latter and vice versa.
> But this is probably a small risk we can live with for backward-
> compatibility reasons. 

Those two would be separated at key level (like Ed25519 and Ed25519ph
are currently).

And hash-signing capabilities imply that separation is one-sided only
(prehash does not have domain prefix). Omitting the separation on
the other side won't cause problems because all info to generate the
prefixes is either public or requires knowledge of the private key.

And lack of IUF on domain is not a problem either, since domains are
supposed to be short.


-Ilari
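The point in the exchange above is that a domain prefix (tag, mode flag and length-prefixed context) fed into the signature hash keeps the "pure", "dom"/context and prehash variants from accepting each other's signatures, while the public data and the private key are all that is needed to build the prefix. The following is an added example, not part of Ilari's or Bryan's message and not any CFRG draft text: a minimal, non-constant-time Ed25519 written from the RFC 8032 reference arithmetic, extended with the dom2() prefix that RFC 8032 (published after this thread) standardized for Ed25519ctx and Ed25519ph. All function names, the sample message and the context string "foo" are choices made for this example; the curve constants, the 32-byte tag and the test vector used in the usage function are from RFC 8032. It is for demonstrating the separation property only, not for production use.

```python
# Added example: toy Ed25519 with RFC 8032 dom2() domain separation.
# Arithmetic follows the RFC 8032 reference code; NOT constant time.
import hashlib

P = 2**255 - 19
Q = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, P - 2, P) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)


def sha512(b): return hashlib.sha512(b).digest()
def mod_q(b): return int.from_bytes(sha512(b), "little") % Q


# Points in extended twisted-Edwards coordinates (X, Y, Z, T).
def add(p1, p2):
    a = (p1[1] - p1[0]) * (p2[1] - p2[0]) % P
    b = (p1[1] + p1[0]) * (p2[1] + p2[0]) % P
    c = 2 * p1[3] * p2[3] * D % P
    d = 2 * p1[2] * p2[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)


def mul(s, pt):  # plain double-and-add scalar multiplication
    acc = (0, 1, 1, 0)
    while s:
        if s & 1: acc = add(acc, pt)
        pt, s = add(pt, pt), s >> 1
    return acc


def equal(p1, p2):  # projective equality
    return ((p1[0] * p2[2] - p2[0] * p1[2]) % P == 0 and
            (p1[1] * p2[2] - p2[1] * p1[2]) % P == 0)


def recover_x(y, sign):
    if y >= P: return None
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    if x2 == 0: return None if sign else 0
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P: x = x * SQRT_M1 % P
    if (x * x - x2) % P: return None
    return P - x if (x & 1) != sign else x


def compress(pt):
    zi = pow(pt[2], P - 2, P)
    x, y = pt[0] * zi % P, pt[1] * zi % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decompress(b):
    y = int.from_bytes(b, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % P)


G_Y = 4 * pow(5, P - 2, P) % P
G_X = recover_x(G_Y, 0)
G = (G_X, G_Y, 1, G_X * G_Y % P)


# dom2(x, y) from RFC 8032 section 5.1: empty for pure Ed25519, otherwise a
# fixed 32-byte tag, a flag byte (0 = Ed25519ctx, 1 = Ed25519ph) and the
# length-prefixed context. The tag keeps the modes' hash inputs disjoint.
def dom2(mode, ctx):
    if mode == "pure":
        return b""
    if len(ctx) > 255: raise ValueError("context must be at most 255 bytes")
    flag = {"ctx": 0, "ph": 1}[mode]
    return b"SigEd25519 no Ed25519 collisions" + bytes([flag, len(ctx)]) + ctx


def _msg(mode, msg):  # Ed25519ph signs PH(M) = SHA-512(M); others sign M
    return sha512(msg) if mode == "ph" else msg


def keypair(seed):  # returns (clamped scalar a, nonce prefix, public key)
    h = sha512(seed)
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:], compress(mul(a, G))


def sign(seed, msg, mode="pure", ctx=b""):
    a, prefix, pub = keypair(seed)
    m, dom = _msg(mode, msg), dom2(mode, ctx)
    r = mod_q(dom + prefix + m)
    R = compress(mul(r, G))
    s = (r + mod_q(dom + R + pub + m) * a) % Q
    return R + s.to_bytes(32, "little")


def verify(pub, msg, sig, mode="pure", ctx=b""):
    if len(sig) != 64: return False
    A, R = decompress(pub), decompress(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= Q: return False
    h = mod_q(dom2(mode, ctx) + sig[:32] + pub + _msg(mode, msg))
    return equal(mul(s, G), add(R, mul(h, A)))


# RFC 8032 test vector 1 seed, reused here only as a deterministic key.
SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")


def cross_mode_matrix(seed=SEED, msg=b"constructed sample message", ctx=b"foo"):
    """Sign msg in each mode, verify under each mode; returns
    {(signing_mode, verifying_mode): bool}. Only the diagonal is True."""
    pub = keypair(seed)[2]
    modes = ("pure", "ctx", "ph")
    sigs = {m: sign(seed, msg, m, ctx) for m in modes}
    return {(sm, vm): verify(pub, msg, sigs[sm], vm, ctx)
            for sm in modes for vm in modes}
```

Running cross_mode_matrix() shows the separation the thread is after: a pure signature does not verify as ctx or ph and vice versa, and a ctx signature made under context "foo" does not verify under "bar", because the mismatched dom2() prefix changes the challenge hash. It also shows Ilari's observation that nothing secret goes into the prefix: the verifier builds dom2(mode, ctx) from public data alone.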