IETF Logo Mail Archive

Re: [Cfrg] I-D Action: draft-irtf-cfrg-eddsa-08.txt

Yoav Nir <ynir.ietf@gmail.com> Thu, 25 August 2016 21:06 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FD1012B02C for <cfrg@ietfa.amsl.com>; Thu, 25 Aug 2016 14:06:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i0CHqnSC4Qi7 for <cfrg@ietfa.amsl.com>; Thu, 25 Aug 2016 14:06:47 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 465AF126D74 for <cfrg@ietf.org>; Thu, 25 Aug 2016 14:06:47 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id i5so90755740wmg.0 for <cfrg@ietf.org>; Thu, 25 Aug 2016 14:06:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=Rek/FQ3OV4vJ5NN07V1H/+lX16+JQIZ/GMYMiyxtGzQ=; b=H/dlLA33KtJm/dic+gnk04PCW4nvHbK0vQ04Xf/wt8zJYrqnmABdfnptM9u5aksNVz tDIFD3jHe+NtnZ2rPfLfebsnBh63Yonyj0WhNB2w5ErHZDFTIxXiU6Kz6tSzMWVJv0Z4 LKkEWAOsMdzEzsvfIp28ww0+qhfVUV4CyfktLNOruy/dUyAoQFTXQ0/qdFXMwinleuOy kAQHV2mAI3VAaztl+EHPQspeEndqqRcTjabyAWGdGJLnHuuKR0TNnS6V2kl0g0dxDnvb FtaVpJ0qdOTIiCJt3/GnfJZz1zkfhNXP64tth1FnLwXC28r1x6mhI1jQnb3y1GXpayZV Wekg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to; bh=Rek/FQ3OV4vJ5NN07V1H/+lX16+JQIZ/GMYMiyxtGzQ=; b=fLAHp4X1aDZEU68wVNbz138SQTgnX1L0db/aBLWVAG8oFS/WggpUXlV8htKxEPYEP2 7SzTQfR6/u/+wWsZz4VGgWkhmkCe3G6PXn61fkSEqlG48euoourT/ypf6GYG4lFN7oWY RFEQuYS9bm4oCTioaY5sv5Rh00ydTPPWInfpZ3nYcIPMrDhvfi7WSx90OOJnYFaodsiy /8uPOVQ3n3Qk3T0THsjXmZUobinn9Ia9mhG7c1jBotoo0BAVLXRR/UtfzrK43sFjoDeN AhBmFvD8xi6D77k8Nu6JmdSye6WEZYO3MhKumqHaXtb6ta5vktPCMvgXnUn5lj9djqz1 IjRQ==
X-Gm-Message-State: AE9vXwO5/2lVLZ3mKo/eSeNgvqM4RBj/vFaHHzTWBxJ/YY6IH8u4MQooZMlTHxmpQZjU6w==
X-Received: by 10.28.37.67 with SMTP id l64mr10058269wml.105.1472159205455; Thu, 25 Aug 2016 14:06:45 -0700 (PDT)
Received: from [192.168.1.14] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id g1sm16907201wjy.5.2016.08.25.14.06.44 for <cfrg@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 25 Aug 2016 14:06:44 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <147160042450.24153.3490570099010698852.idtracker@ietfa.amsl.com>
Date: Fri, 26 Aug 2016 00:06:41 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <DA93E216-3C40-465F-A580-4F31C9909355@gmail.com>
References: <147160042450.24153.3490570099010698852.idtracker@ietfa.amsl.com>
To: "<cfrg@ietf.org>" <cfrg@ietf.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/DkDuDeCEAoh6xTjyI4yIKEuFPkc>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-eddsa-08.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 21:06:49 -0000

Hi.

I’ve read this draft in the context of writing both RFC4492bis for TLS and draft-nir-ipsecme-eddsa for IPsecME. So of course I’m mainly interested in selecting the right variant for each key length. I’ll get back to that, bit first some things that I found that I don’t think are clear enough:

Section 10.3 begins like this:
   Contexts can be used to separate uses of the protocol between
   different protocols (which is very hard to reliably do otherwise)

So I think you meant to separate uses of the *algorithm* between different protocols.

The section proceeds to give some warnings about using contexts. The first paragraph requires not to use parts of the message for the context, but prohibits this with a SHOULD NOT. No explanation is given as to why not, nor in what cases you would do so anyway (it is a SHOULD NOT rather than a MUST NOT). The third paragraph is about percolating the context string through APIs which currently do not have context parameters. That is pretty clear although I don’t like the re-use of the word “protocol” at the very end. I think API is more correct.

The second paragraph, I don’t understand:
      Contexts SHOULD NOT be used oppurtunistically, as that kind of use
      is very error-prone.  If contexts are used, one SHOULD require all
      signature schemes avaiable for use in that purpose support
      contexts.

What does that even mean? AFAIK EdDSA is the only scheme with contexts. So if I plan to use EdDSA with context I SHOULD use contexts in, say, RSA? That can’t work, so should I use contexts only when EdDSA is the only defined signature algorithm for the protocol? I don’t think that’s what was meant.

Section 10.5 explains well the considerations for choosing between 25519 and 448. It also makes the case for not using the pre-hashed version if it can be avoided. Then there’s this text about contexts:
   Ed25519ctx and Ed448 have contexts.  However, this is balanced by the
   problems noted in section about contexts.
   On implementation front, Ed25519 is widely implemented, and has many
   high-quality implementations.  The others have much worse support.

I’m assuming that “section about contexts” is 10.3. Might be worth to clarify that with a reference. And I’m guessing the problems noted are the ones in that second paragraph, although I still don’t understand why it is error-prone.


So with all that in mind, which variants should I choose for TLS and IKE?  Obviously the pre-hashed variants are out, as there is a SHOULD NOT against their use and neither TLS nor IKE sign any prohibitively large messages. These are not like the multi-megabyte CRLs discussed recently on the curdle list. So it comes down to contexts. Do I define some context strings like “IKEv2 Initiator Sign”, “TLS Server Sign”, etc. Or do I use the non-context (or empty context) versions because both protocols also support other signature schemes such as RSA, DSA and ECDSA?

Thanks

Yoav


> On 19 Aug 2016, at 12:53 PM, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum of the IETF.
> 
>        Title           : Edwards-curve Digital Signature Algorithm (EdDSA) 
>        Authors         : Simon Josefsson
>                          Ilari Liusvaara
> 	Filename        : draft-irtf-cfrg-eddsa-08.txt
> 	Pages           : 59
> 	Date            : 2016-08-19
> 
> Abstract:
>   The elliptic curve signature scheme Edwards-curve Digital Signature
>   Algorithm (EdDSA) is described.  The algorithm is instantiated with
>   recommended parameters for the edwards25519 and edwards448 curves.
>   An example implementation and test vectors are provided.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-irtf-cfrg-eddsa/
> 
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-08
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-eddsa-08
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email