Re: [Cfrg] Summary of the poll: Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

[Alexey Melnikov <alexey.melnikov@isode.com>]

Alyssa,

On 19/06/2015 19:00, Alyssa Rowan wrote:
> On 2015-06-19 07:27, D. J. Bernstein wrote:
>
>> I understand that the chairs are saying that the following
>> position has rough consensus:
> I've largely stayed out of this poll as I don't have an incredibly
> strong opinion here, but I'd also like clarity.
>
> EdDSA(H(m)) is weaker than EdDSA(m). Of course we desire
> collision-resistance in any hash that we choose, but EdDSA(m) doesn't
> NEED it.
>
> If we propose a change to Ed25519 that makes it weaker, we'll need to
> be very, very careful to justify why: otherwise our recommendations to
> the upstream working group may well not be useful in contrast to
> existing rough consensus and running code in, e.g., GnuPG and OpenSSH.
> If we don't have a strong opinion, is it really worth the change?
Just a reminder that CFRG is not trying to rubber-stamp any particular 
signature algorithm. CFRG might end up converging on something based on 
EdDSA, but at the moment it is too early to tell.

> TLS WG don't seem to have any concerns about Ed25519 implementation:
> they're in fact talking about which OIDs to allocate. They are the
> ones who will implement it in a way which most interacts with
> init-update-final APIs: if they don't care to change it, need we?
TLS WG will not assign an OID until the signature recommendation is 
settled in CFRG. Stephen (Security AD) was quite clear that he is 
against proliferation of multiple ciphers/signatures/etc and that he 
wants the signature issue to be settled in CFRG first.

Best Regards,
Alexey