Re: [Cfrg] Ed448 hash choice

Björn Edström <be@bjrn.se> Thu, 22 October 2015 10:38 UTC

In-Reply-To: <87a8rb42ia.fsf@latte.josefsson.org>
References: <87twprupdy.fsf@latte.josefsson.org> <56272D73.7070906@shiftleft.org> <20151021132052.GB4130@LK-Perkele-V2.elisa-laajakaista.fi> <CACsn0ckiSVPd7Hbzq5Tt_NBuj8ycrSzqjU832FFUYhFsEHxeGA@mail.gmail.com> <5627B8F6.7030003@shiftleft.org> <D24D338A.20EA8%uri@ll.mit.edu> <5627C68A.1040902@shiftleft.org> <87twpj45zz.fsf@latte.josefsson.org> <CAA4PzX1gvH4tAQc0bMEg6=CbNt5LtAxP3dsUt3MVu1=kQMKXoQ@mail.gmail.com> <87a8rb42ia.fsf@latte.josefsson.org>
Date: Thu, 22 Oct 2015 12:38:31 +0200
Message-ID: <CAA4PzX16sMXx8UiMi2ehdy7NdUrko29TYZNrt-mKtpVTVH-k-w@mail.gmail.com>
From: Björn Edström <be@bjrn.se>
To: Simon Josefsson <simon@josefsson.org>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, Alexey Melnikov <alexey.melnikov@isode.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/F6llnUQ0SKd8_F4lTUfwPkh2NO4>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Ed448 hash choice

I like the idea of a time-fixed poll to keep the work moving forward.
Kenny, Alexey?

(Also +1 for changing everything to big endian ;-)).

Cheers
Björn


On Thu, Oct 22, 2015 at 12:32 PM, Simon Josefsson <simon@josefsson.org> wrote:
> Björn Edström <be@bjrn.se> writes:
>
>> I'm gonna chime in with my two cents and vote for option 1, that is
>> SHAKE256 internally and SHA3-512 for the pre-hash. Ed25519 should be
>> left as-is.
>
> Maybe we can do a poll for complete Ed448 hash proposals to consider,
> with a fixed timeline, and then a poll between these proposals, also
> with a fixed timeline?  That seems to be one way of proceeding.
>
>> I don't have super strong opinions on the above from a technical merit
>> and I will not sleep badly at night if another option is decided. I am
>> however getting quite strong opinions that a decision should be made
>> soon before a hundred more emails will be written on this (slightly
>> bikeshed-y) topic. :-)
>
> We haven't discussed nearly as long as endianness yet. :-)
>
>> 4) I believe that regardless of what is recommended for Ed448ph,
>> people will use Ed448 on hashes in various ways anyway. So personally
>> I see Ed448ph more as a recommendation than a construct that really
>> needs to be specified to the same extent as Ed448. It could very well
>> be the case that the committee decides on one pre-hash and it will be
>> used completely differently in TLS 1.3 should TLS 1.3 get support for
>> a cipher suite with Ed448. So I don't think that the discussions about
>> what will happen with TLS 1.3 are relevant enough to change the work
>> on this draft.
>
> It may be that TLS uses Ed25519/Ed448 directly instead of
> Ed25519ph/Ed448ph too.  I don't believe pre-hashing makes sense for
> interactive TLS-like protocols that sign short messages.
>
> /Simon