[Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d
Björn Edström <be@bjrn.se> Wed, 09 December 2015 01:48 UTC
Return-Path: <bjorn.edstrom@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EBEF1A700A for <cfrg@ietfa.amsl.com>; Tue, 8 Dec 2015 17:48:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.921
X-Spam-Level:
X-Spam-Status: No, score=0.921 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zzB96I98Rj6W for <cfrg@ietfa.amsl.com>; Tue, 8 Dec 2015 17:48:20 -0800 (PST)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CD151A0025 for <cfrg@irtf.org>; Tue, 8 Dec 2015 17:48:18 -0800 (PST)
Received: by pfnn128 with SMTP id n128so21223122pfn.0 for <cfrg@irtf.org>; Tue, 08 Dec 2015 17:48:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=02vKAO0yX/KrGffdrREPUCX2WnCYjiB1CsBM4qHsY8E=; b=b5liNB95CTA5xN6vhopuw7nUb+akYWc038DiBCRlzHdRxbzAnEc0IjIXM3vE3LsD5F nZswUlJc7sGYdb6JgBL+T2XXOBUkgZupkdmf1Q3nFzN7OwN+gBxqpxl70IqKBnJ3l1xZ kY2sfU6XWiA5Y2AK400EegpoOFCYSKIe49rZdhkXVcIhbx+3KQcVZaEwdXhX9zl+cJK2 mTpTxVy7IITu1mb3/QJDDaPqqi2ue3JJW2G3nEJhciQDBvDGHHDVsNDfD7w4RXnWbdyF DENGxPra637YJ4cTs9/tjeJGeNAfy9geS7AlB7zQFhGnEOFbtKngvhCDn0O+8AT1S6rL BiNw==
MIME-Version: 1.0
X-Received: by 10.98.14.155 with SMTP id 27mr9441122pfo.92.1449625697719; Tue, 08 Dec 2015 17:48:17 -0800 (PST)
Sender: bjorn.edstrom@gmail.com
Received: by 10.66.20.131 with HTTP; Tue, 8 Dec 2015 17:48:17 -0800 (PST)
Date: Wed, 09 Dec 2015 02:48:17 +0100
X-Google-Sender-Auth: vgV1w6gSrPDlFFFFNIkgwJ84oww
Message-ID: <CAA4PzX18bcS_awPg-YDAoo90537Ot=s_nf7k_Vt75OVSdvtDrQ@mail.gmail.com>
From: Björn Edström <be@bjrn.se>
To: cfrg@irtf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/GOPQ6lgJcfrXboexQmgNk_ZIZW8>
Subject: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 01:48:21 -0000
Hi cfrg, For the vote [1] I'm thinking about the twoshakes-d proposal [2] and I can't decide what to vote on it. I'd like to talk this over because it touches some larger questions. 1) Ed25519 and Ed448 are described in the same draft. We see them as being part of a "family" of constructs that share certain properties or behavior with each other. They are quite similar after all. For some definition of "related", the authors consider the constructs related enough to be grouped together in one I.D. Here's the subtle part. Do we see the relation as being in "shape and form" or do we see the relation as "solving a common signing problem at different strength levels"? If we take the former view, then in my opinion we can't practically go for twoshakes-d, since that will change the shape and form of Ed448 to differ significantly from Ed25519 (which we really shouldn't touch too much in this regard since it's already deployed widely). If we take the latter view, then we can do whatever we want with Ed448, as long as it's not very unreasonable, and if it is done in the spirit of improving the strength level (which is already quite spinal tap-grade). In this view of the world twoshakes-d is pretty fine, since domain separation has security benefits. -- 2) Do we see HashEdDSA (such as Ed448ph) as a "signing construct with IUF" in it's own right i.e. a different beast, or do we see HashEdDSA as a recommendation for what hash the user will plug in into PureEdDSA to get IUF? The draft as is *could* have been written as "To get IUF behavior with Ed448 an implementation SHOULD use <hash>" (i,e. skipping the entire definition of HashEdDSA and the *ph versions) but since the *ph versions are defined and named that implies a black box signing construct view, from the point of view of the user (in my crypto library I have 4 primitives instead of 2). If we take the view that Ed448ph is a "signing construct" black box on it's own, then the twoshakes-d proposal is fine. The black box will take care of initializing the pre-hash for the user and the internals are hidden. If we take the view that Ed448ph is just a recommendation that for IUF you should do Ed448(SHAKE(prefix||...)), which is likely what is gonna happen in practice in actual source code, then we are in murkier waters and have a slight preference against twoshakes-d for two minor reasons: a) implementation errors, i.e. missing to take the prefix into account and 2) coupling. With "coupling" I mean that the signature context (which is seen as a different thing than the hashing context) must now live slightly longer and is more spread out, depending on protocol design. Thoughts? Cheers Björn [1] Poll: hash functions for Ed448 (ends on December 22nd) [2] http://www.ietf.org/mail-archive/web/cfrg/current/msg07629.html
- [Cfrg] On the differences of Ed25519/448 and how … Björn Edström
- [Cfrg] On the differences of Ed25519/448 and how … Björn Edström
- Re: [Cfrg] On the differences of Ed25519/448 and … Bryan A Ford
- Re: [Cfrg] On the differences of Ed25519/448 and … Simon Josefsson
- Re: [Cfrg] On the differences of Ed25519/448 and … Ilari Liusvaara
- Re: [Cfrg] On the differences of Ed25519/448 and … Gilles Van Assche
- Re: [Cfrg] On the differences of Ed25519/448 and … Tony Arcieri
- Re: [Cfrg] On the differences of Ed25519/448 and … Ilari Liusvaara
- Re: [Cfrg] On the differences of Ed25519/448 and … Bryan A Ford
- Re: [Cfrg] On the differences of Ed25519/448 and … Bryan A Ford
- Re: [Cfrg] On the differences of Ed25519/448 and … Bryan Ford
- Re: [Cfrg] On the differences of Ed25519/448 and … Ilari Liusvaara
- Re: [Cfrg] On the differences of Ed25519/448 and … Tony Arcieri
- Re: [Cfrg] On the differences of Ed25519/448 and … Simon Josefsson
- Re: [Cfrg] On the differences of Ed25519/448 and … Brian Smith
- Re: [Cfrg] On the differences of Ed25519/448 and … Simon Josefsson
- Re: [Cfrg] On the differences of Ed25519/448 and … Simon Josefsson
- Re: [Cfrg] On the differences of Ed25519/448 and … Ilari Liusvaara
- Re: [Cfrg] On the differences of Ed25519/448 and … Alexey Melnikov
- Re: [Cfrg] On the differences of Ed25519/448 and … Tony Arcieri