IETF Logo Mail Archive

[Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d

Björn Edström <be@bjrn.se> Wed, 09 December 2015 01:48 UTC

Return-Path: <bjorn.edstrom@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EBEF1A700A for <cfrg@ietfa.amsl.com>; Tue, 8 Dec 2015 17:48:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.921
X-Spam-Level:
X-Spam-Status: No, score=0.921 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zzB96I98Rj6W for <cfrg@ietfa.amsl.com>; Tue, 8 Dec 2015 17:48:20 -0800 (PST)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CD151A0025 for <cfrg@irtf.org>; Tue, 8 Dec 2015 17:48:18 -0800 (PST)
Received: by pfnn128 with SMTP id n128so21223122pfn.0 for <cfrg@irtf.org>; Tue, 08 Dec 2015 17:48:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=02vKAO0yX/KrGffdrREPUCX2WnCYjiB1CsBM4qHsY8E=; b=b5liNB95CTA5xN6vhopuw7nUb+akYWc038DiBCRlzHdRxbzAnEc0IjIXM3vE3LsD5F nZswUlJc7sGYdb6JgBL+T2XXOBUkgZupkdmf1Q3nFzN7OwN+gBxqpxl70IqKBnJ3l1xZ kY2sfU6XWiA5Y2AK400EegpoOFCYSKIe49rZdhkXVcIhbx+3KQcVZaEwdXhX9zl+cJK2 mTpTxVy7IITu1mb3/QJDDaPqqi2ue3JJW2G3nEJhciQDBvDGHHDVsNDfD7w4RXnWbdyF DENGxPra637YJ4cTs9/tjeJGeNAfy9geS7AlB7zQFhGnEOFbtKngvhCDn0O+8AT1S6rL BiNw==
MIME-Version: 1.0
X-Received: by 10.98.14.155 with SMTP id 27mr9441122pfo.92.1449625697719; Tue, 08 Dec 2015 17:48:17 -0800 (PST)
Sender: bjorn.edstrom@gmail.com
Received: by 10.66.20.131 with HTTP; Tue, 8 Dec 2015 17:48:17 -0800 (PST)
Date: Wed, 09 Dec 2015 02:48:17 +0100
X-Google-Sender-Auth: vgV1w6gSrPDlFFFFNIkgwJ84oww
Message-ID: <CAA4PzX18bcS_awPg-YDAoo90537Ot=s_nf7k_Vt75OVSdvtDrQ@mail.gmail.com>
From: Björn Edström <be@bjrn.se>
To: cfrg@irtf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/GOPQ6lgJcfrXboexQmgNk_ZIZW8>
Subject: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 01:48:21 -0000

Hi cfrg,

For the vote [1] I'm thinking about the twoshakes-d proposal [2] and I
can't decide what to vote on it. I'd like to talk this over because it
touches some larger questions.

1) Ed25519 and Ed448 are described in the same draft. We see them as
being part of a "family" of constructs that share certain properties
or behavior with each other. They are quite similar after all. For
some definition of "related", the authors consider the constructs
related enough to be grouped together in one I.D.

Here's the subtle part. Do we see the relation as being in "shape and
form" or do we see the relation as "solving a common signing problem
at different strength levels"?

If we take the former view, then in my opinion we can't practically go
for twoshakes-d, since that will change the shape and form of Ed448 to
differ significantly from Ed25519 (which we really shouldn't touch too
much in this regard since it's already deployed widely).

If we take the latter view, then we can do whatever we want with
Ed448, as long as it's not very unreasonable, and if it is done in the
spirit of improving the strength level (which is already quite spinal
tap-grade). In this view of the world twoshakes-d is pretty fine,
since domain separation has security benefits.

--

2) Do we see HashEdDSA (such as Ed448ph) as a "signing construct with
IUF" in it's own right i.e. a different beast, or do we see HashEdDSA
as a recommendation for what hash the user will plug in into PureEdDSA
to get IUF?

The draft as is *could* have been written as "To get IUF behavior with
Ed448 an implementation SHOULD use <hash>" (i,e. skipping the entire
definition of HashEdDSA and the *ph versions) but since the *ph
versions are defined and named that implies a black box signing
construct view, from the point of view of the user (in my crypto
library I have 4 primitives instead of 2).

If we take the view that Ed448ph is a "signing construct" black box on
it's own, then the twoshakes-d proposal is fine. The black box will
take care of initializing the pre-hash for the user and the internals
are hidden.

If we take the view that Ed448ph is just a recommendation that for IUF
you should do Ed448(SHAKE(prefix||...)), which is likely what is gonna
happen in practice in actual source code, then we are in murkier
waters and have a slight preference against twoshakes-d for two minor
reasons: a) implementation errors, i.e. missing to take the prefix
into account and 2) coupling. With "coupling" I mean that the
signature context (which is seen as a different thing than the hashing
context) must now live slightly longer and is more spread out,
depending on protocol design.

Thoughts?

Cheers
Björn

[1] Poll: hash functions for Ed448 (ends on December 22nd)
[2] http://www.ietf.org/mail-archive/web/cfrg/current/msg07629.html

v2.23.0 | Report a Bug | By Email