IETF Logo Mail Archive

Re: [CFRG] (Re: EdDSA square roots (RFC 8032))

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 15 February 2022 15:09 UTC

Return-Path: <prvs=00452c4725=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36BDB3A0D42 for <cfrg@ietfa.amsl.com>; Tue, 15 Feb 2022 07:09:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jOkz3x5hFhFw for <cfrg@ietfa.amsl.com>; Tue, 15 Feb 2022 07:08:59 -0800 (PST)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F01713A0D41 for <cfrg@irtf.org>; Tue, 15 Feb 2022 07:08:58 -0800 (PST)
Received: from LLEX2019-3.mitll.ad.local (llex2019-3.llan.ll.mit.edu [172.25.4.125]) by MX3.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 21FF8vNc323687 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <cfrg@irtf.org>; Tue, 15 Feb 2022 10:08:57 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=c01fOGWQcTPJ+EPPpZgfxF+oQTCTcwgrMWK6EssmM8OXHF6oUsuYus6Ix2k7yS7TJvW7XGcvHnzkrxIAf5Zw0EZ98J3KTMUNzP6bKV9VZBucj18inKytvgqLLZd8DX9GVfaFRdue14+HRO7IZdlbgCLO2VW2wIywoekM9HIdfkkG6pMvS59yTEFEVJFXBdO5eSFeHmBSo0KB8BOGrDRd1i1OLXp2Wz1X6dBxJ9WvxgGaTH46zYhcZoV2p+eI2QNHUp96q9r6CwtBC93KwHDOSwdQOO5xsYPK95yk9EM9w3DtC/4hBDBDxSQpjyfsZnDd3Al6oL7C3P/92zCOKGHAxA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=H75xwHaGZV8FcRkcV9vZ9+hu+3gPxVpmgUd/1mpnqS0=; b=gBqlQxuBlGV6PCJutarohL7EC0iTObtW9TVmZirlgJxhE/0BMHUI6J+DqJUFDtHQ6+YsDC7v2ROXr7TEtSRUmdivm8ebAo8Lw5e4SlgpUWSH/OHCdzyeG4zoX+U9d2uW4cYwqCIIXC1y5vCWqmPoLxA2JfzDmWvi5tXm57ClMrejusaizPmcgDraWehYxs+owGPZLXtudC5BGniqtbDSzX4fBwFBgTjabOiQ31vs0ZpmSua4RwDHKOwptnFIMdWI3yl6vsZ6nFIeEBXQcAWPChwFtY/zpBZnPq5qrszFM7DT2PtdtmEClEPM2kAaZs+urbebncFFhQpaRKsbXpGRDA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] (Re: EdDSA square roots (RFC 8032))
Thread-Index: AQHYIndYuG4p5u4VDky5/FurbHfSIKyUYyEA
Date: Tue, 15 Feb 2022 15:08:53 +0000
Message-ID: <EC273DEF-0F12-47B1-BA26-D8E9FC7EEF98@ll.mit.edu>
References: <b9c6c307-849b-c9ae-104d-53ab72bb98fe@gmail.com> <YcRrOf79lUxxNWjF@LK-Perkele-VII2.locald> <a58c69c8-195a-0bed-c272-1dc1e45381dd@gmail.com> <YcSiV08Ielip1nVZ@LK-Perkele-VII2.locald> <766CE918-B2F0-476C-8CE9-6A57F1938A40@vpnc.org> <HE1PR0701MB3050400B0EEA3F5505FB07E389249@HE1PR0701MB3050.eurprd07.prod.outlook.com> <YgoQhbwv/UFLbXxF@LK-Perkele-VII2.locald> <HE1PR0701MB305089C44BCA616D3A616E5B89339@HE1PR0701MB3050.eurprd07.prod.outlook.com> <cfffeb4d-2146-03b3-f962-a6235480e0e6@gmail.com>
In-Reply-To: <cfffeb4d-2146-03b3-f962-a6235480e0e6@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.56.21121100
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8be9d8b2-bcc9-4d7b-27f3-08d9f095149c
x-ms-traffictypediagnostic: BN0P110MB0981:EE_
x-microsoft-antispam-prvs: <BN0P110MB0981710B91BCB6D2793FE9F990349@BN0P110MB0981.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:3631;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Mu2uBBzUbrylhWDZ9SbneyfP62ln2+p5M5ZnHeyD6jGkXxLHA2w8i3dU78/rL0YWRVh07EEvihopAaBkN7xuWl7SYXY/fa87GRQpHkQQ81rOHskzLWuS8bN1OG9i92wLurw+DVpOUjgje6Vjwtv0TAzj3YBvFunLE5qaiA5avyNcWnKzjaIovcyH0o6yPW8QhHwvs2SkBEjvOvk/dv0/FF++s8/X3KckePRDt+41i87PZs25PIYEWt4BmD/PfweGUsyTZX3uPd4FQbaokiY6N0hOvjLNwOWYWsPZhVL8v9oEyHWiOF9mO16yPEuvFpyWj7NFAfZ2I7kouOOC/VL0zaApupfxM6zJcWIqIMNut63/CpnK+dv9trZ3O6VIPDUCwYs25Dz8XQTugGx9lhOqjhhL8SMVtoKI9SlrT8guk1Hb580hE5jCgzTndF+OGkqifgDWhyjQXVWqA7eQuVLHpFyNULuv04IussTL4py/KlOYLaS1aJ3uCY+VfCi+apehBo4dwnc53cfn4KGoTNHqOE0l3vpCkrhqOC+gYKcZZxixIfAc2xgbllzndEiLJ3kwEqXA6ZchKHu0Fe37Dc/PjfLvcOry3VFD238jssYkzewLi0Enj+pPXbovPqec88+PZ668SNXRj71iGmpJb86zv0kQ/pDI08qizJpu8UaMCZQmHDZviYuiW+juca4DTQ3PQ/+8JWQ9LKVisrZnsPr94dJwC5NdjSH+Qx3QJpcv+RM=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(38070700005)(99936003)(122000001)(166002)(38100700002)(2906002)(966005)(6486002)(498600001)(5660300002)(66946007)(66446008)(76116006)(66556008)(64756008)(66476007)(6916009)(53546011)(83380400001)(71200400001)(6506007)(33656002)(8676002)(186003)(8936002)(40140700001)(26005)(2616005)(75432002)(86362001)(6512007)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: xO52R1ULHC6tgV6BpPKF/DiiFxladDxhecQLzexJB0j0Aotv7BcHcA9UYB4KeeJ6TrXyoeXqhFxC115pLoW13G9HCbXUPTZ40bWop56T77bQYFK5e2iE4PbdsctmbFJgmtwyYql0ItXhm/n3zLS+0g==
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3727764532_1623084400"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 8be9d8b2-bcc9-4d7b-27f3-08d9f095149c
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Feb 2022 15:08:53.5426 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB0981
X-Proofpoint-ORIG-GUID: UgPoCqaAozfuG9dTgq0QuT9FmGmpen_i
X-Proofpoint-GUID: UgPoCqaAozfuG9dTgq0QuT9FmGmpen_i
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.816 definitions=2022-02-15_04:2022-02-14, 2022-02-15 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 mlxlogscore=999 suspectscore=0 spamscore=0 bulkscore=0 malwarescore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2201110000 definitions=main-2202150088
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JHXjzGmnHqJK0Z6aVp4Kgvyr0Fs>
Subject: Re: [CFRG] (Re: EdDSA square roots (RFC 8032))
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2022 15:09:05 -0000

I second the concern here. What are the advantages of qDSA over ECDSA and EdDSA? 

How many “pre-Quantum” signature algorithms to we want to standardize, and why?

 

Also, shouldn’t we specify the algorithms in a way conducive to validation testing? E.g., recall the discussion about implementer “forgetting” to add PH(M).

--

Regards,

Uri

 

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

                                                                                                                                     -  C. A. R. Hoare

 

 

From: CFRG <cfrg-bounces@irtf.org> on behalf of Rene Struik <rstruik.ext@gmail.com>
Date: Tuesday, February 15, 2022 at 09:21
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Ilari Liusvaara <ilariliusvaara@welho.com>, CFRG <cfrg@irtf.org>
Subject: [CFRG] (Re: EdDSA square roots (RFC 8032))

 

Hi John:

 

You wrote: "Only one type of key (and code) for DH and signatures". 

 

Doesn't co-factor ECDH and ECDSA with NIST's P-256 curve (or with short-Weierstrass curve Wei25519 [1]) already do this? Or, doesn't this count, since not sexy enough, or not coming from the right stable? BTW - it would be trivial to define Schnorr signatures (if that is the only thing that counts) with short-Weierstrass curves, without introducing yet more zoos of variants, roll-yet-something-new encoding formats, confusion, etc.

 

BTW - qDSA is again deterministic (to fit with the dogma of the day). There is nothing to preclude implementation of Ed25519 with Montgomery ladders (where only verification speed suffers compared to "Shamir's trick"), so I do not see the competitive advantage (but am happy to be educated here).

 

What would the benefit be of taking on yet another shiny object now? Shouldn't one first try and fix the current half-baked (pardon le mot) mess? 

 

Rene

 

Ref: [1] https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/ 

(see also https://www.ietf.org/archive/id/draft-struik-lwig-curve-representations-00.txt of Nov 17, 2017)

 

 

On 2022-02-15 1:42 a.m., John Mattsson wrote:

>Then if one really wants to optimize code size, there is qDSA,
>which can share vast majority of code with montgomery-ladder key
>exchange code, like unclamped curve25519.

 

Yes, I agree. I strongly think CFRG should look more at all aspects of signatures for IoT. It would then make more sense to look at new designs such as qDSA. I re-read the qDSA paper. It seems very promising with:

 

- Small memory footprint.

- Small code size.

- Only one type of key (and code) for DH and signatures.

- Fast (lower latency is good. Not sure power consumption is a practical problem).

 

I think it could make a lot of sense to standardize qDSA with a variable-length hash function like SHAKE128. SHA-256 is the old standard, I don't think we need to drag that into the future. 

 

Cheers,

John

 

From: CFRG <cfrg-bounces@irtf.org> on behalf of Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Monday, 14 February 2022 at 09:20
To: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [CFRG] EdDSA square roots (RFC 8032)

On Sun, Jan 30, 2022 at 09:45:36PM +0000, John Mattsson wrote:
> I agree with Paul that RFC8032bis would make a lot of sense. In
> addition to the issues discussed in this thread:
> 
> - Purely deterministic per-message nonces are highly problematic both
>   in IoT devices and in multi-signer settings. The issues are so
>   significant that the only choices are to not use EdDSA or to
>   implement the signing in a non-compliant way.
> 
> - Current constrained IoT devices use SHA-256 (in the future maybe
>   SHAKE256, KangarooTwelve, or NIST LWC). Implementing SHA-512 just
>   for EdDSA is not likely to happen. If EdDSA do not support the
>   _hash_ function supported on the device, they will likely use ECDSA
>   instead.

(Have fun with bit order if using ECDSA with SHAKE256 or
KangarooTwelve... I do not think the latter is even defined).

And I do not think it is possible to make EdDSA use SHA-256. What one
could do is define a new signature algorithm that is similar to what
EdDSA would be with arbitrary signature algorithm.


One example construction (closely modelled after Ed25519):


Parameters:

 * A group.
   + Assumed to be dlog-hard.
   + Generator G, of order l.
   + has constant-length octet-string encoding.
 * Hash function H
   + Assumed to be preimage-resistant.
   + Assumed to be from octets to octets.


Keygen:

1) Generate a random number a in range [1,l).
2) Let A=a*G (scalar multiplication)
3) Public key is encode(A), private key is a.


Signing:

1) Let r be random/noisy/deterministic per-message nonce in range
   [0,256^roctets), where roctets is big enough (what is big enough
   depends on l).
2) Let R = r*G (scalar multiplication)
3) Let h = le_decode(H(encode(R)|encode(A)|M))
4) Let s = (r+h*a)%l
5) Signature is encode(R)|le_encode(s). Where s is encoded using minimal
   constant-length encoding.

Note: If G is chosen so that l is the same as in Ed25519, then roctets
is at least 32. For l equal to one in Ed448, roctets is at least 56. One
way of determining roctets is to pick least value that gives entropy
loss of less than 1/sqrt(l).

Note: If G is chosen to be the same group as in Ed25519, and H is chosen
to be SHA-512, then the signatures will with overwhelming probability
pass Ed25519 signature verification. On the other hand, no natural
choice of G and H gives something compatible with Ed448.


Verifying:

1) Decode R, A and s. If decoding fails, reject.
2) Let h = le_decode(H(encode(R)|encode(A)|M))
3) Check s*G =? R + h*A holds  (*'s are scalar multiplications).

Note: For some beyond-standard-signature-security properties, check that
the encodings are canonical, and R and A have high order. Any legimate
signature is extremely unlikely to fail these checks.



For prehashing, I think it is better to do that at higher layer, which
can apply things like salting hashes in order to counter some attacks
against hash function used. 


Then if one really wants to optimize code size, there is qDSA,
which can share vast majority of code with montgomery-ladder key
exchange code, like unclamped curve25519.



-Ilari 

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-40f7d10cf9eb7c69&q=1&e=bc1044a0-1981-4657-818f-5ae3dd11e71d&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg



_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
 
-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

v2.23.0 | Report a Bug | By Email