IETF Logo Mail Archive

Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519

Benjamin Kaduk <kaduk@MIT.EDU> Thu, 21 April 2016 20:54 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A2F612E30E; Thu, 21 Apr 2016 13:54:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.217
X-Spam-Level:
X-Spam-Status: No, score=-5.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bfiy6RrR0HJi; Thu, 21 Apr 2016 13:54:26 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55E8212DC05; Thu, 21 Apr 2016 13:54:26 -0700 (PDT)
X-AuditID: 1209190e-cffff70000004bd5-51-57193e00768b
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id F1.75.19413.00E39175; Thu, 21 Apr 2016 16:54:25 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id u3LKsNa6027596; Thu, 21 Apr 2016 16:54:24 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u3LKsJfh032517 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 21 Apr 2016 16:54:22 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u3LKsIxI014518; Thu, 21 Apr 2016 16:54:18 -0400 (EDT)
Date: Thu, 21 Apr 2016 16:54:18 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
In-Reply-To: <87zismzo9o.fsf@alice.fifthhorseman.net>
Message-ID: <alpine.GSO.1.10.1604211649520.26829@multics.mit.edu>
References: <87bn543id1.fsf@alice.fifthhorseman.net> <D33CFF00.6A70D%kenny.paterson@rhul.ac.uk> <11c960b5f1fa42aaaf4cd0a6961332ec@usma1ex-dag1mb1.msg.corp.akamai.com> <87ziso1m0l.fsf@alice.fifthhorseman.net> <20160420142953.GA23528@LK-Perkele-V2.elisa-laajakaista.fi> <87potk1de7.fsf@alice.fifthhorseman.net> <20160420182617.GA23652@LK-Perkele-V2.elisa-laajakaista.fi> <87bn540xh3.fsf@alice.fifthhorseman.net> <20160421043947.GA24394@LK-Perkele-V2.elisa-laajakaista.fi> <alpine.GSO.1.10.1604211349530.26829@multics.mit.edu> <20160421195014.GA26169@LK-Perkele-V2.elisa-laajakaista.fi> <87zismzo9o.fsf@alice.fifthhorseman.net>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmplleLIzCtJLcpLzFFi42IR4hTV1mW0kww32J5q0bi5kdXi6K42FovW 7s9MFtfXPWW3eL97OovF9d1PmRzYPCYfWcDscba7ndVjyZKfTB4XDvcwe9zunsMWwBrFZZOS mpNZllqkb5fAlXHm7iHWgpMCFZfOt7I0MDbzdjFyckgImEgcnnOZrYuRi0NIoI1JYvbDw0wQ zkZGiZZtD5ghnENMElu6V7JAOA2MEqd7jzGD9LMIaEtMXTQPzGYTUJGY+WYjG4gtIqAvcebu BVYQm1mgm0ni6fFUEFtYoETixNyTYDWcAqYS/3pfg/XyCjhK/Jg4GWr1FxaJRS8WgCVEBXQk Vu+fwgJRJChxcuYTFoihWhLLp29jmcAoMAtJahaS1AJGplWMsim5Vbq5iZk5xanJusXJiXl5 qUW6xnq5mSV6qSmlmxjBoS3Jt4NxUoP3IUYBDkYlHl4OeYlwIdbEsuLK3EOMkhxMSqK8axUl w4X4kvJTKjMSizPii0pzUosPMUpwMCuJ8EZZAuV4UxIrq1KL8mFS0hwsSuK8jAwMDEIC6Ykl qdmpqQWpRTBZGQ4OJQneRTZAjYJFqempFWmZOSUIaSYOTpDhPEDDLUBqeIsLEnOLM9Mh8qcY FaXEeQVAEgIgiYzSPLhecOrZzaT6ilEc6BVh3h6QKh5g2oLrfgU0mAloMP9dUZDBJYkIKakG RvXiN9Zi3doL2vymCjToZD+IXOlWEdmVdF9uWRJHwM5YP4mv1Sw3JoheyQycWZoefNvZ3Hx1 cWkpn8inO9ENh74KZ/16q5j5K5f50Nopaxv6BGI1DNZKu3XcD9E2Wrsxls9bke/NVoGZc6tm Bc7SrBHt1fC2WHCk8FioaMjLR3y7Zh1/ZSqsxFKckWioxVxUnAgAC/2YXRgDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/KM0bq54O8TngSh5n67AvGBdXOb8>
Cc: Ondřej Surý <ondrej@sury.org>, "draft-irtf-cfrg-eddsa.all@ietf.org" <draft-irtf-cfrg-eddsa.all@ietf.org>, "Kaduk, Ben" <bkaduk@akamai.com>, "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Apr 2016 20:54:28 -0000

Hmm, Ilari's messages are not making it into either my MIT or my Akamai
inbox; that's quite unfortunate.

On Thu, 21 Apr 2016, Daniel Kahn Gillmor wrote:

> On Thu 2016-04-21 15:50:14 -0400, Ilari Liusvaara wrote:
> > I actually implemented the scheme (modifying the python reference
> > implementation in the draft (modifying H(x) to be SHA512(context|x)).
> >
> > - Modified and base scheme generate identical signatures and validate
> >   identical signatures for empty context (as expected).
> > - Signature of ('abc','def') is different from signature of ('abcd','ef')
> >   and does not cross-validate. Nor does either cross-validate with
> >   ('',abcdef).
>
> Is this because you're including the NUL octet between the context and
> the signature, or for some other reason?  if so, then i'd phrase it as:
>
>  signature of ('abc\0', 'def') is different from signature of ('abcd\0', 'ef')
>
> which i think everyone would agree is the right outcome.
>
> Or are you talking about some other scheme?

I think Ilari is talking about the Ed448 scheme already describe in the
document, which uses the function:

   dom(x, y)  The octet string "SigEd448" || octet(x) ||
      octet(OLEN(y)) || y, where x is in range 0-255 and y is octet
      string of at most 255 octets.  "SigEd448" is in ASCII (8 octets).

which length-prefixes the context before including it in the signed data,
among other things.  (The dom() output is then concatenated with other
data before being passed to SHAKE256 as H(x).)


> > [ben kaduk wrote:]
> >> From where I am sitting, it seems like there are two options: does
> >> the signing API include a context input?  If yes, use that input; if
> >> no, prepend the context to the message to be signed in my own code.
> >> What am I missing?
> >
> > This does not work.
>
> Why not?  Can you explain more?

I think we all need to be more clear about whether we are talking about
the existing Ed448 context scheme, or the bits in
http://unicorn-wg.github.io/context-labels/ .

My comments in this thread have centered on the latter.

-Ben

v2.23.0 | Report a Bug | By Email