IETF Logo Mail Archive

[CFRG] (Re: EdDSA square roots (RFC 8032))

Rene Struik <rstruik.ext@gmail.com> Tue, 15 February 2022 14:20 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4958C3A0C53 for <cfrg@ietfa.amsl.com>; Tue, 15 Feb 2022 06:20:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tJe1RP6oY4HC for <cfrg@ietfa.amsl.com>; Tue, 15 Feb 2022 06:20:44 -0800 (PST)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6CFC3A0C56 for <cfrg@irtf.org>; Tue, 15 Feb 2022 06:20:43 -0800 (PST)
Received: by mail-qv1-xf36.google.com with SMTP id v10so17725245qvk.7 for <cfrg@irtf.org>; Tue, 15 Feb 2022 06:20:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:content-language:to :references:from:subject:in-reply-to; bh=930V0Btym99grlMIufEsVNQYRH1NSmgpVszMqWoUiWI=; b=Mnc3oZyz08S/0+6yBNBlDJvISNoZX+6Gi6HnqzYvdM0Z6hkpi5gktZ90RYoqosU2e1 BhIGNl1gWisU67Z3uAliQRYVxO4yJnJkB2zD8rXHtilBkhSj35lBbYNUj53y6um3A0At Ify9hBmSjDm++uHk16BChfMBJSc7bRvPmpXhk2dQw1n38r+6gs/a3QfReSQ9SYfDSm/p 4JvpsEnf31Cr+j3iseCqxm2n/gV/bbn4cLQ12jDPQOazMY7jxdD6Cljj2/DejKcpZz1w vGwBTFtfkzDu6b2cajAx2yesNJgYt2nN01oQilAV+18Ete3vYfDDrDXanF1AcZTULLeg fwpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:to:references:from:subject:in-reply-to; bh=930V0Btym99grlMIufEsVNQYRH1NSmgpVszMqWoUiWI=; b=InyHXeeAvv1CDVcpe82ujwR+q2xccsappdlWo6g7IImn3a55ssgdkws5XwXFSNe9Yj vlrbip382mDPxWwMML2n/5NVBmemqQDee7j4AI2Z7R+dQToabHF7L2/g0b99huu2Jlh6 718RX4WhyWt3cNfY2Vvr1YfaxAdrR03JXZEEoP+vQSwDIx+zd9gutTOH10qHhPbeHNLS AgloGlh5vqeN47XxFgVSTnnkKggu78DDwSNYc52a8YeX3ydFLuxq3bdsnlSPefnXxxow fHl+hRn7KCefVVwp3qS1prWkjlJcRRumsYy9LUg0jtZHdP37s/csbbxj9cLytC0QKWFl ITAg==
X-Gm-Message-State: AOAM532BEjRkFbkDh1nrQfdjkUhhm+d10fzxMn2Jk03q7wC2aC0j+0Sg zr3i52IkobswMffWmFozxwhInQOltEE=
X-Google-Smtp-Source: ABdhPJwGO9qWLC1eWS5Y4vLn9JNKI2zw6mpuWRwgFn10Hv76RhgQrWmWC9NMJ4yGN4RS6XyRgRr2yQ==
X-Received: by 2002:a0c:ff4a:: with SMTP id y10mr2620245qvt.7.1644934842012; Tue, 15 Feb 2022 06:20:42 -0800 (PST)
Received: from ?IPV6:2607:fea8:8a0:1397:b920:3bac:c83:f4e3? ([2607:fea8:8a0:1397:b920:3bac:c83:f4e3]) by smtp.gmail.com with ESMTPSA id i13sm17524087qko.91.2022.02.15.06.20.40 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 15 Feb 2022 06:20:41 -0800 (PST)
Content-Type: multipart/alternative; boundary="------------jI6vpJC859Ev1STAnnN8ELiX"
Message-ID: <cfffeb4d-2146-03b3-f962-a6235480e0e6@gmail.com>
Date: Tue, 15 Feb 2022 09:20:39 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.6.0
Content-Language: en-US
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Ilari Liusvaara <ilariliusvaara@welho.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <b9c6c307-849b-c9ae-104d-53ab72bb98fe@gmail.com> <YcRrOf79lUxxNWjF@LK-Perkele-VII2.locald> <a58c69c8-195a-0bed-c272-1dc1e45381dd@gmail.com> <YcSiV08Ielip1nVZ@LK-Perkele-VII2.locald> <766CE918-B2F0-476C-8CE9-6A57F1938A40@vpnc.org> <HE1PR0701MB3050400B0EEA3F5505FB07E389249@HE1PR0701MB3050.eurprd07.prod.outlook.com> <YgoQhbwv/UFLbXxF@LK-Perkele-VII2.locald> <HE1PR0701MB305089C44BCA616D3A616E5B89339@HE1PR0701MB3050.eurprd07.prod.outlook.com>
From: Rene Struik <rstruik.ext@gmail.com>
In-Reply-To: <HE1PR0701MB305089C44BCA616D3A616E5B89339@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KOMUKUCXS_a9-L-Ceb8F4kH6dqE>
Subject: [CFRG] (Re: EdDSA square roots (RFC 8032))
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2022 14:20:50 -0000

Hi John:

You wrote: "Only one type of key (and code) for DH and signatures".

Doesn't co-factor ECDH and ECDSA with NIST's P-256 curve (or with 
short-Weierstrass curve Wei25519 [1]) already do this? Or, doesn't this 
count, since not sexy enough, or not coming from the right stable? BTW - 
it would be trivial to define Schnorr signatures (if that is the only 
thing that counts) with short-Weierstrass curves, without introducing 
yet more zoos of variants, roll-yet-something-new encoding formats, 
confusion, etc.

BTW - qDSA is again deterministic (to fit with the dogma of the day). 
There is nothing to preclude implementation of Ed25519 with Montgomery 
ladders (where only verification speed suffers compared to "Shamir's 
trick"), so I do not see the competitive advantage (but am happy to be 
educated here).

What would the benefit be of taking on yet another shiny object now? 
Shouldn't one first try and fix the current half-baked (pardon le mot) 
mess?

Rene

Ref: [1] 
https://datatracker.ietf.org/doc/draft-ietf-lwig-curve-representations/
(see also 
https://www.ietf.org/archive/id/draft-struik-lwig-curve-representations-00.txt 
of Nov 17, 2017)


On 2022-02-15 1:42 a.m., John Mattsson wrote:
>
> >Then if one really wants to optimize code size, there is qDSA,
> >which can share vast majority of code with montgomery-ladder key
> >exchange code, like unclamped curve25519.
>
> Yes, I agree. I strongly think CFRG should look more at all aspects of 
> signatures for IoT. It would then make more sense to look at new 
> designs such as qDSA. I re-read the qDSA paper. It seems very 
> promising with:
>
> - Small memory footprint.
>
> - Small code size.
>
> - Only one type of key (and code) for DH and signatures.
>
> - Fast (lower latency is good. Not sure power consumption is a 
> practical problem).
>
> I think it could make a lot of sense to standardize qDSA with 
> avariable-length hash function like SHAKE128. SHA-256 is the old 
> standard, I don't think we need to drag that into the future.
>
> Cheers,
>
> John
>
> *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Ilari Liusvaara 
> <ilariliusvaara@welho.com>
> *Date: *Monday, 14 February 2022 at 09:20
> *To: *cfrg@irtf.org <cfrg@irtf.org>
> *Subject: *Re: [CFRG] EdDSA square roots (RFC 8032)
>
> On Sun, Jan 30, 2022 at 09:45:36PM +0000, John Mattsson wrote:
> > I agree with Paul that RFC8032bis would make a lot of sense. In
> > addition to the issues discussed in this thread:
> >
> > - Purely deterministic per-message nonces are highly problematic both
> >   in IoT devices and in multi-signer settings. The issues are so
> >   significant that the only choices are to not use EdDSA or to
> >   implement the signing in a non-compliant way.
> >
> > - Current constrained IoT devices use SHA-256 (in the future maybe
> >   SHAKE256, KangarooTwelve, or NIST LWC). Implementing SHA-512 just
> >   for EdDSA is not likely to happen. If EdDSA do not support the
> >   _hash_ function supported on the device, they will likely use ECDSA
> >   instead.
>
> (Have fun with bit order if using ECDSA with SHAKE256 or
> KangarooTwelve... I do not think the latter is even defined).
>
> And I do not think it is possible to make EdDSA use SHA-256. What one
> could do is define a new signature algorithm that is similar to what
> EdDSA would be with arbitrary signature algorithm.
>
>
> One example construction (closely modelled after Ed25519):
>
>
> Parameters:
>
>  * A group.
>    + Assumed to be dlog-hard.
>    + Generator G, of order l.
>    + has constant-length octet-string encoding.
>  * Hash function H
>    + Assumed to be preimage-resistant.
>    + Assumed to be from octets to octets.
>
>
> Keygen:
>
> 1) Generate a random number a in range [1,l).
> 2) Let A=a*G (scalar multiplication)
> 3) Public key is encode(A), private key is a.
>
>
> Signing:
>
> 1) Let r be random/noisy/deterministic per-message nonce in range
>    [0,256^roctets), where roctets is big enough (what is big enough
>    depends on l).
> 2) Let R = r*G (scalar multiplication)
> 3) Let h = le_decode(H(encode(R)|encode(A)|M))
> 4) Let s = (r+h*a)%l
> 5) Signature is encode(R)|le_encode(s). Where s is encoded using minimal
>    constant-length encoding.
>
> Note: If G is chosen so that l is the same as in Ed25519, then roctets
> is at least 32. For l equal to one in Ed448, roctets is at least 56. One
> way of determining roctets is to pick least value that gives entropy
> loss of less than 1/sqrt(l).
>
> Note: If G is chosen to be the same group as in Ed25519, and H is chosen
> to be SHA-512, then the signatures will with overwhelming probability
> pass Ed25519 signature verification. On the other hand, no natural
> choice of G and H gives something compatible with Ed448.
>
>
> Verifying:
>
> 1) Decode R, A and s. If decoding fails, reject.
> 2) Let h = le_decode(H(encode(R)|encode(A)|M))
> 3) Check s*G =? R + h*A holds  (*'s are scalar multiplications).
>
> Note: For some beyond-standard-signature-security properties, check that
> the encodings are canonical, and R and A have high order. Any legimate
> signature is extremely unlikely to fail these checks.
>
>
>
> For prehashing, I think it is better to do that at higher layer, which
> can apply things like salting hashes in order to counter some attacks
> against hash function used.
>
>
> Then if one really wants to optimize code size, there is qDSA,
> which can share vast majority of code with montgomery-ladder key
> exchange code, like unclamped curve25519.
>
>
>
> -Ilari
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-40f7d10cf9eb7c69&q=1&e=bc1044a0-1981-4657-818f-5ae3dd11e71d&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg 
> <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-40f7d10cf9eb7c69&q=1&e=bc1044a0-1981-4657-818f-5ae3dd11e71d&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg>
>
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg


-- 
email:rstruik.ext@gmail.com  | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

v2.23.0 | Report a Bug | By Email