IETF Logo Mail Archive

Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 20 April 2016 21:41 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26D7A12E983; Wed, 20 Apr 2016 14:41:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJKYlafcohUe; Wed, 20 Apr 2016 14:41:31 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id 716FE12E7C4; Wed, 20 Apr 2016 14:41:31 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 6E4BFF991; Wed, 20 Apr 2016 17:41:28 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 54A381FFE0; Wed, 20 Apr 2016 17:41:28 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
In-Reply-To: <20160420182617.GA23652@LK-Perkele-V2.elisa-laajakaista.fi>
References: <87bn543id1.fsf@alice.fifthhorseman.net> <D33CFF00.6A70D%kenny.paterson@rhul.ac.uk> <11c960b5f1fa42aaaf4cd0a6961332ec@usma1ex-dag1mb1.msg.corp.akamai.com> <87ziso1m0l.fsf@alice.fifthhorseman.net> <20160420142953.GA23528@LK-Perkele-V2.elisa-laajakaista.fi> <87potk1de7.fsf@alice.fifthhorseman.net> <20160420182617.GA23652@LK-Perkele-V2.elisa-laajakaista.fi>
User-Agent: Notmuch/0.21+128~g620f892 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Wed, 20 Apr 2016 17:41:28 -0400
Message-ID: <87bn540xh3.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Na3SiQTmyA_BBSBE_LKR5hr2gBQ>
Cc: Robert Edmonds <edmonds@debian.org>, "draft-irtf-cfrg-eddsa.all@ietf.org" <draft-irtf-cfrg-eddsa.all@ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>, Ondřej Surý <ondrej@sury.org>, "Kaduk, Ben" <bkaduk@akamai.com>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 21:41:33 -0000

On Wed 2016-04-20 14:26:17 -0400, Ilari Liusvaara wrote:
> On Wed, Apr 20, 2016 at 11:57:36AM -0400, Daniel Kahn Gillmor wrote:
>> On Wed 2016-04-20 10:29:53 -0400, Ilari Liusvaara wrote:
>> > Also, anyone up to some quick analysis to show that doesn't interact
>> > harmfully with Ed25519 when using the same keys?
>> 
>> eh?  this is specifically and only about how to apply a context label in
>> Ed25519 and Ed25519ph, since it's already defined for Ed448 -- what do
>> you mean "interact harmfully with Ed25519" ?
>
> Suppose attacker can get signatures for arbitrary (context,message) pairs
> under some key, can he forge a signature for some (context',message') under
> that key that he didn't see?

sure, by definition if context' is a prefix of context, and message' is
just the concatenation of (context - context' || message), then it's a
viable forgery.

This is the price we pay for backward compatibility, but it's actually a
*better* situation than we have without a recommended way to use a
context label.

Without a context label, any arbitrary message can be treated as a
"forgery" by simply replaying it in a different context. (e.g. i sign
an ASN.1 sequence of two integers, and you understand it as signed
finite-field DHE params, but i wanted you to understand it as an RSA
public key)

With a context label, for every domain that defines a sane context
(e.g. the guidance i suggested of printable-ascii followed by '\0'), we
can rule out inter-domain replay as a successful forgery because no
context will be a prefix of any other context.

Furthermore, in practice, if we don't specify a standard way to use a
context label for domain separation in Ed25519, different schemes may
apply the context label in different ways, potentially allowing for some
message collision.

>> > Also, that wouldn't solve the troublesome interaction between Ed25519
>> > and Ed25519ph...
>> 
>> That's true, this proposal doesn't try to solve that problem.  I hope it
>> can be evaluated independently.
>
> I actually once implemented variant of Ed25519 with contexts done like
> Ed448. Separate variant, so needed its own keys. It would be very easy
> to build Ed25519ph-like scheme by just using SHA-512(msg) as prehash
> and marking the message as prehashed (there is no need for context in
> inner hash).

i'm sure we could propose an entirely new variant that has the same
robustness as Ed448, but it would fail the backward compatibility goals
that i thought the group (including you) had previously identified. In
my proposal here, i am trying to work within those constraints.  Are you
saying that Ed25519ph doesn't need the backward compatibility?

If you're proposing a fix to a separate problem, is it something we can
consider separately?

   --dkg

v2.23.0 | Report a Bug | By Email