Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 22 April 2016 15:29 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEA0112D642 for <cfrg@ietfa.amsl.com>; Fri, 22 Apr 2016 08:29:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F1fflUPODnBD for <cfrg@ietfa.amsl.com>; Fri, 22 Apr 2016 08:29:34 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id 644A712D1B8 for <cfrg@ietf.org>; Fri, 22 Apr 2016 08:29:34 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 5E5A8F991; Fri, 22 Apr 2016 11:29:32 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id B48F720057; Fri, 22 Apr 2016 11:29:32 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "cfrg@ietf.org" <cfrg@ietf.org>
In-Reply-To: <20160422112842.GA28192@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160420182617.GA23652@LK-Perkele-V2.elisa-laajakaista.fi> <87bn540xh3.fsf@alice.fifthhorseman.net> <20160421043947.GA24394@LK-Perkele-V2.elisa-laajakaista.fi> <alpine.GSO.1.10.1604211349530.26829@multics.mit.edu> <20160421195014.GA26169@LK-Perkele-V2.elisa-laajakaista.fi> <87zismzo9o.fsf@alice.fifthhorseman.net> <20160422062121.GA27448@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnVd28WHT+wpMxVd+XczkiJmExkjTewG5B_a1uKgTMo7+A@mail.gmail.com> <20160422091618.GB27448@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnUGSWYe+Z4t63GpNipLLUx4G43U+ARL+jYL825k6QraMw@mail.gmail.com> <20160422112842.GA28192@LK-Perkele-V2.elisa-laajakaista.fi>
User-Agent: Notmuch/0.21+128~g620f892 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Fri, 22 Apr 2016 11:29:32 -0400
Message-ID: <87mvoly84j.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Nu-swUhhQzm4szQaJjNwqHfdqAA>
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2016 15:29:35 -0000
On Fri 2016-04-22 07:28:43 -0400, Ilari Liusvaara wrote: > 1) More vulernable to attacks there. can you describe the attacks you're concerned about? > Or just split on key. May be bit painful (and sometimes not possible > at all, e.g. TLS versus CSR) but much better than dealing with the > API mess. I don't think the API mess is as worrisome as you do. We've had API changes for primitives in the past (i already mentioned HKDF's evolution from previous context-free KDF schemes), and they haven't caused the sky to fall. We already have a plan for how people can continue using the primitive without a context label, and we can provide a well-defined (granted, suboptimal) way for people to use it *with* a context label as well. >> I'm having a hard time understanding what you want out of this >> conversation. Maybe you could try to explain whether you think that >> context is a good idea and maybe how you would prefer that we solve >> the problem. > > It is not possible to retrofit contexts into Ed25519 in a way that > I would be even remotely comfortable with. This is because Ed25519 > lacks any space to put any extensions to. Right, this is the backward-compatibility issue. So, we're trying to propose a standard way that people who want contexts can use them with Ed25519 that doesn't break backward compatibility with context-free Ed25519. This is guaranteed to be weaker protection than a scheme that included contexts from the beginning; but we're not at the beginning -- the deployed base of "pure" Ed25519 is too large. However, it seems likely to offer better protection than either: a) no one does domain separation at all even in cases where key separation is not possible b) different protocols make up their own domain separation mechanisms, which may or may not collide with each other No one is arguing that this is a perfect thing to do for Ed25519, we're arguing that we should do something which is better than nothing at all. This is the curse of trying to improve a deployed base. it should be familiar to anyone who works at the IETF :/ > Just adding contexts to Ed25519 without splitting variant would > leave it open for trivial attacks (or cryptographic screwedness > I really do not want to see). Are there other "trivial attacks" beyond confusing signature with a sane context with a context-free signature? Is there other cryptographic screwedness we should be aware of? I don't understand how to split the variant in a way that is successfully incompatible with "pure" Ed25519, since as you say Ed25519 has no extension mechanism. Are you proposing a way to do this that i'm not seeing? --dkg
- [Cfrg] draft-irtf-cfrg-eddsa -- one final proposa… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Paterson, Kenny
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Salz, Rich
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Salz, Rich
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Russ Housley
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… D. J. Bernstein
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Benjamin Kaduk
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… David Jacobson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Benjamin Kaduk
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Benjamin Kaduk
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Simon Josefsson
- [Cfrg] Side inputs to signature systems, take 2 D. J. Bernstein
- Re: [Cfrg] Side inputs to signature systems, take… Natanael
- Re: [Cfrg] Side inputs to signature systems, take… David Jacobson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Daniel Kahn Gillmor
- Re: [Cfrg] Side inputs to signature systems, take… Daniel Kahn Gillmor
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Simon Josefsson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Benjamin Kaduk
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Ilari Liusvaara
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Simon Josefsson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Martin Thomson
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Bryan Ford
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Dang, Quynh (Fed)
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… D. J. Bernstein
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Bryan Ford
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… Richard Outerbridge
- Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final pro… D. J. Bernstein