Re: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d

Tony Arcieri <bascule@gmail.com> Mon, 28 December 2015 22:03 UTC

In-Reply-To: <56816029.6020300@isode.com>
References: <CAA4PzX18bcS_awPg-YDAoo90537Ot=s_nf7k_Vt75OVSdvtDrQ@mail.gmail.com> <87fuzcng51.fsf@latte.josefsson.org> <20151209125944.GA26766@LK-Perkele-V2.elisa-laajakaista.fi> <566AEB08.9070302@st.com> <CAHOTMV+1am7eyn_H8JLdR_GCU9twonduEpxRnQTJEVOb+Gq6jg@mail.gmail.com> <566BDF12.9060501@gmail.com> <CAHOTMV+DD1qnHAtEBvKy-7hQgsq6vF5Ba4v_WCvEei24VNK=uQ@mail.gmail.com> <56816029.6020300@isode.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Mon, 28 Dec 2015 14:02:39 -0800
Message-ID: <CAHOTMV+dsxxTj7tNcnPf4mADCkS+Drsu9q9YN92SBqVnSn+CPg@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/QWVn9PUgJ7GcuFaRIZXW1lU1jlQ>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Mon, Dec 28, 2015 at 8:15 AM, Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

> My personal preference would be to use the decision for 448 as the
> future template, however I realize that that might be a rathole I would
> rather not descend into right now.
>
> So realistically, if CFRG were ever to recommend another EC curve, we would
> have to [quickly] revisit hash choices. As a co-chair, I would like to
> see a justification why future hash choices would be different from what
> we pick for Ed448.

As someone who +1'd twoshakes-d for the Ed448 decision, I guess it's
probably a bit late to change my mind, and once the SHA2/3 families are
agreed upon as standards, there's little need to change.

The only reason I have any reluctance is because there haven't been, to my
knowledge, any sort of attack on the SHA2 family, and it continues to
provide the best performance.

Ryan Sleevi recently detailed a history of the role of (broken) hash
functions in digital signatures on TLS certificates:

https://medium.com/@sleevi_/a-history-of-hard-choices-c1e1cc9bb089#.ykzwmnjyp

My main takeaway from this was if there were any reason to doubt the SHA2
family now, we should immediately move away from it, but thus far there is
not.

I don't doubt that SHAKE256 is the more conservative choice, but I do speak
as someone who cares about the capacity of TLS-terminating frontend
servers. I'm guessing people who are interested in FourQ would probably
want the most performant option in a hash function (given that the performance
impact of scalar multiplication will greatly outweigh that of calculating a
hash).

I guess my point is: if this is to be a framework for future curves, is
there any possibility of specifying both a SHA2 and SHA3 option?
(effectively parameterizing the signature algorithm around a hash function
in addition to a curve).

--
Tony Arcieri
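The parameterization Tony asks about, shown as an added example that is not part of this thread: a minimal Ed25519 in Python where the hash H is a parameter of key generation, signing and verification. With H = SHA-512 it reproduces RFC 8032 Ed25519 (the test vector in the thread's terms: same curve, same hash); the SHAKE256 variant is only an illustration of the swap and is not Ed448, which uses a different curve, a 114-byte SHAKE256 output and a domain-separation prefix. The affine arithmetic is written for readability and is variable-time, so it shows the structure rather than a deployable implementation.

```python
import hashlib  # added illustration, not from the thread: EdDSA with pluggable H

p = 2**255 - 19                                       # Ed25519 field prime
q = 2**252 + 27742317777372353535851937790883648493   # group order
d = (-121665 * pow(121666, -1, p)) % p                # curve constant

def xrecover(y):  # even x with -x^2 + y^2 = 1 + d x^2 y^2 (RFC 8032 5.1.3)
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return x if x % 2 == 0 else p - x

G = (xrecover(4 * pow(5, -1, p) % p), 4 * pow(5, -1, p) % p)  # base point, y = 4/5

def add(P, Q):  # affine twisted-Edwards addition (a = -1), complete formula
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(k, P):  # double-and-add scalar multiplication, neutral element (0, 1)
    R = (0, 1)
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def enc(P):  # RFC 8032 encoding: y in 32 LE bytes, parity of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def dec(s):  # inverse of enc
    v = int.from_bytes(s, "little"); x = xrecover(v & ((1 << 255) - 1))
    return (p - x if (x & 1) != (v >> 255) else x, v & ((1 << 255) - 1))

H_SHA512 = lambda m: hashlib.sha512(m).digest()          # Ed25519's H
H_SHAKE256 = lambda m: hashlib.shake_256(m).digest(64)   # illustrative swap only

def keygen(seed, H):  # expand seed with H into clamped scalar a, prefix, public A
    h = H(seed)
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:], enc(mul(a, G))

def sign(seed, msg, H):
    a, prefix, A = keygen(seed, H)
    r = int.from_bytes(H(prefix + msg), "little") % q     # deterministic nonce
    R = enc(mul(r, G))
    k = int.from_bytes(H(R + A + msg), "little") % q      # challenge
    return R + ((r + k * a) % q).to_bytes(32, "little")

def verify(A, msg, sig, H):
    R, S = sig[:32], int.from_bytes(sig[32:], "little")
    if S >= q: return False                                # reject malleable S
    k = int.from_bytes(H(R + A + msg), "little") % q
    return mul(S, G) == add(dec(R), mul(k, dec(A)))        # [S]G == R + [k]A
```

Only the three calls to H change between the two instantiations; the curve arithmetic is untouched, which is the sense in which the scheme is parameterized by hash as well as by curve.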