Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448

Derek Atkins <derek@ihtfp.com> Mon, 14 November 2016 16:29 UTC

From: Derek Atkins <derek@ihtfp.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <7DDD1353-96FC-4E70-8427-AA9C6F499232@vigilsec.com> <683700509df04d2eb8874fd292462946@XCH-RTP-006.cisco.com> <20161113061303.GA3000@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Mon, 14 Nov 2016 11:28:56 -0500
In-Reply-To: <20161113061303.GA3000@LK-Perkele-V2.elisa-laajakaista.fi> (Ilari Liusvaara's message of "Sun, 13 Nov 2016 08:13:03 +0200")
Message-ID: <sjmlgwmrpo7.fsf@securerf.ihtfp.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RI_o7D8YyFhhSojvPXDBDmLDagQ>
Cc: Russ Housley <housley@vigilsec.com>, IRTF CFRG <cfrg@irtf.org>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Subject: Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448

Ilari Liusvaara <ilariliusvaara@welho.com> writes:

> On Sun, Nov 13, 2016 at 04:20:28AM +0000, Scott Fluhrer (sfluhrer) wrote:
>> 
>> > -----Original Message-----
>> > From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Russ Housley
>> > Sent: Saturday, November 12, 2016 10:55 PM
>> > To: IRTF CFRG
>> > Subject: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
>
>> > What message digest algorithm should be used in step 1?
>> > 
>> > It seems that SHA3-512 would be a good choice to avoid having to implement
>> > more than one message digest algorithm to generate the signature or
>> > validate it.
>> 
>> How about SHAKE256, with the output limited to 256 bits?  SHAKE256 in
>> that mode ought to have the same security properties as SHA3-256 (as
>> they are the same except for different end-message padding).
>
> Eeh... Except SHAKE256 has 256-bit collision resistance, so one needs
> 512-bit output to reach that bound. And this is signatures right, where
> collision resistance is the most important?

It depends which security service of signatures you're asking about.
For non-repudiation, yes, collision resistance is important.  However
preimage resistance is important for integrity/forging security.

> The preimage resistances cap at 256 bits, but those aren't that
> important with signatures, and 256 bits is above the security level of
> the curve anyway.

Luckily for most hashes the preimage resistance is the full size of the
hash, whereas collision resistance is half.  So even though preimage
resistance is important we should focus on collision resistance when
choosing sizes.

> So 512-bit output?

If you want 256-bit collision resistance then yes, you would need
512-bit output.

>
> -Ilari

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
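The output-length arithmetic in the thread above, as an added Python example that is not part of the mailing-list message. It treats SHAKE256 as a sponge with 512-bit capacity, so generic collision resistance is min(d/2, 256) and generic preimage resistance is min(d, 256) for a d-bit output; the 224-bit figure used as the Ed448 target is an assumption taken from the curve's advertised security level, not from the thread. It also checks two properties practitioners tend to get wrong: a shorter SHAKE256 output is a prefix of a longer one, and SHAKE256 truncated to 256 bits is not the same digest as SHA3-256 (same permutation and capacity, different padding).

```python
import hashlib

# Keccak capacity shared by SHAKE256 and SHA3-512 (c = 512 bits). Generic
# attacks are bounded by c/2 = 256 bits regardless of how long the output is.
SHAKE256_CAPACITY_BITS = 512

# Assumption for this example: Ed448 is sized for roughly 224-bit security.
ED448_TARGET_SECURITY_BITS = 224


def generic_security_levels(output_bits: int,
                            capacity_bits: int = SHAKE256_CAPACITY_BITS) -> dict:
    """Generic (birthday / brute-force) bounds for a sponge XOF truncated to
    output_bits. Collision resistance is min(d/2, c/2); preimage resistance
    is min(d, c/2). Values are in bits."""
    return {
        "collision": min(output_bits // 2, capacity_bits // 2),
        "preimage": min(output_bits, capacity_bits // 2),
    }


def minimum_output_bits_for_collision(target_bits: int,
                                      capacity_bits: int = SHAKE256_CAPACITY_BITS):
    """Smallest output length that reaches target_bits of collision resistance,
    or None if the capacity makes that target unreachable."""
    if target_bits > capacity_bits // 2:
        return None
    return 2 * target_bits


def shake256_truncated(data: bytes, output_bits: int) -> bytes:
    """SHAKE256 with the output cut to output_bits (must be a multiple of 8)."""
    return hashlib.shake_256(data).digest(output_bits // 8)


def shake256_prefix_consistent(data: bytes, short_bits: int, long_bits: int) -> bool:
    """XOF property: requesting fewer output bits yields a prefix of the
    longer output, so a 256-bit truncation is literally the first 32 bytes
    of the 512-bit one."""
    long_out = shake256_truncated(data, long_bits)
    short_out = shake256_truncated(data, short_bits)
    return long_out.startswith(short_out)


def shake256_256_equals_sha3_256(data: bytes) -> bool:
    """SHAKE256 truncated to 256 bits and SHA3-256 use different domain
    separation padding, so their outputs differ even though the generic
    security bounds at that length coincide."""
    return shake256_truncated(data, 256) == hashlib.sha3_256(data).digest()


def summarize(output_bits_options=(256, 448, 512, 1024)) -> dict:
    """Map candidate output lengths to their generic bounds and whether the
    collision bound meets the Ed448 target."""
    return {
        d: dict(generic_security_levels(d),
                meets_ed448_target=generic_security_levels(d)["collision"]
                >= ED448_TARGET_SECURITY_BITS)
        for d in output_bits_options
    }


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input for the demo
    for d, info in summarize().items():
        print(f"SHAKE256/{d}: collision={info['collision']} preimage={info['preimage']} "
              f"meets_ed448_target={info['meets_ed448_target']}")
    print("256-bit prefix of 512-bit output:",
          shake256_prefix_consistent(msg, 256, 512))
    print("SHAKE256/256 == SHA3-256:", shake256_256_equals_sha3_256(msg))
```

The table this prints is the point of the thread: at 256 output bits the collision bound is only 128, below the curve's target; 448 bits is the first length that matches 224; 512 bits reaches the 256-bit ceiling, and going beyond 512 buys nothing because the capacity caps both bounds.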