Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors
Hubert Kario <hkario@redhat.com> Fri, 25 November 2022 13:05 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1255FC14CE2B for <cfrg@ietfa.amsl.com>; Fri, 25 Nov 2022 05:05:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7RqPPuoxeCI for <cfrg@ietfa.amsl.com>; Fri, 25 Nov 2022 05:04:55 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABD20C14CE2A for <cfrg@ietf.org>; Fri, 25 Nov 2022 05:04:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1669381494; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WLQvSNnNtm/QU3FlYLXhRn5TpVlYUKIkqCghf8iWwrI=; b=bSvbSnXfdoVELCQ0aTDMHffpVuK7YGYkoaNI7htZc1ycpC+I3hl01t1gLD5yrvu1uHueWo Eh8XGxViFYYHfe77DUdrTGLzZ2IgTQd2GsLkhb+juujSJHjNbGunETWBmx11jPrLkOfXdE s67NdMqziWAFUmiYPyUIqAFntikIZ/w=
Received: from mail-ej1-f70.google.com (mail-ej1-f70.google.com [209.85.218.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-443-2U0troEqPYmcATxsQrnbyw-1; Fri, 25 Nov 2022 08:04:53 -0500
X-MC-Unique: 2U0troEqPYmcATxsQrnbyw-1
Received: by mail-ej1-f70.google.com with SMTP id oz34-20020a1709077da200b007adc8d68e90so2244415ejc.11 for <cfrg@ietf.org>; Fri, 25 Nov 2022 05:04:53 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=WLQvSNnNtm/QU3FlYLXhRn5TpVlYUKIkqCghf8iWwrI=; b=Lhi2FNNBl//VXo2eAxuwWt52NsMv7Pez7Bt4YbFLzOQ1sXXkmff+kOMAKphkbz3O6Y vSDKqSWxkQ+WnMe/Bo4aiVs0+eQ/wJK0VthugxDtV35l8FdWfgBvgiuDNOBycrll6jtG nzlV+YrRSAUfGtcx5pZrl0Z9I6UT5Gxn8xQFbLD3cGxuQen//2H8Um+EOpInx7SNifiE pnRSukHGt2LLvt7N64CPZF9Y9D9TBMCGa6Z4oCZbPOkGWLNdtDnglAYTKtlOZ63n7gGi 52CPcgFICrNG4JgtDkLNa+KqqDrZPKzhflzlksjtEB70FqkcB1EwfIEPDwEs6dVi1Yv/ DnFw==
X-Gm-Message-State: ANoB5pmYSgmvLRSoDERctVygO9uu7cR1Z1gNLZmOFBI9S8SywrXaKoXl eq9M6k6nMYx3E5UMgWpmwOdDnAZD3KTVo6Kyi/OXRUJMetHOn1WsgoycPqv+1L9Iz53bQdvfT6r XxL4n
X-Received: by 2002:a17:906:2c10:b0:7ad:d051:538f with SMTP id e16-20020a1709062c1000b007add051538fmr32491492ejh.401.1669381491392; Fri, 25 Nov 2022 05:04:51 -0800 (PST)
X-Google-Smtp-Source: AA0mqf40NCJmgfBKoAuTujOkn46QOXGD6zSYoXqjx7Bxb/+eZZqAYrhJtAk9n1YniLnz8w3F9dio3Q==
X-Received: by 2002:a17:906:2c10:b0:7ad:d051:538f with SMTP id e16-20020a1709062c1000b007add051538fmr32491451ejh.401.1669381490795; Fri, 25 Nov 2022 05:04:50 -0800 (PST)
Received: from localhost (ip-94-112-137-58.bb.vodafone.cz. [94.112.137.58]) by smtp.gmail.com with ESMTPSA id ey3-20020a0564022a0300b00461816beef9sm1724758edb.14.2022.11.25.05.04.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Nov 2022 05:04:50 -0800 (PST)
From: Hubert Kario <hkario@redhat.com>
To: François Garillot <francois@garillot.net>
Cc: Mike Hamburg <mike@shiftleft.org>, cfrg@ietf.org
Date: Fri, 25 Nov 2022 14:04:49 +0100
MIME-Version: 1.0
Message-ID: <764b3aa8-faa3-4332-bf70-136f8433b858@redhat.com>
In-Reply-To: <CAPpfmGAPwriFCJ5qHK=jZBNdVEZE5twXTgc=3toHA31EjBVppw@mail.gmail.com>
References: <23111ace-bdb3-2168-5379-74048b77d063@emailplus.org> <54CF8B57-D0DC-4877-8B12-E9A94AB5C9A5@shiftleft.org> <CAPpfmGCvpzGSB_87=R3hD-Ei_Pmidke3PgypNeDbh0VwSsYuMw@mail.gmail.com> <3AA65304-1780-41E7-8595-8664EFDC4D20@shiftleft.org> <CAPpfmGAPwriFCJ5qHK=jZBNdVEZE5twXTgc=3toHA31EjBVppw@mail.gmail.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.6; xcb; Linux; Fedora release 36 (Thirty Six)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/SsSE2nytI68qNfxnUNdtP8UWh5Y>
Subject: Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2022 13:05:00 -0000
On Thursday, 24 November 2022 17:58:19 CET, François Garillot wrote: > Hi Mike, > >> Perhaps we should then change the RFC to indicate that >> implementations SHOULD use the weaker, cofactored verification >> equation? > > If Ed25519 was a greenfield or niche project, that would > perhaps be ideal. Other changes (e.g. strongly-binding > signatures), detailed in the paper as well as in other > publications ([1]) may also deserve consideration. In fact, some > library maintainers working in a consensus context have already > adopted some of these changes (see [2] for some detailed > rationale). > > Yet considering there is a plethora of load-bearing libraries > that use cofactorless verification exclusively in a wide range > of contexts today, their maintainers might favour compatibility > with historical verification decisions. A good middle ground > then seems to be mandating the documentation of their > implementation's behaviour on -at least- the cofactored / > cofactorless edge case, which is where the test vectors may > help. > > [1]: https://eprint.iacr.org/2020/823 > [2]: https://hdevalence.ca/blog/2020-10-04-its-25519am And the RFC can also allow for the behaviour to change with a configuration option... > -- > FG > > > On Thu, Nov 24, 2022 at 11:06 AM Mike Hamburg <mike@shiftleft.org> wrote: > Hi François, > > That makes sense: it’s entirely reasonable to include these > test vectors with a note that they aren’t technically required > by the RFC. > > Perhaps we should then change the RFC to indicate that > implementations SHOULD use the weaker, cofactored verification > equation? > > Cheers, > — Mike > > On Nov 24, 2022, at 3:16 PM, François Garillot > <francois@garillot.net> wrote: > > Hi Mike, > > I would caution against excluding the test vectors for > cofactored/cofactorless verification: Table 3 of the paper > explains that, unless a library uses a cofactored verification > equation, batch verification and iterated single-signature > verification will not agree on all signature sets. Such a > disagreement is consequential in some contexts: for instance, it > could make a library using a cofactorless verification equation > delicate to use in a BFT consensus protocol. Those test vectors > seem important to include, so as to encourage libraries to > document this implementation choice. > > Table 5 of the paper documents the FIPS186-5 recommendations, > to the best of the authors' knowledge. > -- Regards, Hubert Kario Principal Quality Engineer, RHEL Crypto team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [CFRG] RFC 8032 Erratum: EdDSA test vectors Benson Muite
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors Mike Hamburg
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors François Garillot
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors Mike Hamburg
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors François Garillot
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors Hubert Kario
- Re: [CFRG] RFC 8032 Erratum: EdDSA test vectors Benson Muite