IETF Logo Mail Archive

Re: [Cfrg] Finishing Ed448 definition

Bryan Ford <brynosaurus@gmail.com> Thu, 26 November 2015 09:32 UTC

Return-Path: <brynosaurus@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A368F1B3807 for <cfrg@ietfa.amsl.com>; Thu, 26 Nov 2015 01:32:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rYyWlDTO0xbY for <cfrg@ietfa.amsl.com>; Thu, 26 Nov 2015 01:32:47 -0800 (PST)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D505B1B3803 for <cfrg@irtf.org>; Thu, 26 Nov 2015 01:32:46 -0800 (PST)
Received: by wmuu63 with SMTP id u63so13574335wmu.0 for <cfrg@irtf.org>; Thu, 26 Nov 2015 01:32:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=2iFRmaQIifH6f+AnnrulFVLjjsjxGwLRgu0FpeewvEg=; b=Krtb2tHFxCAOtLyyPHbcRvlTnhU/Z+iuWsLusdB4ILIvPr6WROqkeiKJuDzfKKQJY4 UV77etdwSmYs/YZdOy0Lm1yrbhsf2wtCxzUM1ZBJXJ8CB6FvoO/49XxWzS1LOBTpevfn dEqdaLT70jLbwZV8ArzqfDK7Uy9FuLItZ5TxsvH4zeVWKlbCVyArM3Z4BkukqMYkZz19 we8jYHUML+iI5k9fFtqIfNOaVumZpsTBITJbI0kR0tGtVrzpx10MY1eLO6hPKOZUUL1P ++/CdcWUduyI7R4VJuNwoJx5h6zvIEJQY3vOOi2HcBrHOdzNhTf2pWBIV5XF7utK/E3h lsDA==
X-Received: by 10.28.30.206 with SMTP id e197mr2352392wme.97.1448530365495; Thu, 26 Nov 2015 01:32:45 -0800 (PST)
Received: from [10.223.209.163] (83.228.197.178.dynamic.wless.zhbmb00p-cgnat.res.cust.swisscom.ch. [178.197.228.83]) by smtp.gmail.com with ESMTPSA id z10sm1804975wmg.4.2015.11.26.01.32.41 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 26 Nov 2015 01:32:43 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Bryan Ford <brynosaurus@gmail.com>
X-Mailer: iPhone Mail (13B143)
In-Reply-To: <87io4pxhkn.fsf@latte.josefsson.org>
Date: Thu, 26 Nov 2015 10:32:38 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <32FEDB05-C70E-47EE-A6C3-7FFA982F9BF6@gmail.com>
References: <56508C20.7090009@isode.com> <565109E4.7000904@gmail.com> <5655E8F3.8050404@st.com> <87io4pxhkn.fsf@latte.josefsson.org>
To: Simon Josefsson <simon@josefsson.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/TV46lc92tJOEvFcjK45M8hdw1p4>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Finishing Ed448 definition
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 09:32:48 -0000

> On Nov 26, 2015, at 9:58 AM, Simon Josefsson <simon@josefsson.org> wrote:
> 
> Gilles Van Assche <gilles.vanassche@st.com> writes:
> 
>> Hi Bryan,
>> 
>> I have a preference for your second proposal "twoshakes-d", for its
>> domain separation between PureEdDSA and HashEdDSA. This would have the
>> practical advantage of allowing a single key to be used for both options
>> (if certified as such), without input clashes at the internal hash level.
> 
> That would be nice -- but having Ed25519 and Ed448 differ this
> significantly would appear like a strange design choice to me.

This occurred to me to and I agree that it would be nice for the two to be (more) consistent.  I think a domain separation scheme like the one I proposed would be trivial to "back-port" to Ed25519 to make them consistent if we feel that's valuable; I didn't want to suggest this in my proposal for Ed448 though since the call was formally only for Ed448 hash proposals and I didn't want to violate the scope of the call. :)

I suggest we treat the possibility of "back-porting" domain separation to Ed25519 as a separate discussion issue that's (mostly) orthogonal to what to do for Ed448 - but with that in mind, here are three possible back-porting approaches I considered:

1. Direct back-port: just change the Ed25519-based spec to add the same 'dom' prefixes to the hash inputs in exactly the same way as for Ed448, with the 'SigEd448' changed appropriately to (eg) 'SigEd255' or 'SigEd25519'.  Advantage: domain separation features completely consistent across the two curves. Disadvantage: breaks binary signature compatibility with existing "classic" Ed25519 signatures. 

2. Back-port with silent compatibility exception: define the Ed25519 sig scheme to do domain separation in the same way as Ed448, *except* in the one special case of PureEd25529 with an empty context string, in which case the dom prefix becomes empty (no domain separation) for backward compatibility with classic Ed25519. Advantage: mostly consistent across curves, and backward compatible. Disadvantage: hokey special case, and the slight security risk that a use of PureEd25519 with empty context string being confused with a domain-separated use of Ed25519. 

3. Back-port directly as in #1, so both PureEd* and HashEd* are always domain separsted and incompatible with classic Ed25519, but define an additional eg 'BareEd25519' scheme variant just for backward compatibility with non-domain-separsted classic Ed25519. Encourage all new applications/protocols to use PureEd* or BareEd* while defining BareEd25519 as being available for legacy compatibility. 

I guess my (slight) preference would be for #3 followed by #1. I'm sure other variants are possible. 

Cheers
B

> So for me, at this point, I would prefer twoshake-s, or both my other
> proposals (SHAKE256+SHA3-512 and SHA2-512/912+SHA2-512), over
> twoshakes-d.
> 
> /Simon

v2.23.0 | Report a Bug | By Email