IETF Logo Mail Archive

[Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d

Björn Edström <be@bjrn.se> Wed, 09 December 2015 01:40 UTC

Return-Path: <bjorn.edstrom@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE2D1A6F0B for <cfrg@ietfa.amsl.com>; Tue, 8 Dec 2015 17:40:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.921
X-Spam-Level:
X-Spam-Status: No, score=0.921 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PFRD5XFoJIJM for <cfrg@ietfa.amsl.com>; Tue, 8 Dec 2015 17:40:13 -0800 (PST)
Received: from mail-pf0-x231.google.com (mail-pf0-x231.google.com [IPv6:2607:f8b0:400e:c00::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 428DD1A6F38 for <cfrg@ietf.org>; Tue, 8 Dec 2015 17:40:13 -0800 (PST)
Received: by pfdd184 with SMTP id d184so21086141pfd.3 for <cfrg@ietf.org>; Tue, 08 Dec 2015 17:40:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=rR7Ldy7oPYGUAxMIO57+roV5mZ7/xBUnhE0E9hb0MsE=; b=l6Rukk64fGT6a6UGsQmKzdtEUMskcoiaJ99Y+1v7o3XjzpY4EjfZ4rpMS8efzQaDXr ChOnlGqv017/TOoLTYb2nELY9Qxqu4Mhr0DOtdj7dVnTecO3rKPNlTn3NVLOWbe1OBdi OhX9KY+jl0yuBUIdSAnbHH/bSj5W1FXxY01y+Fxnmr8x/G+F9mGQsISzeF3I71oc68Zi iYP5+m6W5yr7aSgCOomK7CbHYypSbFUhoctcLvEfvGMmF4ARg+31rszXXO6Z1R+vGQrR 1rtOl8BHSkoOg53QKGiDKuRioLJZyO2o4gEyjrgsLnhbsJ+IGR2WBLwg3zd5sjYZs1Fs k4lQ==
MIME-Version: 1.0
X-Received: by 10.98.86.10 with SMTP id k10mr9404447pfb.85.1449625212769; Tue, 08 Dec 2015 17:40:12 -0800 (PST)
Sender: bjorn.edstrom@gmail.com
Received: by 10.66.20.131 with HTTP; Tue, 8 Dec 2015 17:40:12 -0800 (PST)
Date: Wed, 09 Dec 2015 02:40:12 +0100
X-Google-Sender-Auth: 8n8mEZkmZhMKzk9-mtFX5Gu1wOw
Message-ID: <CAA4PzX2XEOwB6AONu1=YbO9fDGK+_XBw6a-JPjfcMhS-8xtcZw@mail.gmail.com>
From: Björn Edström <be@bjrn.se>
To: cfrg@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/XMIDtaf8_uiSiZjcFAlJUZrO6DI>
Subject: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 01:40:15 -0000

For the vote [1] I'm thinking about the twoshakes-d proposal [2] and I
can't decide what to vote on it. I'd like to talk this over because it
touches some larger questions.

1) Ed25519 and Ed448 are described in the same draft. We see them as
being part of a "family" of constructs that share certain properties
or behavior with each other. They are quite similar after all. For
some definition of "related", the authors consider the constructs
related enough to be grouped together in one I.D.

Here's the subtle part. Do we see the relation as being in "shape and
form" or do we see the relation as "solving a common signing problem
at different strength levels"?

If we take the former view, then in my opinion we can't practically go
for twoshakes-d, since that will change the shape and form of Ed448 to
differ significantly from Ed25519 (which we really shouldn't touch too
much in this regard since it's already deployed widely).

If we take the latter view, then we can do whatever we want with
Ed448, as long as it's not very unreasonable, and if it is done in the
spirit of improving the strength level (which is already quite spinal
tap-grade). In this view of the world twoshakes-d is pretty fine,
since domain separation has security benefits.

--

2) Do we see HashEdDSA (such as Ed448ph) as a "signing construct with
IUF" in it's own right i.e. a different beast, or do we see HashEdDSA
as a recommendation for what hash the user will plug in into PureEdDSA
to get IUF?

The draft as is *could* have been written as "To get IUF behavior with
Ed448 an implementation SHOULD use <hash>" (i,e. skipping the entire
definition of HashEdDSA and the *ph versions) but since the *ph
versions are defined and named that implies a black box signing
construct view, from the point of view of the user (in my crypto
library I have 4 primitives instead of 2).

If we take the view that Ed448ph is a "signing construct" black box on
it's own, then the twoshakes-d proposal is fine. The black box will
take care of initializing the pre-hash for the user and the internals
are hidden.

If we take the view that Ed448ph is just a recommendation that for IUF
you should do Ed448(SHAKE(prefix||...)), which is likely what is gonna
happen in practice in actual source code, then we are in murkier
waters and have a slight preference against twoshakes-d for two minor
reasons: a) implementation errors, i.e. missing to take the prefix
into account and 2) coupling. With "coupling" I mean that the
signature context (which is seen as a different thing than the hashing
context) must now live slightly longer and is more spread out,
depending on protocol design.

Thoughts?

Cheers
Björn

[1] Poll: hash functions for Ed448 (ends on December 22nd)
[2] http://www.ietf.org/mail-archive/web/cfrg/current/msg07629.html

v2.23.0 | Report a Bug | By Email