[Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d
Björn Edström <be@bjrn.se> Wed, 09 December 2015 01:40 UTC
Return-Path: <bjorn.edstrom@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE2D1A6F0B for <cfrg@ietfa.amsl.com>; Tue, 8 Dec 2015 17:40:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.921
X-Spam-Level:
X-Spam-Status: No, score=0.921 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PFRD5XFoJIJM for <cfrg@ietfa.amsl.com>; Tue, 8 Dec 2015 17:40:13 -0800 (PST)
Received: from mail-pf0-x231.google.com (mail-pf0-x231.google.com [IPv6:2607:f8b0:400e:c00::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 428DD1A6F38 for <cfrg@ietf.org>; Tue, 8 Dec 2015 17:40:13 -0800 (PST)
Received: by pfdd184 with SMTP id d184so21086141pfd.3 for <cfrg@ietf.org>; Tue, 08 Dec 2015 17:40:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=rR7Ldy7oPYGUAxMIO57+roV5mZ7/xBUnhE0E9hb0MsE=; b=l6Rukk64fGT6a6UGsQmKzdtEUMskcoiaJ99Y+1v7o3XjzpY4EjfZ4rpMS8efzQaDXr ChOnlGqv017/TOoLTYb2nELY9Qxqu4Mhr0DOtdj7dVnTecO3rKPNlTn3NVLOWbe1OBdi OhX9KY+jl0yuBUIdSAnbHH/bSj5W1FXxY01y+Fxnmr8x/G+F9mGQsISzeF3I71oc68Zi iYP5+m6W5yr7aSgCOomK7CbHYypSbFUhoctcLvEfvGMmF4ARg+31rszXXO6Z1R+vGQrR 1rtOl8BHSkoOg53QKGiDKuRioLJZyO2o4gEyjrgsLnhbsJ+IGR2WBLwg3zd5sjYZs1Fs k4lQ==
MIME-Version: 1.0
X-Received: by 10.98.86.10 with SMTP id k10mr9404447pfb.85.1449625212769; Tue, 08 Dec 2015 17:40:12 -0800 (PST)
Sender: bjorn.edstrom@gmail.com
Received: by 10.66.20.131 with HTTP; Tue, 8 Dec 2015 17:40:12 -0800 (PST)
Date: Wed, 09 Dec 2015 02:40:12 +0100
X-Google-Sender-Auth: 8n8mEZkmZhMKzk9-mtFX5Gu1wOw
Message-ID: <CAA4PzX2XEOwB6AONu1=YbO9fDGK+_XBw6a-JPjfcMhS-8xtcZw@mail.gmail.com>
From: Björn Edström <be@bjrn.se>
To: cfrg@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/XMIDtaf8_uiSiZjcFAlJUZrO6DI>
Subject: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 01:40:15 -0000
For the vote [1] I'm thinking about the twoshakes-d proposal [2] and I can't decide what to vote on it. I'd like to talk this over because it touches some larger questions. 1) Ed25519 and Ed448 are described in the same draft. We see them as being part of a "family" of constructs that share certain properties or behavior with each other. They are quite similar after all. For some definition of "related", the authors consider the constructs related enough to be grouped together in one I.D. Here's the subtle part. Do we see the relation as being in "shape and form" or do we see the relation as "solving a common signing problem at different strength levels"? If we take the former view, then in my opinion we can't practically go for twoshakes-d, since that will change the shape and form of Ed448 to differ significantly from Ed25519 (which we really shouldn't touch too much in this regard since it's already deployed widely). If we take the latter view, then we can do whatever we want with Ed448, as long as it's not very unreasonable, and if it is done in the spirit of improving the strength level (which is already quite spinal tap-grade). In this view of the world twoshakes-d is pretty fine, since domain separation has security benefits. -- 2) Do we see HashEdDSA (such as Ed448ph) as a "signing construct with IUF" in it's own right i.e. a different beast, or do we see HashEdDSA as a recommendation for what hash the user will plug in into PureEdDSA to get IUF? The draft as is *could* have been written as "To get IUF behavior with Ed448 an implementation SHOULD use <hash>" (i,e. skipping the entire definition of HashEdDSA and the *ph versions) but since the *ph versions are defined and named that implies a black box signing construct view, from the point of view of the user (in my crypto library I have 4 primitives instead of 2). If we take the view that Ed448ph is a "signing construct" black box on it's own, then the twoshakes-d proposal is fine. The black box will take care of initializing the pre-hash for the user and the internals are hidden. If we take the view that Ed448ph is just a recommendation that for IUF you should do Ed448(SHAKE(prefix||...)), which is likely what is gonna happen in practice in actual source code, then we are in murkier waters and have a slight preference against twoshakes-d for two minor reasons: a) implementation errors, i.e. missing to take the prefix into account and 2) coupling. With "coupling" I mean that the signature context (which is seen as a different thing than the hashing context) must now live slightly longer and is more spread out, depending on protocol design. Thoughts? Cheers Björn [1] Poll: hash functions for Ed448 (ends on December 22nd) [2] http://www.ietf.org/mail-archive/web/cfrg/current/msg07629.html
- [Cfrg] On the differences of Ed25519/448 and how … Björn Edström
- [Cfrg] On the differences of Ed25519/448 and how … Björn Edström
- Re: [Cfrg] On the differences of Ed25519/448 and … Bryan A Ford
- Re: [Cfrg] On the differences of Ed25519/448 and … Simon Josefsson
- Re: [Cfrg] On the differences of Ed25519/448 and … Ilari Liusvaara
- Re: [Cfrg] On the differences of Ed25519/448 and … Gilles Van Assche
- Re: [Cfrg] On the differences of Ed25519/448 and … Tony Arcieri
- Re: [Cfrg] On the differences of Ed25519/448 and … Ilari Liusvaara
- Re: [Cfrg] On the differences of Ed25519/448 and … Bryan A Ford
- Re: [Cfrg] On the differences of Ed25519/448 and … Bryan A Ford
- Re: [Cfrg] On the differences of Ed25519/448 and … Bryan Ford
- Re: [Cfrg] On the differences of Ed25519/448 and … Ilari Liusvaara
- Re: [Cfrg] On the differences of Ed25519/448 and … Tony Arcieri
- Re: [Cfrg] On the differences of Ed25519/448 and … Simon Josefsson
- Re: [Cfrg] On the differences of Ed25519/448 and … Brian Smith
- Re: [Cfrg] On the differences of Ed25519/448 and … Simon Josefsson
- Re: [Cfrg] On the differences of Ed25519/448 and … Simon Josefsson
- Re: [Cfrg] On the differences of Ed25519/448 and … Ilari Liusvaara
- Re: [Cfrg] On the differences of Ed25519/448 and … Alexey Melnikov
- Re: [Cfrg] On the differences of Ed25519/448 and … Tony Arcieri