Re: [Cfrg] key as message prefix => multi-key security

Simon Josefsson <simon@josefsson.org> Thu, 26 November 2015 08:54 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Eike Kiltz <eike.kiltz@rub.de>
References: <20150930225622.21805.qmail@cr.yp.to> <20151120074529.15234.qmail@cr.yp.to> <CAKt=43p6X+Byb_a-pin-OVS8RXi82AFpzML80KzeYWKve0aG6A@mail.gmail.com>
Date: Thu, 26 Nov 2015 09:54:35 +0100
In-Reply-To: <CAKt=43p6X+Byb_a-pin-OVS8RXi82AFpzML80KzeYWKve0aG6A@mail.gmail.com> (Eike Kiltz's message of "Sat, 21 Nov 2015 16:33:03 +0100")
Message-ID: <87mvu1xhro.fsf@latte.josefsson.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/XcdHwN-vUoHywebaB0qS7Q4dMIs>
Cc: cfrg@ietf.org
Subject: Re: [Cfrg] key as message prefix => multi-key security

Eike Kiltz <eike.kiltz@rub.de> writes:

> Our results show that key-prefixing does not provide any advantage
> for multi-user security so we recommend to reconsider this decision.

Wouldn't that make the new proposal incompatible with Ed25519?

While this question is theoretically interesting, my opinion is that we
are past the point where making changes to EdDSA (beyond the already
agreed on pre-hash mode and Curve448 addition) will be useful for what
we are doing here.

Had the situation been the reverse -- i.e., if EdDSA did NOT perform
key-prefixing and that were shown to NOT lead to multi-key security --
that would be a security weakness and it would be useful to fix that.

As far as I understand the situation now, your point is that one
component of EdDSA has been shown to not be strictly necessary.  Is that
accurate?  If so, I don't believe that is a strong enough motivation to
damage compatibility with already deployed Ed25519.

/Simon
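To make the compatibility point in the message concrete, here is an added example that is not part of the thread or of any EdDSA implementation discussed in it. It is a small pure-Python Ed25519 following the equations of RFC 8032 and the original reference code, with one addition of my own: a `key_prefixed` switch that selects between the deployed challenge hash H(R || A || M) and a hypothetical un-prefixed H(R || M). The secret key is the RFC 8032 test vector 1, used only so the derived public key can be checked; everything else is constructed for the demonstration. Signatures produced under one challenge definition do not verify under the other, which is the deployment break Simon refers to.

```python
"""Ed25519 with and without key-prefixing (added example, not production code)."""
import hashlib

# Curve parameters (RFC 8032 section 5.1).
q = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, q - 2, q)) % q
I = pow(2, (q - 1) // 4, q)          # sqrt(-1) mod q, used in xrecover


def inv(x):
    return pow(x, q - 2, q)


def xrecover(y):
    """Recover the even x coordinate for a given y on the curve."""
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    if x % 2 != 0:
        x = q - x
    return x


By = (4 * inv(5)) % q
B = (xrecover(By), By)               # base point


def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q,
            (y1 * y2 + x1 * x2) * inv(1 - t) % q)


def scalar_mult(P, e):
    R = (0, 1)                        # neutral element
    while e > 0:
        if e & 1:
            R = edwards_add(R, P)
        P = edwards_add(P, P)
        e >>= 1
    return R


def encode_point(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decode_point(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = xrecover(y)
    if x & 1 != (n >> 255):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)


def H(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")


def secret_expand(sk):
    """Clamped scalar a and the nonce prefix, both from SHA-512(sk)."""
    h = hashlib.sha512(sk).digest()
    a = int.from_bytes(h[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]


def public_key(sk):
    a, _ = secret_expand(sk)
    return encode_point(scalar_mult(B, a))


def challenge(R, pk, msg, key_prefixed):
    # Deployed Ed25519 hashes the public key A into the challenge (key-prefixing).
    # key_prefixed=False is a hypothetical variant for comparison only.
    return (H(R, pk, msg) if key_prefixed else H(R, msg)) % l


def sign(sk, msg, key_prefixed=True):
    a, prefix = secret_expand(sk)
    pk = public_key(sk)
    r = H(prefix, msg) % l
    R = encode_point(scalar_mult(B, r))
    S = (r + challenge(R, pk, msg, key_prefixed) * a) % l
    return R + S.to_bytes(32, "little")


def verify(pk, msg, sig, key_prefixed=True):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = decode_point(sig[:32]), decode_point(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= l:
        return False
    k = challenge(sig[:32], pk, msg, key_prefixed)
    return scalar_mult(B, S) == edwards_add(R, scalar_mult(A, k))


def demo():
    """Cross-check the two challenge definitions on one constructed message."""
    sk = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pk, msg = public_key(sk), b"constructed message for the demo"
    sig_prefixed = sign(sk, msg)
    sig_plain = sign(sk, msg, key_prefixed=False)
    return (verify(pk, msg, sig_prefixed),                      # True
            verify(pk, msg, sig_prefixed, key_prefixed=False),  # False
            verify(pk, msg, sig_plain, key_prefixed=False),     # True
            verify(pk, msg, sig_plain))                         # False


if __name__ == "__main__":
    print(demo())
```

The arithmetic is plain Python integers with no constant-time guarantees; it exists to show the equations, not to be deployed. The point of `demo()` is that a verifier and a signer must agree on exactly which bytes go into the challenge hash: once Ed25519 signatures that include A are in the field, a verifier that drops A rejects all of them, and vice versa.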