IETF Logo Mail Archive

Re: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 09 December 2015 13:00 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE0A1A90B1 for <cfrg@ietfa.amsl.com>; Wed, 9 Dec 2015 05:00:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BQcYmYZqqe-z for <cfrg@ietfa.amsl.com>; Wed, 9 Dec 2015 05:00:12 -0800 (PST)
Received: from filtteri2.pp.htv.fi (filtteri2.pp.htv.fi [213.243.153.185]) by ietfa.amsl.com (Postfix) with ESMTP id 6B8A81A90BB for <cfrg@irtf.org>; Wed, 9 Dec 2015 04:59:48 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by filtteri2.pp.htv.fi (Postfix) with ESMTP id 08B2C19BF49; Wed, 9 Dec 2015 14:59:47 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp4.welho.com ([213.243.153.38]) by localhost (filtteri2.pp.htv.fi [213.243.153.185]) (amavisd-new, port 10024) with ESMTP id n86XbDJYby-9; Wed, 9 Dec 2015 14:59:46 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp4.welho.com (Postfix) with ESMTPSA id BE50D5BC005; Wed, 9 Dec 2015 14:59:46 +0200 (EET)
Date: Wed, 09 Dec 2015 14:59:44 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Simon Josefsson <simon@josefsson.org>
Message-ID: <20151209125944.GA26766@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAA4PzX18bcS_awPg-YDAoo90537Ot=s_nf7k_Vt75OVSdvtDrQ@mail.gmail.com> <87fuzcng51.fsf@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87fuzcng51.fsf@latte.josefsson.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Z_O4a9QePNAaNcMPrkoCN6e3V6I>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 13:00:16 -0000

On Wed, Dec 09, 2015 at 10:08:26AM +0100, Simon Josefsson wrote:
> Björn Edström <be@bjrn.se> writes:
> 
> > Hi cfrg,
> >
> > For the vote [1] I'm thinking about the twoshakes-d proposal [2] and I
> > can't decide what to vote on it. I'd like to talk this over because it
> > touches some larger questions.
> >
> > 1) Ed25519 and Ed448 are described in the same draft. We see them as
> > being part of a "family" of constructs that share certain properties
> > or behavior with each other. They are quite similar after all. For
> > some definition of "related", the authors consider the constructs
> > related enough to be grouped together in one I.D.
> 
> If we select twoshakes-d, I believe we should consider separating
> Ed25519(ph) and Ed448 into two documents.  While sharing some elements,
> they have become different beasts.  Ed25519(ph) is domain separated by
> naming, Ed448 will be domain separated by parameters.  The separate
> algorithm Ed448ph no longer makes any sense; whether to prehash or not
> becomes a parameter to the process instead.

Yeah, algorithm that prehashes internally is quite different from one
that takes the prehash as parameter.

> If the twoshakes-d domain separation is a good domain separation
> algorithm or not is something I don't feel qualified to judge, but I
> don't feel comfortable with it as it is novel.  The algorithms will
> behave different and have different security considerations.

I also don't feel comfortable with it. I think there are two main issues
with it, one is easy to fix and the other is hard to fix:

- The easy-to-fix one: I think instead of simple prehashed/not flag,
  one should have indication of prehash algorithm. Different protocols
  have different preferences there, and also the likelyhood of the
  prehash breaking seems immensely greater than the main hash.

  There is precendent for this kind of operation: PKCS#1 v1.5 RSA
  signatures try to perform hash separation (but fail at it, for
  reasons unrelated to the interface).

  This also comes up in practice: E.g. Adding PureEdDSA to TLS is
  very simple conceptually: Have curve for each scheme (there are
  64,000+ curve IDs free, so not running out) and use the reserved-
  for-future none hash. Then HashEdDSA is completely different matter,
  with interactions being much murkier (due to fixed prehash, which
  might not even have existing choice).

- The hard-to-fix one: Contexts. While cute idea and very useful for
  blocking cross-protocol attacks that are so darn hard to block any
  other way, the interface parts are concerning.

  It is not just plumbing the context into the API of the library
  handling signatures. It is also plumbing the context into interface
  of all sorts of frameworks different protocols use (that don't
  support contexts of their own), and there are quite many of these.

  Also, for any protocol to take the option of using contexts, the
  contexts must be reliably available (especially with hacks like
  how contexts were added to Ed25519-like scheme).



-Ilari

v2.23.0 | Report a Bug | By Email