Re: [Cfrg] Ed448 hash choice

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 21 October 2015 19:38 UTC

Date: Wed, 21 Oct 2015 22:38:45 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Quynh Dang <quynh97@gmail.com>
Message-ID: <20151021193845.GB4832@LK-Perkele-V2.elisa-laajakaista.fi>
References: <87twprupdy.fsf@latte.josefsson.org> <56272D73.7070906@shiftleft.org> <20151021132052.GB4130@LK-Perkele-V2.elisa-laajakaista.fi> <CACsn0ckiSVPd7Hbzq5Tt_NBuj8ycrSzqjU832FFUYhFsEHxeGA@mail.gmail.com> <5627B8F6.7030003@shiftleft.org> <D24D338A.20EA8%uri@ll.mit.edu> <5627C68A.1040902@shiftleft.org> <BN1PR09MB124E9B3184753AD5EF04258F3380@BN1PR09MB124.namprd09.prod.outlook.com> <20151021191250.GA4712@LK-Perkele-V2.elisa-laajakaista.fi> <CAE3-qLRR6jPPJMFRG=Ct6PS1ounh=oMBCs=6OunUW5UJXMqd_w@mail.gmail.com>
In-Reply-To: <CAE3-qLRR6jPPJMFRG=Ct6PS1ounh=oMBCs=6OunUW5UJXMqd_w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/gTzS2aMkFrbCgj5121Oq6dXjtK4>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Ed448 hash choice

On Wed, Oct 21, 2015 at 03:26:17PM -0400, Quynh Dang wrote:
> Hi Ilari,
> 
> On Wed, Oct 21, 2015 at 3:12 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> >
> > If you are talking about fixing TLS 1.3 PRF-hash to SHA-3, then I
> > regard fixing that a _very_ bad idea. TLS is very vulnerable to
> > breakage of the prf-hash. Replacing it is horrible enough, but
> > if it takes a version bump, we are utterly screwed.
> >
> 
> In TLS 1.2, the PRF depends on the cipher suite, but the default is HMAC with SHA256.
> This default could be SHA3 (no HMAC and not many rounds to generate keys).

No ciphersuite that works with TLS 1.3 has a default PRF. All the
ciphersuites have explicit PRF hashes.

The reason for this is that TLS 1.2 grandfathered the SHA-256 PRF for old
ciphersuites but required an explicit PRF for new ones. But none of these
old ciphersuites are AEAD, and thus none work with TLS 1.3.
 
> Everything is built from a Keccak permutation including a possible
> (potential) authenticated encryption function in the future and this would
> be efficient!

Well, I don't think the TLS WG would mind too much a draft specifying
ciphersuites with all symmetric parts based on Keccak (e.g. SHA3-256
PRF-hash and some Keccak sponge AEAD).

Unfortunately, it doesn't look like you can replace HKDF or even HMAC,
since those are seemingly fixed in the specs.


-Ilari
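The following is an added illustration of the two points made in this message, not code from the thread or from any TLS implementation: in TLS 1.2 the PRF hash is a per-suite parameter with SHA-256 grandfathered in as the unstated default for pre-1.2 suites (RFC 5246), whereas every TLS 1.3 suite names its hash and the whole key schedule is HKDF over HMAC (RFC 5869, RFC 8446). The TLS 1.3 suite names and `HkdfLabel` layout are taken from RFC 8446; `tls12_prf_hash` is an illustrative name-suffix heuristic rather than the registry, and the `*_HYPOTHETICAL` SHA3 suite exists only to show that a different hash drops into the HMAC slot without changing the HMAC/HKDF structure around it.

```python
"""TLS 1.2 PRF versus TLS 1.3 HKDF key schedule, parameterised by the
ciphersuite hash.  Added example, not code from the CFRG thread; the
suite-name-to-hash rule in tls12_prf_hash is an illustrative heuristic."""
import hashlib
import hmac
import struct

# TLS 1.3 suites (RFC 8446) name their hash explicitly; there is no default.
TLS13_SUITE_HASH = {
    "TLS_AES_128_GCM_SHA256": hashlib.sha256,
    "TLS_AES_256_GCM_SHA384": hashlib.sha384,
    "TLS_CHACHA20_POLY1305_SHA256": hashlib.sha256,
}


def tls12_prf_hash(suite_name):
    """Heuristic for a suite's TLS 1.2 PRF hash (RFC 5246 section 5):
    suites defined for 1.2 carry the hash in their name; older suites were
    grandfathered onto SHA-256 without saying so."""
    if suite_name.endswith("_SHA384"):
        return hashlib.sha384
    if suite_name.endswith("_SHA256"):
        return hashlib.sha256
    return hashlib.sha256  # grandfathered default, e.g. TLS_RSA_WITH_AES_128_CBC_SHA


def tls12_prf(secret, label, seed, length, hash_ctor=hashlib.sha256):
    """TLS 1.2 PRF: P_<hash>(secret, label + seed), RFC 5246 section 5.
    HMAC is the only building block, so any hashlib constructor plugs in."""
    seed = label + seed
    a = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hash_ctor).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_ctor).digest()  # HMAC(A(i) + seed)
    return out[:length]


def hkdf_extract(salt, ikm, hash_ctor):
    """HKDF-Extract (RFC 5869) = HMAC(salt, ikm); empty salt means zeros."""
    if not salt:
        salt = b"\x00" * hash_ctor().digest_size
    return hmac.new(salt, ikm, hash_ctor).digest()


def hkdf_expand(prk, info, length, hash_ctor):
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) | info | i)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hash_ctor).digest()
        out += t
        i += 1
    return out[:length]


def hkdf_label(length, label, context):
    """HkdfLabel from RFC 8446 section 7.1: uint16 length,
    opaque label<7..255> = "tls13 " + label, opaque context<0..255>."""
    full_label = b"tls13 " + label
    return (struct.pack("!H", length)
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret, label, context, length, hash_ctor):
    return hkdf_expand(secret, hkdf_label(length, label, context), length, hash_ctor)


def derive_secret(secret, label, messages, hash_ctor):
    """Derive-Secret(Secret, Label, Messages) using Transcript-Hash(Messages)."""
    transcript_hash = hash_ctor(messages).digest()
    return hkdf_expand_label(secret, label, transcript_hash,
                             hash_ctor().digest_size, hash_ctor)


def tls13_early_secrets(suite_name, psk=b""):
    """First two steps of the RFC 8446 key schedule for the named suite.
    Returns (Early Secret, Derive-Secret(Early Secret, "derived", ""))."""
    h = TLS13_SUITE_HASH[suite_name]        # KeyError: there is no default to fall back to
    ikm = psk or b"\x00" * h().digest_size  # no PSK -> Hash.length zero bytes
    early_secret = hkdf_extract(b"", ikm, h)
    return early_secret, derive_secret(early_secret, b"derived", b"", h)


def hash_name(suite_name):
    return TLS13_SUITE_HASH[suite_name]().name


if __name__ == "__main__":
    # Hypothetical suite: SHA3-256 drops into the HMAC slot mechanically,
    # but the schedule is still HMAC/HKDF, not a sponge-native KDF.
    TLS13_SUITE_HASH["TLS_AES_128_GCM_SHA3_256_HYPOTHETICAL"] = hashlib.sha3_256
    for suite in TLS13_SUITE_HASH:
        es, _ = tls13_early_secrets(suite)
        print(f"{suite:44} {hash_name(suite):8} early_secret[:8]={es[:8].hex()}")
    print("TLS_RSA_WITH_AES_128_CBC_SHA PRF hash:",
          tls12_prf_hash("TLS_RSA_WITH_AES_128_CBC_SHA")().name)
```

Running the script prints one early secret per suite; the point to notice is that `tls13_early_secrets` has nowhere to fall back to when a suite is missing from the table, whereas `tls12_prf_hash` silently returns SHA-256 for a name with no hash suffix, which is exactly the grandfathering that TLS 1.2 allowed and TLS 1.3 removed.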