IETF Logo Mail Archive

Re: [Cfrg] Ed448 hash choice

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 21 October 2015 18:28 UTC

Return-Path: <prvs=7736a16afd=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E91931A89AA for <cfrg@ietfa.amsl.com>; Wed, 21 Oct 2015 11:28:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.207
X-Spam-Level:
X-Spam-Status: No, score=-4.207 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Woblnr4lfsDT for <cfrg@ietfa.amsl.com>; Wed, 21 Oct 2015 11:28:38 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by ietfa.amsl.com (Postfix) with ESMTP id 72FD21A89AB for <cfrg@ietf.org>; Wed, 21 Oct 2015 11:28:38 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id t9LISVK8011927; Wed, 21 Oct 2015 14:28:35 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "Dang, Quynh" <quynh.dang@nist.gov>, Mike Hamburg <mike@shiftleft.org>, Watson Ladd <watsonbladd@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, "cfrg@ietf.org" <cfrg@ietf.org>, Simon Josefsson <simon@josefsson.org>
Thread-Topic: [Cfrg] Ed448 hash choice
Thread-Index: AQHRB/Yh3He57ANcW0S/weiC4ud0gp51wtWAgAB26gCAAAiYgIAAJs0A///AgoCAAE+uAIAAEqoA///An4A=
Date: Wed, 21 Oct 2015 18:28:34 +0000
Message-ID: <D24D517A.20EE8%uri@ll.mit.edu>
References: <87twprupdy.fsf@latte.josefsson.org> <56272D73.7070906@shiftleft.org> <20151021132052.GB4130@LK-Perkele-V2.elisa-laajakaista.fi> <CACsn0ckiSVPd7Hbzq5Tt_NBuj8ycrSzqjU832FFUYhFsEHxeGA@mail.gmail.com> <5627B8F6.7030003@shiftleft.org> <D24D338A.20EA8%uri@ll.mit.edu> <5627C68A.1040902@shiftleft.org> <BN1PR09MB124E9B3184753AD5EF04258F3380@BN1PR09MB124.namprd09.prod.outlook.com>
In-Reply-To: <BN1PR09MB124E9B3184753AD5EF04258F3380@BN1PR09MB124.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.5.150821
x-originating-ip: [172.25.177.187]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3528282503_156156036"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-10-21_13:2015-10-21,2015-10-21,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1508030000 definitions=main-1510210305
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lsmBymxxnFjt3-79Zz2f4zReVqA>
Subject: Re: [Cfrg] Ed448 hash choice
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2015 18:28:42 -0000

> It is hard for me to understand why TLS 1.3 is not using SHA3 right now. The
> protocol is completely new,  implementing a new simple elegant SHA3 function
> would be a very small expense.
> 
> 
> 
> A SHA3 function at 256 bit of security level would be security efficient for
> all purposes and cipher suites. It can be used to build a much more efficient
> and elegant key derivation method than what is currently specified.
> 
> 
> 
> Later, one could have an authenticated encryption based on Keccak. That would
> make the protocol very elegant. As Gilles from the Keccak team pointed out
> Keccak is very green which is a huge benefit.


+1



> On 10/21/2015 09:23 AM, Blumenthal, Uri - 0553 - MITLL wrote:
>>> Is the point of this exercise to find a generic solution so that we can add
>>> support for new curves without another quagmire of polling?  If that's the
>>> problem, then it seems we have to either:
>>> 
>>> 1) Use SHA-512/n for everything including Ed25519 and Ed448, as DJB
>>> specified.
>> 
>> It seems that the consensus has been to not use SHA-512/n, or any other
>> construct that would “contort” SHA-2.
>> 
>>> 2) Use SHAKE256 for everything including Ed25519 and Ed448, which will annoy
>>> existing users.
>> 
>> I’d be happy with this decision, BTW.
>> 
>>> 3) Give up and say it's per curve or per deployment or whatever, in which
>>> case we can use SHA512 for Ed448.
>> 
>> Or 4) Keep using whatever we use now for Ed25519, and use SHAKE256 for Ed448.
>> 
>>> Right?
>> 
>> Almost. :-)
> I'm happy with SHAKE256 and 912 bits.  I don't see it as an especially better
> or worse option than SHA-512.  Is the idea that SHAKE-256 will be the default
> choice for any future curves as well, unless there is further discussion about
> them?
> 
> Two other issues while we're on this topic:
> 1) I don't especially like mandating the prehash, because for TLS we will want
> to sign hashes of the running session state, which are already going to be
> SHA256.  If the prehash is something else, users will need an extra running
> hash context during the handshake.  (Not to mention that by mandating any hash
> that's not SHA256, we're forcing IoT devices to implement multiple hashes
> which isn't free.)
> 
> 2) Are we really going to give up on having a single key compatible with EdDSA
> and EdDSAph?  That seems like an unnecessary proliferation.  I would have
> liked keys which can be used for DH and signing, but not allowing both signing
> algorithms is frustrating.
> 
> Cheers,
> -- Mike

v2.23.0 | Report a Bug | By Email