Re: [Cfrg] Finishing Ed448 definition
Bryan A Ford <brynosaurus@gmail.com> Sun, 22 November 2015 00:18 UTC
Return-Path: <brynosaurus@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF9521B2F1C for <cfrg@ietfa.amsl.com>; Sat, 21 Nov 2015 16:18:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QLBfoanD4UU7 for <cfrg@ietfa.amsl.com>; Sat, 21 Nov 2015 16:18:50 -0800 (PST)
Received: from mail-vk0-x22b.google.com (mail-vk0-x22b.google.com [IPv6:2607:f8b0:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 223191B2D91 for <cfrg@irtf.org>; Sat, 21 Nov 2015 16:18:50 -0800 (PST)
Received: by vkay187 with SMTP id y187so18488489vka.3 for <cfrg@irtf.org>; Sat, 21 Nov 2015 16:18:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type; bh=JevHcFxMgkZx4VzNM/YTOyNs1B0Legz1yLDsETl1IrI=; b=JDtHvkj3GI4BNd+epoxDYu/8G+npO+fOjQQ/X5BsDw5mHAQHHEEVHrePO6DiEHstOH 0g3Bvmv671aC359fW1pJUrhRdqFZUwdFjUpmVF4WFAB9nQhb8//lI+yOFvvdMqZ5jJkM LD5upYK1detV45cNraMkAXzPO29LHuYWAefHx7slSYUH/amw6n+j81jXSTE6R0tkA3v9 +rQIkXBr7HtbbSz5xXr4fmM7mc3d64StL8r99SU5Fvc7rUjxYR/qWvpeyGjdJcPxVGMo j/lfR+rqqclHprUZ4v1Ibt7Fw2ompH8pz1am9K0GNeLzlounMhMOG93Jlldutm9sHxR7 65Hg==
X-Received: by 10.31.50.13 with SMTP id y13mr8886953vky.128.1448151529224; Sat, 21 Nov 2015 16:18:49 -0800 (PST)
Received: from proz.local ([107.1.187.90]) by smtp.gmail.com with ESMTPSA id g133sm5148494vke.25.2015.11.21.16.18.46 for <cfrg@irtf.org> (version=TLSv1/SSLv3 cipher=OTHER); Sat, 21 Nov 2015 16:18:46 -0800 (PST)
To: cfrg@irtf.org
References: <56508C20.7090009@isode.com>
From: Bryan A Ford <brynosaurus@gmail.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <565109E4.7000904@gmail.com>
Date: Sat, 21 Nov 2015 16:18:44 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <56508C20.7090009@isode.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040204090209060308020106"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/nQ9eiOcUoPRBBoPc9-mG90B2B48>
Subject: Re: [Cfrg] Finishing Ed448 definition
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Nov 2015 00:18:53 -0000
Here are two closely-related proposals for the pre-hashing and internal hashing scheme. For discussion purposes let's call them "twoshakes-s" and "twoshakes-d". Both are defined in clearly-demarked sections below. --- #1: twoshakes-s ("s" is for "simple"): This scheme uses the SHAKE256 extensible-output functions (XOFs) to implement both the internal hash and prehash. The internal hash uses the first 912 bits (114 octets) of the output produced by SHAKE256, whereas the prehash uses the first 512 bits (64 octets) of SHAKE256-produced output. In PureEdDSA, the prehash PH(M) is the identity function, PH(M)=M. In HashEdDSA, the prehash PH(M) is computed as SHAKE256(M, 512), where M is the message to be hashed and the second parameter determines the number of bits of output the SHAKE256 XOR produces. Note that this notation is consistent with the two-parameter definition of SHAKE256 in section 6.3 of FIPS 202. The internal hash H(M) is similarly computed as SHAKE256(M, 912), yielding a 912-bit output. (Note that the M here merely names the internal hash's input parameter, not the message ultimately input to the EdDSA scheme. In its usage by EdDSA this M will be substituted with 'Prefix || M' or 'R || A || M' in the signing process.) Design justification: The overall justification for using SHAKE256 for both internal hash and prehash, as discussed already on this list, is: (a) implementations need only a single symmetric crypto primitive (Keccak) for both; and (b) SHAKE256 operates the underlying Keccak sponge function with a rate and capacity designed to be appropriate for a 256-bit security level, and not at an overly-conservative rate as she SHA3-* hashes do. This latter performance consideration is important mainly for the prehash, since the prehash can be used to operate on long messages making its hashing throughput potentially significant (and not necessarily always dominated by the cost of the public-key operations). This scheme has the advantage of simplicity and consistency with how the Ed25519 signature scheme works, only dropping in SHAKE256 with appropriate output-size parameters in place of SHA-512. I do not perceive any real security problem with using the same SHAKE256 XOF (with different output-size parameters) for the two hashes, because in practice part of the input M will always be different for the XOF's different uses, yielding implicit domain-separation. In particular: - The secret per-message 'r' value gets computed using the internal hash as SHAKE256(prefix || M, 912), which depends on the secret and cryptographically unique 'prefix'. - The Schnorr challenge gets computed using the internal hash (again) as SHAKE256(R || A || M, 912), where R depends on r and in turn on the secret prefix, and hence should be cryptographically unique and unpredictable to anyone not holding the private signing key. Argued another way, if there was a real problem with using SHAKE256 for both the internal hash and prehash in Ed448, it seems the same problem would probably exist with using SHA-512 for both the internal hash and prehash in Ed25519. Still, in case we would like to make the design a bit more conservative with explicit domain separation, I suggest the following alternative scheme. --- #2: twoshakes-d ("d" is for "domain-separated"): This scheme again uses the SHAKE256 extensible-output functions (XOFs) to implement both hashes, with the inputs prefixed as specified below for explicit domain separation purposes. The scheme accepts two optional, application-defined parameters for customization, but applications simply needing a generic signature scheme (and APIs offering no convenient way to specify optional parameters) can simply use the defaults as specified below: - Prehash: 1-bit flag, default True - Context: octet string of length 0..255, default empty (0-octet) In PureEdDSA, the prehash PH(M) is the identity function, PH(M)=M. In HashEdDSA, the prehash PH(M) is computed as SHAKE256(dom||M, 512), where dom is a domain separation prefix defined below with the Flags octet set to 0x02. The 512 parameter means use the first 512 bits of SHAKE256 output as the hash prehash output. The internal hash H(M) is computed as SHAKE256(dom||M, 912), where dom is defined below, with the Flags octet it contains set to 0x00 for PureEdDSA or to 0x01 for HashEdDSA. The 912 again means use the first 912 bits of SHAKE256 output as the internal hash output. The domain separation prefix 'dom' in each case above consists of: - 8 octets: the ASCII characters "SigEd448" - 1 octet: Flags, as defined below - 1 octet: length of optional Context string, 0-255 (0 meaning empty) - 0-255 octets: Context string The Flags octet is defined as follows: - Bit 0: Prehash parameter: 0 for PureEdDSA or 1 for HashEdDSA. - Bit 1: 0 for the internal hash, 1 for the prehash - Bits 2-7: reserved, MUST be zero Justification for this design: The 8-octet 'SigEd448' prefix provides (weak) explicit domain separation of EdDSA+Goldilocks's use of SHAKE256 from other independent uses of SHAKE256. It is not by any means essential to the scheme's security but is included merely as a low-cost conservative precaution. The optional Context parameter enables applications to distinguish signatures intended for use in one context from signatures intended for another. In particular, if a signature S is generated with one context C1, i.e., S = Sign_C1(M), then any attempt to verify S in a different context C2 != C1 will fail, i.e., Verify_C2(M) = False. A Context could simply be a well-known application- or protocol-defined name, or a hash or random number to allow more fine-grained context separation. The document defining how EdDSA is to be used in a given application or protocol is expected to specify how the Context parameter is to be determined. The Flags octet provides explicit domain separation between the three uses of SHAKE256 in EdDSA+Goldilocks: namely the prehash (flags=0x02), the PureEdDSA internal hash (flags=0x00), or the HashEdDSA internal hash (flags=0x01). Any or all of these domain separation provisions could of course be dropped without affecting the resulting signature scheme's security in any one use-case considered independently, but are included as a conservative security precaution that costs little in terms of either performance or implementation complexity. As such, I feel these domain-separation provisions are useful but am also fine with dropping any of them if the balance of the WG feels they are not worth the trouble. (Or just go with twoshakes-s above.) --- Cheers Bryan On 11/21/15 7:22 AM, Alexey Melnikov wrote: > Dear CFRG participants, > Chairs would like to get Ed448 finished and send > draft-irtf-cfrg-eddsa to RFC Editor. > > In order to do that, we need to pick 1) pre-hashing algorithm and 2) > 912-bit internal hash function. > > Chairs would like to ask participants to submit their detailed > implementable proposals within 1 week (till November 29th). After that > we will have a Quaker poll to settle on one choice for each of the above > (alternatively chairs can just pick something and ask for objections). > > Best Regards, > Kenny and Alexey > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Finishing Ed448 definition Alexey Melnikov
- Re: [Cfrg] Finishing Ed448 definition Bryan A Ford
- Re: [Cfrg] Finishing Ed448 definition Gilles Van Assche
- Re: [Cfrg] Finishing Ed448 definition Mike Hamburg
- Re: [Cfrg] Finishing Ed448 definition Simon Josefsson
- Re: [Cfrg] Finishing Ed448 definition Simon Josefsson
- Re: [Cfrg] Finishing Ed448 definition Bryan Ford
- Re: [Cfrg] Finishing Ed448 definition Ilari Liusvaara
- Re: [Cfrg] Finishing Ed448 definition Ilari Liusvaara