Re: [Cfrg] EC - next steps to get draft-irtf-cfrg-curves done
Andrey Jivsov <crypto@brainhub.org> Tue, 10 February 2015 22:41 UTC
Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEF3A1A1A48 for <cfrg@ietfa.amsl.com>; Tue, 10 Feb 2015 14:41:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XuPlsuCGxmWc for <cfrg@ietfa.amsl.com>; Tue, 10 Feb 2015 14:41:10 -0800 (PST)
Received: from resqmta-po-12v.sys.comcast.net (resqmta-po-12v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:171]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 726C61A0126 for <cfrg@irtf.org>; Tue, 10 Feb 2015 14:41:10 -0800 (PST)
Received: from resomta-po-02v.sys.comcast.net ([96.114.154.226]) by resqmta-po-12v.sys.comcast.net with comcast id qmgi1p0044tLnxL01mhAY1; Tue, 10 Feb 2015 22:41:10 +0000
Received: from [IPv6:::1] ([71.202.164.227]) by resomta-po-02v.sys.comcast.net with comcast id qmh91p0044uhcbK01mh9eY; Tue, 10 Feb 2015 22:41:10 +0000
Message-ID: <54DA8905.1060800@brainhub.org>
Date: Tue, 10 Feb 2015 14:41:09 -0800
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Tony Arcieri <bascule@gmail.com>
References: <54D9E0F1.7050600@isode.com> <54DA42E1.50007@cs.tcd.ie> <CACsn0ckrsBX4zNrQznReR8MrgR6T7SGGk0=xxviK0mN5p5ec4Q@mail.gmail.com> <D10025F4.3E69B%kenny.paterson@rhul.ac.uk> <CAHOTMVKDm+o6ZwUcER8hyT7=1QyOVLmbSsYsffBWx3v-FNipTg@mail.gmail.com> <54DA8121.9030603@brainhub.org> <CAHOTMVKa5W1e6M9hPdBH36Ubrrk8r82xoik6uJtOJb4vNRmZFw@mail.gmail.com>
In-Reply-To: <CAHOTMVKa5W1e6M9hPdBH36Ubrrk8r82xoik6uJtOJb4vNRmZFw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1423608070; bh=RJP9rOITS9HYxBCbQBTTsIFk01BLtr53MIlDpUDRsPo=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=DgPre7C5tFUu+ulG+sG2u3e3xEYn6S2OWr2si9BgP484TNOGur6T6Y2Kyto1h9bLK 1eHI68KtzebFSPkkQt/dseMWhfTJP5FNLcj3xO/L1X5rRotkTtHLoExYgUpm3L0CXU U5pUhECMPZyM8PR6SS6t2+4DdnKjBQAZ7RjIN8DrNTIsEf3V+gBr/OEa9JCVi20Dr/ y9Tvm8zjA8yGEmmmi5QrNK6Q8vpflIkD97cmFItfvPOxDYisK/2hZWi/DIOqFM3DUE kojO3EA8JWg5OmkyXVmV6NQDnX9qtlQNpo3hEh5/GlYPHcFUSzd5B3SlpYwKdxsmPH 5p1RMCDMhjkHA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/n_IpKQIG6hd9JGORMrVymEC__OM>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] EC - next steps to get draft-irtf-cfrg-curves done
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 22:41:13 -0000
On 02/10/2015 02:14 PM, Tony Arcieri wrote: > On Tue, Feb 10, 2015 at 2:07 PM, Andrey Jivsov <crypto@brainhub.org > <mailto:crypto@brainhub.org>> wrote: > > The above reads a bit odd. Often the hash function cannot be > perfectly matches to the curve size, thus the expansion or > contraction rules are defined and relied upon. > > e.g. one can use SHA-256 with P-384. > > > Can you show me an ECDSA specification that says it's allowed to use > SHA-256 with P-384? > > -- > Tony Arcieri http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf sec "4.6 DSA Signature Generation" for DSA defines the truncation/expansion. Sec "6.4 ECDSA Digital Signature Generation and Verification" discusses the implications of mismatch of the strength of the hash function. The section then prescribes: "When the length of the output of the hash function is greater than the bit length of n, then the leftmost n bits of the hash function output block shall be used in any calculation using the hash function output during the generation or verification of a digital signature." The section also says that weaker hash function "ordinarily should not be used", but doesn't prohibit this (otherwise why discuss the implications of the mismatch earlier in the section?). Because weaker hash is an implicit default in many online protocols and in offline protocols you never know the capabilities of all the verifiers, please consider that prohibiting P-384 with SHA-256 would have an effect of punishing these who want stronger security of P-384 (or a single X.509 cert that works for all security levels).
- [Cfrg] EC - next steps to get draft-irtf-cfrg-cur… Alexey Melnikov
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Stephen Farrell
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Watson Ladd
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Alexey Melnikov
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Paterson, Kenny
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Andy Lutomirski
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Paterson, Kenny
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Tony Arcieri
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Andrey Jivsov
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Tony Arcieri
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Tony Arcieri
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Andrey Jivsov
- Re: [Cfrg] EC - next steps to get draft-irtf-cfrg… Andrey Jivsov