Re: [Cfrg] On the differences of Ed25519/448 and how it affects a vote on twoshakes-d

Simon Josefsson <simon@josefsson.org> Sun, 13 December 2015 22:12 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Sun, 13 Dec 2015 23:12:22 +0100
Cc: cfrg@irtf.org

Ilari Liusvaara <ilariliusvaara@welho.com> writes:

> On Sat, Dec 12, 2015 at 01:14:00PM +0100, Bryan Ford wrote:
>> On Dec 12, 2015, at 12:14 PM, Ilari Liusvaara
>> <ilariliusvaara@welho.com> wrote:
>> > This brings to mind the following (bit crazy):
>> > 
>> > - Leave Ed25519 as is.
>> > - Drop Ed25519ph
>> > - Add Ed25519dom, with context and hash-signing capabilities.
>> > - Drop Ed448ph
>> > - Rename Ed448 to Ed448dom, with context and hash-signing capabilities.
>> 
>> This seems like a potentially pretty reasonable "sweet spot"
>> compromise between the semi-conflicting goals of (a) domain
>> separation, (b) alignment between Ed448 and Ed25519, and (c)
>> backward compatibility with current Ed25519 uses without prehashing
>> or domain separation.
>> 
>> The one downside I see is that "pure" Ed25519 wouldn't be domain-
>> separated from ed25519dom, i.e., signatures generated with the former
>> could in principle get misinterpreted as the latter and vice versa.
>> But this is probably a small risk we can live with for backward-
>> compatibility reasons. 
>
> Those two would be separated at key level (like Ed25519 and Ed25519ph
> are currently).

Right.

One concern is that approaches like Ed25519ph are already deployed,
compared to how Ed25519 is used in OpenPGP.

So a proposal for moving forward could be:

* Leave Ed25519 and Ed25519ph as is and publish now

* Specify Ed448 with twoshakes-d ("Ed448dom") and have it in draft form
  until some implementation experience with it develops

I think we are seeing the effects of different levels of interest between
Ed25519 and Ed448 coming to a closure here: the Ed25519(ph) effort is
about documenting something that is already out there, while Ed448(dom)
is about describing something new that is not deployed.  While it is
nice to have these in the same document, I feel more and more that this
is problematic.  But we'll have to see what the outcome of the current
poll is first.

/Simon