Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448

Taylor R Campbell <> Mon, 14 November 2016 23:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 293CE129532 for <>; Mon, 14 Nov 2016 15:31:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.397
X-Spam-Status: No, score=-3.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kO78OoQLQPbk for <>; Mon, 14 Nov 2016 15:31:55 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id DD1EE129528 for <>; Mon, 14 Nov 2016 15:31:55 -0800 (PST)
Received: by (Postfix, from userid 1014) id 7FD31603CA; Mon, 14 Nov 2016 23:31:44 +0000 (UTC)
From: Taylor R Campbell <>
To: Jim Schaad <>
In-reply-to: <06d301d23ecc$402eb8e0$c08c2aa0$> (
Date: Mon, 14 Nov 2016 23:31:54 +0000
Sender: Taylor R Campbell <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
Archived-At: <>
Cc: IRTF CFRG <>, Russ Housley <>, "Scott Fluhrer (sfluhrer)" <>
Subject: Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Nov 2016 23:31:57 -0000

   Date: Tue, 15 Nov 2016 08:10:08 +0900
   From: Jim Schaad <>

   Please note that the following is how CMS works

   Sign( list of attributes )
   List of attributes contains a hash of the message along with other items
   such as a time, which signature algorithm, which hash algorithm, potentially
   which certificate(s) to use for verification.

   For this exercise, we are looking what to use for the hash of message, the
   sign operation is using EdDSA pure.

If you are limited to choosing a single fixed public hash function H
so that the message m figures into the rest of the system only via
H(m), then it is essential to choose H so that it has collision
resistance at the desired security level, e.g. SHAKE256-512 for a
256-bit security level.

(SHA3-512 does too but is excessively slow for that security level.
The CFRG's EdDSA draft uses SHAKE256 rather than SHA3-512 for this