Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 20 April 2016 14:30 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A470E12D9CC; Wed, 20 Apr 2016 07:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.896
X-Spam-Level:
X-Spam-Status: No, score=-2.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o_viQEA2BRj7; Wed, 20 Apr 2016 07:29:58 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id A010212D991; Wed, 20 Apr 2016 07:29:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id EFE1B4F8B; Wed, 20 Apr 2016 17:29:56 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id BWwH54jAJMNf; Wed, 20 Apr 2016 17:29:56 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-143-35.bb.dnainternet.fi [87.100.143.35]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id A82D52310; Wed, 20 Apr 2016 17:29:56 +0300 (EEST)
Date: Wed, 20 Apr 2016 17:29:53 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Message-ID: <20160420142953.GA23528@LK-Perkele-V2.elisa-laajakaista.fi>
References: <87bn543id1.fsf@alice.fifthhorseman.net> <D33CFF00.6A70D%kenny.paterson@rhul.ac.uk> <11c960b5f1fa42aaaf4cd0a6961332ec@usma1ex-dag1mb1.msg.corp.akamai.com> <87ziso1m0l.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <87ziso1m0l.fsf@alice.fifthhorseman.net>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/r5ACeilaql26QCVji1t9qe0hKdk>
Cc: Robert Edmonds <edmonds@debian.org>, "draft-irtf-cfrg-eddsa.all@ietf.org" <draft-irtf-cfrg-eddsa.all@ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>, Ondřej Surý <ondrej@sury.org>, "Kaduk, Ben" <bkaduk@akamai.com>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 14:30:01 -0000

On Wed, Apr 20, 2016 at 08:51:22AM -0400, Daniel Kahn Gillmor wrote:
> On Wed 2016-04-20 07:27:00 -0400, Salz, Rich wrote:
> > This is okay with me, except for one pedantic clarification.  "Empty
> > string" has a specific meaning in C, it's a single NUL byte.  Since
> > our other uses of context including the NUL terminator, to avoid
> > prefix attacks, then I think the wording needs some editing.

Eh, I thought the other uses had length prefixing to avoid prefix attacks?
 
> the "empty string" message in my message was not part of the proposed
> wording change to the draft, but i can see how it might be confusing if
> it were to make it into an edit.
> 
> If we need additional clarification in the draft to avoid confusion, i
> propose:
> 
>   If no context label is supplied, it is treated as an octet string of
>   zero length; that is, (context || x) is the same as x.

Also, anyone up to some quick analysis to show that doesn't interact
harmfully with Ed25519 when using the same keys?

Also, that wouldn't solve the troublesome interaction between Ed25519
and Ed25519ph...


-Ilari