Re: [Cfrg] Finishing Ed448 definition
Gilles Van Assche <gilles.vanassche@st.com> Wed, 25 November 2015 16:56 UTC
Return-Path: <gilles.vanassche@st.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BFA21A21AE for <cfrg@ietfa.amsl.com>; Wed, 25 Nov 2015 08:56:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, KHOP_DYNAMIC=1.004, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LGTdtEHVGWLX for <cfrg@ietfa.amsl.com>; Wed, 25 Nov 2015 08:56:45 -0800 (PST)
Received: from mx07-00178001.pphosted.com (mx07-00178001.pphosted.com [62.209.51.94]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0050A1A21AB for <cfrg@irtf.org>; Wed, 25 Nov 2015 08:56:44 -0800 (PST)
Received: from pps.filterd (m0046668.ppops.net [127.0.0.1]) by mx07-00178001.pphosted.com (8.14.5/8.14.5) with SMTP id tAPGqpcm010878; Wed, 25 Nov 2015 17:56:42 +0100
Received: from beta.dmz-eu.st.com (beta.dmz-eu.st.com [164.129.1.35]) by mx07-00178001.pphosted.com with ESMTP id 1ycpmrqf2g-1 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 25 Nov 2015 17:56:42 +0100
Received: from zeta.dmz-eu.st.com (zeta.dmz-eu.st.com [164.129.230.9]) by beta.dmz-eu.st.com (STMicroelectronics) with ESMTP id 67C3031; Wed, 25 Nov 2015 16:56:07 +0000 (GMT)
Received: from Webmail-eu.st.com (safex1hubcas6.st.com [10.75.90.73]) by zeta.dmz-eu.st.com (STMicroelectronics) with ESMTP id 8022055A2; Wed, 25 Nov 2015 16:56:39 +0000 (GMT)
Received: from [10.137.3.249] (10.137.3.249) by webmail-eu.st.com (10.75.90.73) with Microsoft SMTP Server id 8.3.389.2; Wed, 25 Nov 2015 17:56:39 +0100
References: <56508C20.7090009@isode.com> <565109E4.7000904@gmail.com>
From: Gilles Van Assche <gilles.vanassche@st.com>
To: Bryan A Ford <brynosaurus@gmail.com>
Message-ID: <5655E8F3.8050404@st.com>
Date: Wed, 25 Nov 2015 17:59:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <565109E4.7000904@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21, 1.0.33, 0.0.0000 definitions=2015-11-25_11:2015-11-24,2015-11-25,1970-01-01 signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/u9lM3NGDYfW9cJj1g48krw_ETjs>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Finishing Ed448 definition
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 16:56:47 -0000
Hi Bryan,
I have a preference for your second proposal "twoshakes-d", for its
domain separation between PureEdDSA and HashEdDSA. This would have the
practical advantage of allowing a single key to be used for both options
(if certified as such), without input clashes at the internal hash level.
Kind regards,
Gilles
On 11/22/2015 01:18 AM, Bryan A Ford wrote:
> Here are two closely-related proposals for the pre-hashing and internal
> hashing scheme. For discussion purposes let's call them "twoshakes-s"
> and "twoshakes-d". Both are defined in clearly-demarked sections below.
>
> ---
> #1: twoshakes-s ("s" is for "simple"):
>
> This scheme uses the SHAKE256 extensible-output functions (XOFs) to
> implement both the internal hash and prehash. The internal hash uses the
> first 912 bits (114 octets) of the output produced by SHAKE256, whereas
> the prehash uses the first 512 bits (64 octets) of SHAKE256-produced
> output.
>
> In PureEdDSA, the prehash PH(M) is the identity function, PH(M)=M. In
> HashEdDSA, the prehash PH(M) is computed as SHAKE256(M, 512), where M is
> the message to be hashed and the second parameter determines the number
> of bits of output the SHAKE256 XOR produces. Note that this notation is
> consistent with the two-parameter definition of SHAKE256 in section 6.3
> of FIPS 202.
>
> The internal hash H(M) is similarly computed as SHAKE256(M, 912),
> yielding a 912-bit output. (Note that the M here merely names the
> internal hash's input parameter, not the message ultimately input to the
> EdDSA scheme. In its usage by EdDSA this M will be substituted with
> 'Prefix || M' or 'R || A || M' in the signing process.)
>
> Design justification:
>
> The overall justification for using SHAKE256 for both internal hash and
> prehash, as discussed already on this list, is: (a) implementations need
> only a single symmetric crypto primitive (Keccak) for both; and (b)
> SHAKE256 operates the underlying Keccak sponge function with a rate and
> capacity designed to be appropriate for a 256-bit security level, and
> not at an overly-conservative rate as she SHA3-* hashes do. This latter
> performance consideration is important mainly for the prehash, since the
> prehash can be used to operate on long messages making its hashing
> throughput potentially significant (and not necessarily always dominated
> by the cost of the public-key operations).
>
> This scheme has the advantage of simplicity and consistency with how the
> Ed25519 signature scheme works, only dropping in SHAKE256 with
> appropriate output-size parameters in place of SHA-512. I do not
> perceive any real security problem with using the same SHAKE256 XOF
> (with different output-size parameters) for the two hashes, because in
> practice part of the input M will always be different for the XOF's
> different uses, yielding implicit domain-separation. In particular:
>
> - The secret per-message 'r' value gets computed using the internal hash
> as SHAKE256(prefix || M, 912), which depends on the secret and
> cryptographically unique 'prefix'.
>
> - The Schnorr challenge gets computed using the internal hash (again) as
> SHAKE256(R || A || M, 912), where R depends on r and in turn on the
> secret prefix, and hence should be cryptographically unique and
> unpredictable to anyone not holding the private signing key.
>
> Argued another way, if there was a real problem with using SHAKE256 for
> both the internal hash and prehash in Ed448, it seems the same problem
> would probably exist with using SHA-512 for both the internal hash and
> prehash in Ed25519.
>
> Still, in case we would like to make the design a bit more conservative
> with explicit domain separation, I suggest the following alternative
> scheme.
>
> ---
> #2: twoshakes-d ("d" is for "domain-separated"):
>
> This scheme again uses the SHAKE256 extensible-output functions (XOFs)
> to implement both hashes, with the inputs prefixed as specified below
> for explicit domain separation purposes.
>
> The scheme accepts two optional, application-defined parameters for
> customization, but applications simply needing a generic signature
> scheme (and APIs offering no convenient way to specify optional
> parameters) can simply use the defaults as specified below:
>
> - Prehash: 1-bit flag, default True
> - Context: octet string of length 0..255, default empty (0-octet)
>
> In PureEdDSA, the prehash PH(M) is the identity function, PH(M)=M.
> In HashEdDSA, the prehash PH(M) is computed as SHAKE256(dom||M, 512),
> where dom is a domain separation prefix defined below with the Flags
> octet set to 0x02. The 512 parameter means use the first 512 bits of
> SHAKE256 output as the hash prehash output.
>
> The internal hash H(M) is computed as SHAKE256(dom||M, 912), where dom
> is defined below, with the Flags octet it contains set to 0x00 for
> PureEdDSA or to 0x01 for HashEdDSA. The 912 again means use the first
> 912 bits of SHAKE256 output as the internal hash output.
>
> The domain separation prefix 'dom' in each case above consists of:
> - 8 octets: the ASCII characters "SigEd448"
> - 1 octet: Flags, as defined below
> - 1 octet: length of optional Context string, 0-255 (0 meaning empty)
> - 0-255 octets: Context string
>
> The Flags octet is defined as follows:
> - Bit 0: Prehash parameter: 0 for PureEdDSA or 1 for HashEdDSA.
> - Bit 1: 0 for the internal hash, 1 for the prehash
> - Bits 2-7: reserved, MUST be zero
>
> Justification for this design:
>
> The 8-octet 'SigEd448' prefix provides (weak) explicit domain separation
> of EdDSA+Goldilocks's use of SHAKE256 from other independent uses of
> SHAKE256. It is not by any means essential to the scheme's security but
> is included merely as a low-cost conservative precaution.
>
> The optional Context parameter enables applications to distinguish
> signatures intended for use in one context from signatures intended for
> another. In particular, if a signature S is generated with one context
> C1, i.e., S = Sign_C1(M), then any attempt to verify S in a different
> context C2 != C1 will fail, i.e., Verify_C2(M) = False. A Context could
> simply be a well-known application- or protocol-defined name, or a hash
> or random number to allow more fine-grained context separation. The
> document defining how EdDSA is to be used in a given application or
> protocol is expected to specify how the Context parameter is to be
> determined.
>
> The Flags octet provides explicit domain separation between the three
> uses of SHAKE256 in EdDSA+Goldilocks: namely the prehash (flags=0x02),
> the PureEdDSA internal hash (flags=0x00), or the HashEdDSA internal hash
> (flags=0x01).
>
> Any or all of these domain separation provisions could of course be
> dropped without affecting the resulting signature scheme's security in
> any one use-case considered independently, but are included as a
> conservative security precaution that costs little in terms of either
> performance or implementation complexity. As such, I feel these
> domain-separation provisions are useful but am also fine with dropping
> any of them if the balance of the WG feels they are not worth the
> trouble. (Or just go with twoshakes-s above.)
>
> ---
>
> Cheers
> Bryan
>
> On 11/21/15 7:22 AM, Alexey Melnikov wrote:
>> Dear CFRG participants,
>> Chairs would like to get Ed448 finished and send
>> draft-irtf-cfrg-eddsa to RFC Editor.
>>
>> In order to do that, we need to pick 1) pre-hashing algorithm and 2)
>> 912-bit internal hash function.
>>
>> Chairs would like to ask participants to submit their detailed
>> implementable proposals within 1 week (till November 29th). After that
>> we will have a Quaker poll to settle on one choice for each of the above
>> (alternatively chairs can just pick something and ask for objections).
>>
>> Best Regards,
>> Kenny and Alexey
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
- [Cfrg] Finishing Ed448 definition Alexey Melnikov
- Re: [Cfrg] Finishing Ed448 definition Bryan A Ford
- Re: [Cfrg] Finishing Ed448 definition Gilles Van Assche
- Re: [Cfrg] Finishing Ed448 definition Mike Hamburg
- Re: [Cfrg] Finishing Ed448 definition Simon Josefsson
- Re: [Cfrg] Finishing Ed448 definition Simon Josefsson
- Re: [Cfrg] Finishing Ed448 definition Bryan Ford
- Re: [Cfrg] Finishing Ed448 definition Ilari Liusvaara
- Re: [Cfrg] Finishing Ed448 definition Ilari Liusvaara