Re: [Cfrg] Finishing Ed448 definition
Mike Hamburg <mike@shiftleft.org> Wed, 25 November 2015 18:14 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0017E1A87F0 for <cfrg@ietfa.amsl.com>; Wed, 25 Nov 2015 10:14:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kAOI1AvpF5A7 for <cfrg@ietfa.amsl.com>; Wed, 25 Nov 2015 10:14:49 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D02441A87C0 for <cfrg@irtf.org>; Wed, 25 Nov 2015 10:14:49 -0800 (PST)
Received: from [192.168.1.102] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 022D63AA71; Wed, 25 Nov 2015 10:12:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1448475127; bh=FhgD+S0lZ3EVJ79ed11wT0DD2a4B4ffFZFnAJcwjUQM=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=cZUfFCrCX3+y0HSpfkCByy/ty2AqlSQQj4/EFEEsy/Vgoq4VVmBzUmlhyI5gZgV+Z /tY68FwXY1JAuKNmTo0wpATpYNw/m9Gk2DYRI8u+oey310saj6MPpEdy96alLMttjw Op6FFvwDA0v8hvZKsI6dKvC8QSenvoCa4sgsJGuM=
To: Gilles Van Assche <gilles.vanassche@st.com>, Bryan A Ford <brynosaurus@gmail.com>
References: <56508C20.7090009@isode.com> <565109E4.7000904@gmail.com> <5655E8F3.8050404@st.com>
From: Mike Hamburg <mike@shiftleft.org>
Message-ID: <5655FA97.1000809@shiftleft.org>
Date: Wed, 25 Nov 2015 10:14:47 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <5655E8F3.8050404@st.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/wLMvN2lKfk4WIhVDfpeNECs1Cnw>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Finishing Ed448 definition
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 18:14:52 -0000
+1 On 11/25/2015 08:59 AM, Gilles Van Assche wrote: > Hi Bryan, > > I have a preference for your second proposal "twoshakes-d", for its > domain separation between PureEdDSA and HashEdDSA. This would have the > practical advantage of allowing a single key to be used for both options > (if certified as such), without input clashes at the internal hash level. > > Kind regards, > Gilles > > On 11/22/2015 01:18 AM, Bryan A Ford wrote: >> Here are two closely-related proposals for the pre-hashing and internal >> hashing scheme. For discussion purposes let's call them "twoshakes-s" >> and "twoshakes-d". Both are defined in clearly-demarked sections below. >> >> --- >> #1: twoshakes-s ("s" is for "simple"): >> >> This scheme uses the SHAKE256 extensible-output functions (XOFs) to >> implement both the internal hash and prehash. The internal hash uses the >> first 912 bits (114 octets) of the output produced by SHAKE256, whereas >> the prehash uses the first 512 bits (64 octets) of SHAKE256-produced >> output. >> >> In PureEdDSA, the prehash PH(M) is the identity function, PH(M)=M. In >> HashEdDSA, the prehash PH(M) is computed as SHAKE256(M, 512), where M is >> the message to be hashed and the second parameter determines the number >> of bits of output the SHAKE256 XOR produces. Note that this notation is >> consistent with the two-parameter definition of SHAKE256 in section 6.3 >> of FIPS 202. >> >> The internal hash H(M) is similarly computed as SHAKE256(M, 912), >> yielding a 912-bit output. (Note that the M here merely names the >> internal hash's input parameter, not the message ultimately input to the >> EdDSA scheme. In its usage by EdDSA this M will be substituted with >> 'Prefix || M' or 'R || A || M' in the signing process.) >> >> Design justification: >> >> The overall justification for using SHAKE256 for both internal hash and >> prehash, as discussed already on this list, is: (a) implementations need >> only a single symmetric crypto primitive (Keccak) for both; and (b) >> SHAKE256 operates the underlying Keccak sponge function with a rate and >> capacity designed to be appropriate for a 256-bit security level, and >> not at an overly-conservative rate as she SHA3-* hashes do. This latter >> performance consideration is important mainly for the prehash, since the >> prehash can be used to operate on long messages making its hashing >> throughput potentially significant (and not necessarily always dominated >> by the cost of the public-key operations). >> >> This scheme has the advantage of simplicity and consistency with how the >> Ed25519 signature scheme works, only dropping in SHAKE256 with >> appropriate output-size parameters in place of SHA-512. I do not >> perceive any real security problem with using the same SHAKE256 XOF >> (with different output-size parameters) for the two hashes, because in >> practice part of the input M will always be different for the XOF's >> different uses, yielding implicit domain-separation. In particular: >> >> - The secret per-message 'r' value gets computed using the internal hash >> as SHAKE256(prefix || M, 912), which depends on the secret and >> cryptographically unique 'prefix'. >> >> - The Schnorr challenge gets computed using the internal hash (again) as >> SHAKE256(R || A || M, 912), where R depends on r and in turn on the >> secret prefix, and hence should be cryptographically unique and >> unpredictable to anyone not holding the private signing key. >> >> Argued another way, if there was a real problem with using SHAKE256 for >> both the internal hash and prehash in Ed448, it seems the same problem >> would probably exist with using SHA-512 for both the internal hash and >> prehash in Ed25519. >> >> Still, in case we would like to make the design a bit more conservative >> with explicit domain separation, I suggest the following alternative >> scheme. >> >> --- >> #2: twoshakes-d ("d" is for "domain-separated"): >> >> This scheme again uses the SHAKE256 extensible-output functions (XOFs) >> to implement both hashes, with the inputs prefixed as specified below >> for explicit domain separation purposes. >> >> The scheme accepts two optional, application-defined parameters for >> customization, but applications simply needing a generic signature >> scheme (and APIs offering no convenient way to specify optional >> parameters) can simply use the defaults as specified below: >> >> - Prehash: 1-bit flag, default True >> - Context: octet string of length 0..255, default empty (0-octet) >> >> In PureEdDSA, the prehash PH(M) is the identity function, PH(M)=M. >> In HashEdDSA, the prehash PH(M) is computed as SHAKE256(dom||M, 512), >> where dom is a domain separation prefix defined below with the Flags >> octet set to 0x02. The 512 parameter means use the first 512 bits of >> SHAKE256 output as the hash prehash output. >> >> The internal hash H(M) is computed as SHAKE256(dom||M, 912), where dom >> is defined below, with the Flags octet it contains set to 0x00 for >> PureEdDSA or to 0x01 for HashEdDSA. The 912 again means use the first >> 912 bits of SHAKE256 output as the internal hash output. >> >> The domain separation prefix 'dom' in each case above consists of: >> - 8 octets: the ASCII characters "SigEd448" >> - 1 octet: Flags, as defined below >> - 1 octet: length of optional Context string, 0-255 (0 meaning empty) >> - 0-255 octets: Context string >> >> The Flags octet is defined as follows: >> - Bit 0: Prehash parameter: 0 for PureEdDSA or 1 for HashEdDSA. >> - Bit 1: 0 for the internal hash, 1 for the prehash >> - Bits 2-7: reserved, MUST be zero >> >> Justification for this design: >> >> The 8-octet 'SigEd448' prefix provides (weak) explicit domain separation >> of EdDSA+Goldilocks's use of SHAKE256 from other independent uses of >> SHAKE256. It is not by any means essential to the scheme's security but >> is included merely as a low-cost conservative precaution. >> >> The optional Context parameter enables applications to distinguish >> signatures intended for use in one context from signatures intended for >> another. In particular, if a signature S is generated with one context >> C1, i.e., S = Sign_C1(M), then any attempt to verify S in a different >> context C2 != C1 will fail, i.e., Verify_C2(M) = False. A Context could >> simply be a well-known application- or protocol-defined name, or a hash >> or random number to allow more fine-grained context separation. The >> document defining how EdDSA is to be used in a given application or >> protocol is expected to specify how the Context parameter is to be >> determined. >> >> The Flags octet provides explicit domain separation between the three >> uses of SHAKE256 in EdDSA+Goldilocks: namely the prehash (flags=0x02), >> the PureEdDSA internal hash (flags=0x00), or the HashEdDSA internal hash >> (flags=0x01). >> >> Any or all of these domain separation provisions could of course be >> dropped without affecting the resulting signature scheme's security in >> any one use-case considered independently, but are included as a >> conservative security precaution that costs little in terms of either >> performance or implementation complexity. As such, I feel these >> domain-separation provisions are useful but am also fine with dropping >> any of them if the balance of the WG feels they are not worth the >> trouble. (Or just go with twoshakes-s above.) >> >> --- >> >> Cheers >> Bryan >> >> On 11/21/15 7:22 AM, Alexey Melnikov wrote: >>> Dear CFRG participants, >>> Chairs would like to get Ed448 finished and send >>> draft-irtf-cfrg-eddsa to RFC Editor. >>> >>> In order to do that, we need to pick 1) pre-hashing algorithm and 2) >>> 912-bit internal hash function. >>> >>> Chairs would like to ask participants to submit their detailed >>> implementable proposals within 1 week (till November 29th). After that >>> we will have a Quaker poll to settle on one choice for each of the above >>> (alternatively chairs can just pick something and ask for objections). >>> >>> Best Regards, >>> Kenny and Alexey >>> >>> _______________________________________________ >>> Cfrg mailing list >>> Cfrg@irtf.org >>> https://www.irtf.org/mailman/listinfo/cfrg >>> > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] Finishing Ed448 definition Alexey Melnikov
- Re: [Cfrg] Finishing Ed448 definition Bryan A Ford
- Re: [Cfrg] Finishing Ed448 definition Gilles Van Assche
- Re: [Cfrg] Finishing Ed448 definition Mike Hamburg
- Re: [Cfrg] Finishing Ed448 definition Simon Josefsson
- Re: [Cfrg] Finishing Ed448 definition Simon Josefsson
- Re: [Cfrg] Finishing Ed448 definition Bryan Ford
- Re: [Cfrg] Finishing Ed448 definition Ilari Liusvaara
- Re: [Cfrg] Finishing Ed448 definition Ilari Liusvaara