Re: [Cfrg] Finishing Ed448 definition
Mike Hamburg <mike@shiftleft.org> Wed, 25 November 2015 18:14 UTC
Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0017E1A87F0 for <cfrg@ietfa.amsl.com>; Wed, 25 Nov 2015 10:14:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kAOI1AvpF5A7 for <cfrg@ietfa.amsl.com>; Wed, 25 Nov 2015 10:14:49 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D02441A87C0 for <cfrg@irtf.org>; Wed, 25 Nov 2015 10:14:49 -0800 (PST)
Received: from [192.168.1.102] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 022D63AA71; Wed, 25 Nov 2015 10:12:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1448475127; bh=FhgD+S0lZ3EVJ79ed11wT0DD2a4B4ffFZFnAJcwjUQM=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=cZUfFCrCX3+y0HSpfkCByy/ty2AqlSQQj4/EFEEsy/Vgoq4VVmBzUmlhyI5gZgV+Z /tY68FwXY1JAuKNmTo0wpATpYNw/m9Gk2DYRI8u+oey310saj6MPpEdy96alLMttjw Op6FFvwDA0v8hvZKsI6dKvC8QSenvoCa4sgsJGuM=
To: Gilles Van Assche <gilles.vanassche@st.com>, Bryan A Ford <brynosaurus@gmail.com>
References: <56508C20.7090009@isode.com> <565109E4.7000904@gmail.com> <5655E8F3.8050404@st.com>
From: Mike Hamburg <mike@shiftleft.org>
Message-ID: <5655FA97.1000809@shiftleft.org>
Date: Wed, 25 Nov 2015 10:14:47 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <5655E8F3.8050404@st.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/wLMvN2lKfk4WIhVDfpeNECs1Cnw>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Finishing Ed448 definition
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 18:14:52 -0000
+1
On 11/25/2015 08:59 AM, Gilles Van Assche wrote:
> Hi Bryan,
>
> I have a preference for your second proposal "twoshakes-d", for its
> domain separation between PureEdDSA and HashEdDSA. This would have the
> practical advantage of allowing a single key to be used for both options
> (if certified as such), without input clashes at the internal hash level.
>
> Kind regards,
> Gilles
>
> On 11/22/2015 01:18 AM, Bryan A Ford wrote:
>> Here are two closely-related proposals for the pre-hashing and internal
>> hashing scheme. For discussion purposes let's call them "twoshakes-s"
>> and "twoshakes-d". Both are defined in clearly-demarked sections below.
>>
>> ---
>> #1: twoshakes-s ("s" is for "simple"):
>>
>> This scheme uses the SHAKE256 extensible-output functions (XOFs) to
>> implement both the internal hash and prehash. The internal hash uses the
>> first 912 bits (114 octets) of the output produced by SHAKE256, whereas
>> the prehash uses the first 512 bits (64 octets) of SHAKE256-produced
>> output.
>>
>> In PureEdDSA, the prehash PH(M) is the identity function, PH(M)=M. In
>> HashEdDSA, the prehash PH(M) is computed as SHAKE256(M, 512), where M is
>> the message to be hashed and the second parameter determines the number
>> of bits of output the SHAKE256 XOR produces. Note that this notation is
>> consistent with the two-parameter definition of SHAKE256 in section 6.3
>> of FIPS 202.
>>
>> The internal hash H(M) is similarly computed as SHAKE256(M, 912),
>> yielding a 912-bit output. (Note that the M here merely names the
>> internal hash's input parameter, not the message ultimately input to the
>> EdDSA scheme. In its usage by EdDSA this M will be substituted with
>> 'Prefix || M' or 'R || A || M' in the signing process.)
>>
>> Design justification:
>>
>> The overall justification for using SHAKE256 for both internal hash and
>> prehash, as discussed already on this list, is: (a) implementations need
>> only a single symmetric crypto primitive (Keccak) for both; and (b)
>> SHAKE256 operates the underlying Keccak sponge function with a rate and
>> capacity designed to be appropriate for a 256-bit security level, and
>> not at an overly-conservative rate as she SHA3-* hashes do. This latter
>> performance consideration is important mainly for the prehash, since the
>> prehash can be used to operate on long messages making its hashing
>> throughput potentially significant (and not necessarily always dominated
>> by the cost of the public-key operations).
>>
>> This scheme has the advantage of simplicity and consistency with how the
>> Ed25519 signature scheme works, only dropping in SHAKE256 with
>> appropriate output-size parameters in place of SHA-512. I do not
>> perceive any real security problem with using the same SHAKE256 XOF
>> (with different output-size parameters) for the two hashes, because in
>> practice part of the input M will always be different for the XOF's
>> different uses, yielding implicit domain-separation. In particular:
>>
>> - The secret per-message 'r' value gets computed using the internal hash
>> as SHAKE256(prefix || M, 912), which depends on the secret and
>> cryptographically unique 'prefix'.
>>
>> - The Schnorr challenge gets computed using the internal hash (again) as
>> SHAKE256(R || A || M, 912), where R depends on r and in turn on the
>> secret prefix, and hence should be cryptographically unique and
>> unpredictable to anyone not holding the private signing key.
>>
>> Argued another way, if there was a real problem with using SHAKE256 for
>> both the internal hash and prehash in Ed448, it seems the same problem
>> would probably exist with using SHA-512 for both the internal hash and
>> prehash in Ed25519.
>>
>> Still, in case we would like to make the design a bit more conservative
>> with explicit domain separation, I suggest the following alternative
>> scheme.
>>
>> ---
>> #2: twoshakes-d ("d" is for "domain-separated"):
>>
>> This scheme again uses the SHAKE256 extensible-output functions (XOFs)
>> to implement both hashes, with the inputs prefixed as specified below
>> for explicit domain separation purposes.
>>
>> The scheme accepts two optional, application-defined parameters for
>> customization, but applications simply needing a generic signature
>> scheme (and APIs offering no convenient way to specify optional
>> parameters) can simply use the defaults as specified below:
>>
>> - Prehash: 1-bit flag, default True
>> - Context: octet string of length 0..255, default empty (0-octet)
>>
>> In PureEdDSA, the prehash PH(M) is the identity function, PH(M)=M.
>> In HashEdDSA, the prehash PH(M) is computed as SHAKE256(dom||M, 512),
>> where dom is a domain separation prefix defined below with the Flags
>> octet set to 0x02. The 512 parameter means use the first 512 bits of
>> SHAKE256 output as the hash prehash output.
>>
>> The internal hash H(M) is computed as SHAKE256(dom||M, 912), where dom
>> is defined below, with the Flags octet it contains set to 0x00 for
>> PureEdDSA or to 0x01 for HashEdDSA. The 912 again means use the first
>> 912 bits of SHAKE256 output as the internal hash output.
>>
>> The domain separation prefix 'dom' in each case above consists of:
>> - 8 octets: the ASCII characters "SigEd448"
>> - 1 octet: Flags, as defined below
>> - 1 octet: length of optional Context string, 0-255 (0 meaning empty)
>> - 0-255 octets: Context string
>>
>> The Flags octet is defined as follows:
>> - Bit 0: Prehash parameter: 0 for PureEdDSA or 1 for HashEdDSA.
>> - Bit 1: 0 for the internal hash, 1 for the prehash
>> - Bits 2-7: reserved, MUST be zero
>>
>> Justification for this design:
>>
>> The 8-octet 'SigEd448' prefix provides (weak) explicit domain separation
>> of EdDSA+Goldilocks's use of SHAKE256 from other independent uses of
>> SHAKE256. It is not by any means essential to the scheme's security but
>> is included merely as a low-cost conservative precaution.
>>
>> The optional Context parameter enables applications to distinguish
>> signatures intended for use in one context from signatures intended for
>> another. In particular, if a signature S is generated with one context
>> C1, i.e., S = Sign_C1(M), then any attempt to verify S in a different
>> context C2 != C1 will fail, i.e., Verify_C2(M) = False. A Context could
>> simply be a well-known application- or protocol-defined name, or a hash
>> or random number to allow more fine-grained context separation. The
>> document defining how EdDSA is to be used in a given application or
>> protocol is expected to specify how the Context parameter is to be
>> determined.
>>
>> The Flags octet provides explicit domain separation between the three
>> uses of SHAKE256 in EdDSA+Goldilocks: namely the prehash (flags=0x02),
>> the PureEdDSA internal hash (flags=0x00), or the HashEdDSA internal hash
>> (flags=0x01).
>>
>> Any or all of these domain separation provisions could of course be
>> dropped without affecting the resulting signature scheme's security in
>> any one use-case considered independently, but are included as a
>> conservative security precaution that costs little in terms of either
>> performance or implementation complexity. As such, I feel these
>> domain-separation provisions are useful but am also fine with dropping
>> any of them if the balance of the WG feels they are not worth the
>> trouble. (Or just go with twoshakes-s above.)
>>
>> ---
>>
>> Cheers
>> Bryan
>>
>> On 11/21/15 7:22 AM, Alexey Melnikov wrote:
>>> Dear CFRG participants,
>>> Chairs would like to get Ed448 finished and send
>>> draft-irtf-cfrg-eddsa to RFC Editor.
>>>
>>> In order to do that, we need to pick 1) pre-hashing algorithm and 2)
>>> 912-bit internal hash function.
>>>
>>> Chairs would like to ask participants to submit their detailed
>>> implementable proposals within 1 week (till November 29th). After that
>>> we will have a Quaker poll to settle on one choice for each of the above
>>> (alternatively chairs can just pick something and ask for objections).
>>>
>>> Best Regards,
>>> Kenny and Alexey
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>>>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] Finishing Ed448 definition Alexey Melnikov
- Re: [Cfrg] Finishing Ed448 definition Bryan A Ford
- Re: [Cfrg] Finishing Ed448 definition Gilles Van Assche
- Re: [Cfrg] Finishing Ed448 definition Mike Hamburg
- Re: [Cfrg] Finishing Ed448 definition Simon Josefsson
- Re: [Cfrg] Finishing Ed448 definition Simon Josefsson
- Re: [Cfrg] Finishing Ed448 definition Bryan Ford
- Re: [Cfrg] Finishing Ed448 definition Ilari Liusvaara
- Re: [Cfrg] Finishing Ed448 definition Ilari Liusvaara