Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519

Martin Thomson <> Mon, 09 May 2016 00:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D73E912D0F3; Sun, 8 May 2016 17:23:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C7yZvoytjstO; Sun, 8 May 2016 17:23:32 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4B90812D0EC; Sun, 8 May 2016 17:23:32 -0700 (PDT)
Received: by with SMTP id m9so80260071ige.1; Sun, 08 May 2016 17:23:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=ZBISGrfzHA7AV099u8a+TLmyXf5Q0l+TjwBRrE9/IhE=; b=Bd8EixREZ5o4gE7etE+Ju0cuZykqQWaWzIDcAGwsxfXyOmqgC1SS1EtI/vodu51beg JKZ5cWmVJK/nF/Sbm27DxlFqF88KNk0xL5LzSk1bWT0hZz77xpuM+kZOMxnplXYF5TNz sbDiNIlizD3mJl4auH0w5zsDS17P5MsAX9uvac5fe5x8u2USwV5sdC3MZ44rpCfK0ubk N7LIKybLN9b4oSIJf5ef2ED+UWVpCmR8iHDgiq4VeJK6tO2TwUtX3LzonXIRJfSsGaEQ dPhg/+EhWv5Gq48PB2cyBFGL07e46Qf9VpU1BD2/sqfhoLSL3H+nBR5hRIin4igDxK0I ThwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=ZBISGrfzHA7AV099u8a+TLmyXf5Q0l+TjwBRrE9/IhE=; b=ETaW/eBXr392Xu533+Ygneu2CuEJrSg4Jlj8x6H+EJ7BYFD1fVcyXSt44LHqh8gDAe Ab81F3yodsXQwUC3sdOTiZ/ArOb265ZaVhwc03FbZaSNxeKrDFZZcwmOf1TTO4JN5HCc BsBlqQsO6iifweQB2oBDz6nLH7VSMoAWgxgooJPkHF5mcxXQn21Pcd6wZDC/V72jWBdR Ca/3GJSltBBx3xlBezb2nToyzMKMYtUrHGO16tqKdsEQe72QATXBT4StV5eBX1YZZznd rklg2YCD+MuMCUFrs49QpvQzv5/gmIqJ8+AzI0kIMTBsTwl4bdoPmfD+EsHedvy8xiPl 0JzA==
X-Gm-Message-State: AOPr4FX6BhjCtcB5kMGqwHAlENh4NeAu0vyiHhf07vAZsARN3KSGQXlUbqacWB9iEkifooeyDJ1lRhXdCanXdg==
MIME-Version: 1.0
X-Received: by with SMTP id p17mr8479353igi.58.1462753411702; Sun, 08 May 2016 17:23:31 -0700 (PDT)
Received: by with HTTP; Sun, 8 May 2016 17:23:31 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
Date: Mon, 9 May 2016 10:23:31 +1000
Message-ID: <>
From: Martin Thomson <>
To: Ilari Liusvaara <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Resent-From: <>
Cc: Simon Josefsson <>,,
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 May 2016 00:23:34 -0000

On 6 May 2016 at 20:17, Ilari Liusvaara <> wrote:
> So yeah, just use separate keys. Don't cause problems for everybody
> by using contexts.

As an author of a document that defines the use of contexts, how do
you reconcile this view with what the document says?

I agree with the idea that there is a moral superiority in using
different keys.  That's an inarguable statement from a position of
great integrity.

djb's one-bit protocol examples highlight that there is an inherent
futility in attempting domain isolation at any layer of a protocol
stack that might conceivably be used in support of some high-layer

But I see those examples as illustrative of an insufficient degree of
redundancy.  For, if ever there were fans of redundancy, it would be
the military.  While conceivably you could build a protocol that
defers all self-identification and context to the crypto that supports
it, in the cases illustrated, it shows itself as unwise in the extreme
in light of the propensity of people to do bad things.

We find that reuse of signature keys for different purposes is rife in
the real world.  A firm requirement of TLS 1.3 is that existing keys
can be used with the new protocol.  It would not deploy otherwise, and
yet we endorse that which we all agree to be a sin and do what we can
to avoid problems.

When signature keys are used to identify, I predict that they will
definitely be misused in this fashion.  I've seen it many times
already, and don't imagine that any edict from the CFRG will change

I disagree with the notion of there being "serious" or "fundamental"
usability problems.  You are correct in that these are not perfect
bijective mappings from one domain to another, particularly when there
are existing users of the signature scheme.  However, you are
perfectly reasonable in noting that people are using Ed25519 and so
suggesting that they instead use some newly defined Ed25519ctx for
some marginal benefit (domain separation) is not in their interests.

Take the suggestion for what it is: a backstop for when good sense fails.