Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 22 April 2016 11:28 UTC

Date: Fri, 22 Apr 2016 14:28:43 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@ietf.org" <cfrg@ietf.org>
Message-ID: <20160422112842.GA28192@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160420182617.GA23652@LK-Perkele-V2.elisa-laajakaista.fi> <87bn540xh3.fsf@alice.fifthhorseman.net> <20160421043947.GA24394@LK-Perkele-V2.elisa-laajakaista.fi> <alpine.GSO.1.10.1604211349530.26829@multics.mit.edu> <20160421195014.GA26169@LK-Perkele-V2.elisa-laajakaista.fi> <87zismzo9o.fsf@alice.fifthhorseman.net> <20160422062121.GA27448@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnVd28WHT+wpMxVd+XczkiJmExkjTewG5B_a1uKgTMo7+A@mail.gmail.com> <20160422091618.GB27448@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnUGSWYe+Z4t63GpNipLLUx4G43U+ARL+jYL825k6QraMw@mail.gmail.com>
In-Reply-To: <CABkgnnUGSWYe+Z4t63GpNipLLUx4G43U+ARL+jYL825k6QraMw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/xf1k-6Sb-JI-iNLFCLs3bAmyVCA>
Subject: Re: [Cfrg] draft-irtf-cfrg-eddsa -- one final proposal for domain separation (context labels) for ed25519
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Fri, Apr 22, 2016 at 08:37:28PM +1000, Martin Thomson wrote:
> On 22 April 2016 at 19:16, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> > On Fri, Apr 22, 2016 at 05:26:37PM +1000, Martin Thomson wrote:
> >> On 22 April 2016 at 16:21, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> >> > H(x)=SHA512(context|x) does not cause behaviour like Ed25519(key,context|x)
> >> > when applied. It causes behaviour that can't be expressed using the base
> >> > Ed25519 primitive.
> >>
> >> I don't know why we got hung up on that concept.  PH(x) =
> >> SHA512(context || x) might be closer to what we've been thinking of.
> >
> > 1) That only 'works' with Ed25519ph. And even with that, you do not
> > want the context inside data hash.
> 
> I don't know what you want, but maybe you could tell me why I don't want that.

1) More vulnerable to attacks there.
2) You need the context outside it anyway for the non-prehashed version
   (if you do contexts).

> > 2) You definitely do not want that kind of context schemes on non-
> > context keys. Even the prepending the context in hash (without
> > separation) makes me VERY uneasy.
> 
> Well, it's how everyone is forced to do things if the primitive
> doesn't have native contexts.  I agree that it could be better, but
> I'm not going to lose sleep over it.

Or just split on key. May be a bit painful (and sometimes not possible
at all, e.g. TLS versus CSR) but much better than dealing with the
API mess.

> I'm having a hard time understanding what you want out of this
> conversation.  Maybe you could try to explain whether you think that
> context is a good idea and maybe how you would prefer that we solve
> the problem.

It is not possible to retrofit contexts into Ed25519 in a way that
I would be even remotely comfortable with. This is because Ed25519
lacks any space to put any extensions to.

Just adding contexts to Ed25519 without splitting variant would
leave it open for trivial attacks (or cryptographic screwedness
I really do not want to see).

If you split the variant, you can do whatever is desired, e.g. fit an
Ed448-style context and hash indicator (which would also solve the
problems with Ed25519ph).


-Ilari