Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448

Taylor R Campbell <campbell+cfrg@mumble.net> Mon, 14 November 2016 18:53 UTC

Return-Path: <campbell@mumble.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CFD912997A for <cfrg@ietfa.amsl.com>; Mon, 14 Nov 2016 10:53:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.397
X-Spam-Level:
X-Spam-Status: No, score=-3.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a4sKuKkcv_be for <cfrg@ietfa.amsl.com>; Mon, 14 Nov 2016 10:53:48 -0800 (PST)
Received: from jupiter.mumble.net (jupiter.mumble.net [74.50.56.165]) by ietfa.amsl.com (Postfix) with ESMTP id 4213A129988 for <cfrg@irtf.org>; Mon, 14 Nov 2016 10:53:48 -0800 (PST)
Received: by jupiter.mumble.net (Postfix, from userid 1014) id 2CC3B6039C; Mon, 14 Nov 2016 18:53:37 +0000 (UTC)
From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: "Salz, Rich" <rsalz@akamai.com>
In-reply-to: <1dddb08d223647379152df9213b08a02@usma1ex-dag1mb1.msg.corp.akamai.com> (rsalz@akamai.com)
Date: Mon, 14 Nov 2016 18:53:47 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <20161114185337.2CC3B6039C@jupiter.mumble.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zFuAEz3PpYvgXlcIuiTal4E_ADs>
Cc: IRTF CFRG <cfrg@irtf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [Cfrg] Message Digest Algorithm Choice for CMS with Ed448
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2016 18:53:49 -0000

   Date: Mon, 14 Nov 2016 18:30:38 +0000
   From: "Salz, Rich" <rsalz@akamai.com>

   > It seems that SHA3-512 would be a good choice to avoid having to implement
   > more that one message digest algorithm to generate the signature or
   > validate it.

   Let's rephrase:  Any argument *against* SHA3-512?

   (yes, jetlag stinks:)

SHA3-512 is slow in order to attain the meaninglessly high 512-bit
preimage resistance, whereas SHAKE256-512 provides `only' 256-bit
preimage resistance at much higher speed.  Both provide only 256-bit
collision resistance.

Note that draft-irtf-cfrg-eddsa doesn't use SHA3-512 at all, whereas
it does use SHAKE256 for several purposes.