Re: [COSE] SHA-512/256 and SHA-256/64

John Mattsson <john.mattsson@ericsson.com> Mon, 04 July 2022 08:10 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Carsten Bormann <cabo@tzi.org>
CC: "cose@ietf.org" <cose@ietf.org>
Date: Mon, 04 Jul 2022 08:10:41 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/cbEZL66ohe3gWPbJ-epGW1A2Krw>

I just saw that NIST itself is using the /t notation for SHA-256 in SP 800-208 even if that notation is not defined for SHA-256 in SP 180-4.

NIST's use of the /t notation in SP 180-4 and SP 800-208 is a bit confusing. The current situation is that /t as a way to create variable-length digests means three different things for SHA-256, SHA-512, and SHAKE256. For SHA-256, /t just means simple truncation, which is weak; for SHA-512, /t means choosing function t in the set SHA-512/t of 510 fixed-length hash functions; and for SHAKE256, /t means setting d=t in SHAKE256(M,d).

As NIST is already using SHA-256/192 in SP 800-208 to mean just truncation it is maybe not a problem if IETF does the same...

Cheers,
John

From: Carsten Bormann <cabo@tzi.org>
Date: Friday, 1 July 2022 at 09:48
To: John Mattsson <john.mattsson@ericsson.com>
Cc: cose@ietf.org <cose@ietf.org>
Subject: Re: [COSE] SHA-512/256 and SHA-256/64

On 2022-07-01, at 09:32, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
>
> Hi,
>
> - The IANA COSE Algorithms Registry lists draft-ietf-cose-rfc8152bis-algs-12 as a reference for SHA-512/256 and SHA-256/64. This seems incorrect. draft-ietf-cose-rfc8152bis-algs does not mention SHA-512/256 or SHA-256/64.

Right, hash algorithms are defined in draft-ietf-cose-hash-algs.

Section 3.2 defines a “SHA-256/64”, which is indeed confusingly named.
It is labeled as “filter only” (i.e., not cryptographically secure), for use e.g. as a keyid (i.e., where the relationship between the truncated hash and the actual data is verified in some other way, such as the presence of the latter in a list of authorized keys).

> - NIST SP 180-4 assigns a very specific meaning to the notation SHA-512/t as the name for a t-bit hash function _based_ on SHA-512 whose output is truncated to t bits. The initial hash value is a _function_ of t.

Indeed, we should not be calling the independently constructed “SHA-256 truncated to 64 bits” “SHA-256/64”.

> SHA-512/256 is defined in NIST SP 180-4. As the initial hash value is a function of t it is infeasible to find any relation between a SHA-512 hash and a SHA-512/256 hash.
>
> SHA-256/64 is not defined in NIST SP 180-4. draft-ietf-cose-hash-algs introduces a new meaning to the /t notation. In SHA-256/64 the initial hash value is the same as in SHA-256, i.e., it is not a function of t. This means that SHA-256/64 has different security properties than SHA-512/256. There is a trivial relation between a SHA-256 hash and a SHA-256/64 hash.

Correct.

> I think this difference needs to be made clearer in draft-ietf-cose-hash-algs. The security properties of the SHA-256/64 might come as a surprise to a user expecting the same properties as SHA-512/512. There is also a risk for incompatible implementations as people might implement SHA-256/64 in a similar way as SHA-512/256.
>
> I think that the name SHA-256/64 should be changed as the “/64” in SHA-256/64 has different meaning than the “/256” in SHA-512/256.

+1.  SHA-256-t64 comes to mind, but maybe someone has a better idea.

> I do not think that the initial hash value in SHA-256/64 should be changed as that would make it incompatible with any current implementation of SHA-256.

I don’t think there is anything wrong with the truncated form for the application “filter only”.

Grüße, Carsten
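
The two meanings of "/t" discussed in this thread, and the "filter only" keyid use, as an added example that is not part of the original messages or of draft-ietf-cose-hash-algs. The function names and sample keys are hypothetical, and it assumes the local OpenSSL build exposes SHA-512/256 to Python's hashlib as `sha512_256`.

```python
import hashlib
import hmac

def sha256_truncated(msg: bytes, t_bits: int = 64) -> bytes:
    """Leftmost t bits of an ordinary SHA-256 digest (initial hash value unchanged)."""
    if t_bits % 8 or not 0 < t_bits <= 256:
        raise ValueError("t_bits must be a multiple of 8 between 8 and 256")
    return hashlib.sha256(msg).digest()[: t_bits // 8]

def sha512_256(msg: bytes) -> bytes:
    """SHA-512/256: the initial hash value is a function of t.
    Assumption: hashlib (via OpenSSL) provides the name "sha512_256"."""
    return hashlib.new("sha512_256", msg).digest()

def prefix_relations(msg: bytes) -> dict:
    """Check whether each short digest is simply a prefix of the full-length digest."""
    return {
        "sha256_t64_is_prefix_of_sha256":
            sha256_truncated(msg, 64) == hashlib.sha256(msg).digest()[:8],
        "sha512_256_is_prefix_of_sha512":
            sha512_256(msg) == hashlib.sha512(msg).digest()[:32],
    }

def lookup_by_keyid(keyid: bytes, presented_key: bytes, authorized_keys: list):
    """Filter-only use: the 64-bit keyid narrows the candidates; acceptance
    rests on the full key being present in the authorized list."""
    for key in authorized_keys:
        if sha256_truncated(key) == keyid and hmac.compare_digest(key, presented_key):
            return key
    return None

if __name__ == "__main__":
    # Constructed sample keys, for illustration only.
    keys = [b"constructed-sample-key-1", b"constructed-sample-key-2"]
    print(prefix_relations(b"abc"))
    print(lookup_by_keyid(sha256_truncated(keys[0]), keys[0], keys))
```
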