IETF Logo Mail Archive

[Dcrup] Re: [standards] [Editorial Errata Reported] RFC8463 (7930)

Alessandro Vesely <vesely@tana.it> Mon, 13 May 2024 14:15 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DD4CC19ECB3 for <dcrup@ietfa.amsl.com>; Mon, 13 May 2024 07:15:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JBHk2458yWF3 for <dcrup@ietfa.amsl.com>; Mon, 13 May 2024 07:15:19 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0504C1D4A86 for <dcrup@ietf.org>; Mon, 13 May 2024 07:15:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1715609710; bh=CRpUlsyPQttNCzn//VB8PiyzZQBuly395T9FVxxKiuo=; h=Date:Subject:To:References:From:In-Reply-To; b=BwW82FXQmaES2kh1XrZ8l2fjXZa0I2vsenZvDU3Kv//lud7qvLWwGknm3PJja0D8A VDiUSnrXmVbiZObFJy+NkWHwEFjnFBFDTnmC4l12OfXWRY4N6KyY49UU7/W45/JCRA EjNGqYv9ED+uIiqffstNAHodD5kirYD1vMWt35yyYijZgbQQAQa1kTuj9trNn
Original-Subject: Re: [Dcrup] Re: [standards] [Editorial Errata Reported] RFC8463 (7930)
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.120] (pcale.tana [::ffff:172.25.197.120]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3,128bits,ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0FF.000000006642206E.000037C1; Mon, 13 May 2024 16:15:10 +0200
Message-ID: <51ebb823-f2d7-4229-a187-e2a72ce35373@tana.it>
Date: Mon, 13 May 2024 16:15:09 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: dcrup@ietf.org
References: <20240511201039.lf46znlR@steffen%sdaoden.eu> <20240511201754.H_LMdv5z@steffen%sdaoden.eu> <20240511223227.IW5-DSdi@steffen%sdaoden.eu> <5a7773ad-e54d-a88c-99f6-064a3d4c4e90@taugh.com> <d2780795-8772-4578-96dc-0d351451e475@tana.it> <ZkIHCNGIFC3jXdDf@chardros.imrryr.org>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
Content-Language: en-US, it-IT
In-Reply-To: <ZkIHCNGIFC3jXdDf@chardros.imrryr.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: XVPMT4YZYEQ6VZN4EMRHCREDKEQLQ7KP
X-Message-ID-Hash: XVPMT4YZYEQ6VZN4EMRHCREDKEQLQ7KP
X-MailFrom: vesely@tana.it
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dcrup.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Dcrup] Re: [standards] [Editorial Errata Reported] RFC8463 (7930)
List-Id: DKIM Crypto Update <dcrup.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/qcvmvpq3dcSD9cgyTPmd9xBP750>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Owner: <mailto:dcrup-owner@ietf.org>
List-Post: <mailto:dcrup@ietf.org>
List-Subscribe: <mailto:dcrup-join@ietf.org>
List-Unsubscribe: <mailto:dcrup-leave@ietf.org>

On Mon 13/May/2024 14:26:48 +0200 Viktor Dukhovni wrote:
> On Mon, May 13, 2024 at 01:15:59PM +0200, Alessandro Vesely wrote:
> 
>> I'm not much into crypto, so I don't understand why Section 4 of RFC
>> 8032 says HashEdDSA would be less collision resistant (after SHA256)
>> than PureEdDSA. However, I understand single-pass interface for
>> creating signatures.
> 
> The construction of pure EdDSA makes it difficult to exploit collisions
> in the underlying hash function, because the message is prefixed with
> an octet-string that an attacker cannot predict, and depends on both
> the message and the signer's secret key (a deterministic variant of
> Schnorr signatures).
> 
> This is not the case with the Hash (ph) variants, which digest the
> input before signing.


Fine.  Yet, SHA256 should itself be collision resistant, so it doesn't seem 
there are practical ways to obtain collisions.


>> It seems to me we're using HashEdDSA, aren't we?
> 
> No, because of "domain separation", HashDSA(m) != PureDSA(hash(m)), even
> if the chosen hash is SHA512, but in any case HashDSA always uses
> SHA512, whereas with DKIM, SHA256 is the more likely choice.


Would it be called HashEdDSA-SHA256?  The eleventh parameter of EdDSA is 
described as:

    11.  A "prehash" function PH.  PureEdDSA means EdDSA where PH is the
         identity function, i.e., PH(M) = M.  HashEdDSA means EdDSA where
         PH generates a short output, no matter how long the message is;
         for example, PH(M) = SHA-512(M).

It says /for example/, which can be understood to mean that one could use 
another hash function.  Albeit it later says "For Ed25519ph, phflag=1 and PH is 
SHA512 instead", /Ed25519ph/ is not HashEdDSA.

However, in practice, we neither pass the whole message nor the hash function. 
It looks like we pass the hash as if it were the message.  Isn't this pre-hashing?


Best
Ale
--

v2.29.0 | Report a Bug | By Email | System Status