Re: [openpgp] SHA3 algorithm ids.

Andrey Jivsov <openpgp@brainhub.org> Wed, 19 August 2015 08:28 UTC

Return-Path: <openpgp@brainhub.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C66681AD0CF for <openpgp@ietfa.amsl.com>; Wed, 19 Aug 2015 01:28:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Qffj3yBrIa7 for <openpgp@ietfa.amsl.com>; Wed, 19 Aug 2015 01:28:06 -0700 (PDT)
Received: from resqmta-po-04v.sys.comcast.net (resqmta-po-04v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:163]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBD891AD17F for <openpgp@ietf.org>; Wed, 19 Aug 2015 01:28:00 -0700 (PDT)
Received: from resomta-po-20v.sys.comcast.net ([96.114.154.244]) by resqmta-po-04v.sys.comcast.net with comcast id 6YTt1r0035Geu2801YU0BD; Wed, 19 Aug 2015 08:28:00 +0000
Received: from [192.168.1.2] ([73.170.34.26]) by resomta-po-20v.sys.comcast.net with comcast id 6YTz1r0020ZpzqZ01YTziv; Wed, 19 Aug 2015 08:28:00 +0000
Message-ID: <55D43E0F.6080201@brainhub.org>
Date: Wed, 19 Aug 2015 01:27:59 -0700
From: Andrey Jivsov <openpgp@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <87y4hmi19i.fsf@vigenere.g10code.de>
In-Reply-To: <87y4hmi19i.fsf@vigenere.g10code.de>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1439972880; bh=B0bOYe1ZXiFSL51aGWgq72mFkkMRedROV5PS5m7UubE=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=VSSo1aB9MvCLm/WqjsbSDi2pNs2DCtk9p9T4MvmipsUOjIfgRbH61Av89ub0dmlN0 lLJViJ5pV9yMNpUZxIqNfbuWHsOgqkRBCKtkSWiXTSJmj6n3ASaTQmM1Z3CxtMMKwk ifyaprGlw4uy6ikDl6OqDdDWH/0Y0zRCVpnUriTjgoJiKZov5jjKVjaa23ESAtvCOe SfrIlH2zmOhbGA37qvXOLb0SffTf3hp/RmTSNgKqgo7Quy9zlFGn4tkDvjez2ToqS+ 8oYMzgNYhjrAqlwsiLwZYrim9zE8DWnqJbnuN3pSldsRddVug0lG/ABd4UNFaaHf0o ZaN7QgRNrKGWg==
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/RmwG6cG9KRLMTvYIOxLbH__3sS4>
Subject: Re: [openpgp] SHA3 algorithm ids.
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 08:28:09 -0000

On 08/08/2015 02:21 AM, Werner Koch wrote:
> Hi!
>
> Now that an official SHA3 specs has been published I would like to see
> algorithm ids assigned.  Although it is some time until we can publish
> rfc-4880bis, it would be useful to agree on the algorithm ids now.
> This would be helpful for experimental implementations.  Thus what about
> this new table with the SHA2 drop in replacements:
>
>        ID           Algorithm                             Text Name
>        --           ---------                             ---------
>        1          - MD5 [HAC]                             "MD5"
>        2          - SHA-1 [FIPS180]                       "SHA1"
>        3          - RIPE-MD/160 [HAC]                     "RIPEMD160"
>        4          - Reserved
>        5          - Reserved
>        6          - Reserved
>        7          - Reserved
>        8          - SHA256 [FIPS180]                      "SHA256"
>        9          - SHA384 [FIPS180]                      "SHA384"
>        10         - SHA512 [FIPS180]                      "SHA512"
>        11         - SHA224 [FIPS180]                      "SHA224"
>        12         - SHA3-224 [FIPS202]                    "SHA3-224"
>        13         - SHA3-256 [FIPS202]                    "SHA3-256"
>        14         - SHA3-384 [FIPS202]                    "SHA3-384"
>        15         - SHA3-512 [FIPS202]                    "SHA3-512"
>        100 to 110 - Private/Experimental algorithm
>
> Note that I ordered SHA3-224 first; when we did SHA2 we forgot about 224
> and thus it ended up out of order.
>
> I am not sure about the text name.  Is a dash okay (cf. armor header)?
>
> The OIDS are:
>
>     The hexadecimal representations for the
>     currently defined hash algorithms are as follows:
>
>       [...]
>
>       - SHA3-224:   0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x07
>       - SHA3-256:   0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x08
>       - SHA3-384:   0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x09
>       - SHA3-512:   0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0a
>
>     The ASN.1 Object Identifiers (OIDs) are as follows:
>
>       [...]
>
>       - SHA3-224:   2.16.840.1.101.3.4.2.7
>       - SHA3-256:   2.16.840.1.101.3.4.2.8
>       - SHA3-384:   2.16.840.1.101.3.4.2.9
>       - SHA3-512:   2.16.840.1.101.3.4.2.10
>
>     The full hash prefixes for these are as follows:
>
>         [...]
>
>         SHA3-224:   0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
>                     0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x07, 0x05,
>                     0x00, 0x04, 0x40
>
>         SHA3-256:   0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
>                     0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x07, 0x05,
>                     0x00, 0x04, 0x40
>
>         SHA3-384:   0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
>                     0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x07, 0x05,
>                     0x00, 0x04, 0x40
>
>         SHA3-512:   0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
>                     0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x07, 0x05,
>                     0x00, 0x04, 0x40
>

Dear OpenPGP list members.

NIST has finally produced the SHA-3 spec, FIPS 202 
http://dx.doi.org/10.6028/NIST.FIPS.202. It is difficult to believe that 
the last discussion on SHA3 ID that I recall was in 2012 in 
https://lists.gnupg.org/pipermail/gnupg-devel/2012-December/027173.html .

I have updated and posted the ID with details that were discussed so far 
in the thread, here:

>
> A new version of I-D, draft-jivsov-openpgp-sha3-00.txt
> has been successfully submitted by Andrey Jivsov and posted to the
> IETF repository.
>
> Name:		draft-jivsov-openpgp-sha3
> Revision:	00
> Title:		The use of Secure Hash Algorithm 3 in OpenPGP
> Document date:	2015-08-19
> Group:		Individual Submission
> Pages:		7
> URL:            https://www.ietf.org/internet-drafts/draft-jivsov-openpgp-sha3-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-jivsov-openpgp-sha3/
> Htmlized:       https://tools.ietf.org/html/draft-jivsov-openpgp-sha3-00
>
>
> Abstract:
>    This document presents the necessary information to implement the
>    SHA-3 hash algorithm with the OpenPGP format.

Your comments are very welcome.

The idea of the spec is to keep technical details written down, such as 
IDs, ASN.1 DER prefixes, and the exact set/subset of SHA3 algorithms. I 
also think that a few words on interoperability concerns will be helpful.

Second,  and this took the most time, I wrote a single-file C code SHA3 
implementation that should assist with the implementation of SHA3 in 
OpenPGP applications, testing, troubleshooting, and interoperability. 
One feature of this sample is that it follows Init/Update/Finalize (IUF) 
API, which is how OpenPGP uses the message digest. The project is called 
SHA3IUF.

The code is here:

    https://github.com/brainhub/SHA3IUF

To run the sample code:

    $ wget https://raw.githubusercontent.com/brainhub/SHA3IUF/master/sha3.c
    $ gcc -Wall sha3.c -o _ && ./_
    SHA3-256, SHA3-384, SHA3-512 tests passed OK

I hope that a spec and the SHA3IUF sample code will help avoid mistakes, 
such as the one in the above quoted message. All DER prefixes except for 
the SHA3-512 are incorrect. Please use the DER prefixes from the spec.

SHA3 is not the same as Keccak, and the two produce different hash 
values. SHA3IUF helps with other issues, such as how to define the IUF 
state, and how difficult is it to add each SHA3-X algorithm.

Presently the spec excludes SHA3-224, as seems to be a consensus on this 
list.

Please note that presently DSA or ECDSA truncate hashes. A digital 
signature with a DSA key with FIPS 186-3 L=2048 N=224 and a SHA3-256 
hash algorithm has security properties similar to the case when SHA3-224 
hash was used instead. In other words, an application already has a tool 
to use a 224-bit hash via an appropriate DSA/ECDSA key.

RSA signatures have plenty of "free" space for the hash, therefore, it's 
not clear why SHA3-224 would be needed.

Thank you.