[openpgp] Ed25519 and digest choices (issue 31)

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 21 May 2021 17:49 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
Date: Fri, 21 May 2021 13:48:56 -0400
Message-ID: <878s48dlkn.fsf@fifthhorseman.net>
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/YBCZLnSdDBoa4L6JUE_cXKObVcg>

Over on https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/31, jethrogb
writes:

> Appendix A contains an example for EdDSA. The example states that the
> hash function used is SHA2-256. The example also states that the curve
> used is 2b06010401da470f01, which is defined as “Ed25519” elsewhere in
> the draft. However, RFC 8032 specifies Ed25519 as an instantiation of
> EdDSA with specific parameters, one of which is that H is SHA2-512 and
> PH (in the ph case) is SHA2-512. Is it the intention that OpenPGP
> implements not Ed25519 but some other form of EdDSA? If yes, this
> should be called out explicitly in the text and it shouldn't be called
> Ed25519. If no, the example needs to be updated and it would probably
> be good to explicitly call out Ed25519ph in section 14.8.

How does the WG think this should be resolved?

I intend to sign this message with an EdDSA signature from a Curve25519
key, but it will likely use SHA2-256 as the OpenPGP digest choice (in
the EdDSA RFC 8032 framing, that would be the pre-hash "PH" parameter to
EdDSA).  This would mean that we are *not* using Ed25519ph, since
OpenPGP permits variance of the PH parameter.

One approach would be to clarify that OpenPGP signatures made with
Ed25519 SHOULD use SHA2-512 as the OpenPGP digest, which I believe would
align it with Ed25519ph.  But there would still be existing signatures
out there (like the one signing this message) which would use SHA2-256,
and it's hard to say that signature verifiers should reject those
signatures.

Alternately, maybe we should instead reframe OpenPGP's use of Ed25519 as
a "PureEdDSA" scheme that signs only the OpenPGP digest (not the signed
data directly).  That bypasses the "PH" parameter, but it also means
that any cryptanalysis that is applied to EdDSA isn't necessarily
applicable to OpenPGP, because we have this additional step involved.

Either way, it seems that we need to clarify the standard.

       --dkg
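
An added illustration of the two framings discussed in this message, not code from the message or the draft: a standard-library Python Ed25519 following the RFC 8032 arithmetic, used to compare PureEdDSA over an OpenPGP-style digest with Ed25519ph (PH = SHA2-512 plus the RFC 8032 dom2 prefix). Assumptions: the function names are hypothetical, the OpenPGP digest is simplified to a hash of the data alone (a real signature also hashes signature-packet fields), and verify takes the public key as a curve point to avoid decompression code.

```python
import hashlib
# edwards25519 constants from RFC 8032 section 5.1
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493      # group order
d = -121665 * pow(121666, p - 2, p) % p
Bx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
By = 46316835694926478169428394003475163141307993866256225615783033603165251855960
B = (Bx, By, 1, Bx * By % p)                              # base point (X, Y, Z, T)
DOM2_PH = b"SigEd25519 no Ed25519 collisions" + bytes([1, 0])  # phflag=1, empty ctx

def H(b): return hashlib.sha512(b).digest()   # EdDSA's internal hash, always SHA-512
def le(b): return int.from_bytes(b, "little")

def add(P, Q):                                # unified addition, extended coordinates
    a, b = (P[1]-P[0]) * (Q[1]-Q[0]) % p, (P[1]+P[0]) * (Q[1]+Q[0]) % p
    c, e = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    E, F, G, K = b - a, e - c, e + c, b + a
    return (E*F % p, G*K % p, F*G % p, E*K % p)
def mul(s, P):                                # double-and-add (not constant time)
    Q = (0, 1, 1, 0)
    while s:
        if s & 1: Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q
def enc(P):                                   # 32-byte point encoding
    zi = pow(P[2], p - 2, p)
    x, y = P[0] * zi % p, P[1] * zi % p
    return (y | (x & 1) << 255).to_bytes(32, "little")
def keypair(seed):                            # -> (scalar, prefix, public point)
    h = H(seed)
    a = le(h[:32]) & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:], mul(a, B)

def sign(seed, msg, dom=b""):                 # dom=b"" is plain (Pure) Ed25519
    a, prefix, A = keypair(seed)
    r = le(H(dom + prefix + msg)) % L
    R = enc(mul(r, B))
    k = le(H(dom + R + enc(A) + msg)) % L
    return R + ((r + k * a) % L).to_bytes(32, "little")
def verify(A, msg, sig, dom=b""):             # A is a point; checks sB - kA == R
    R, s = sig[:32], le(sig[32:])
    k = le(H(dom + R + enc(A) + msg)) % L
    negA = (-A[0] % p, A[1], A[2], -A[3] % p)
    return s < L and enc(add(mul(s, B), mul(k, negA))) == R

# Simplified OpenPGP framing: PureEdDSA over a digest chosen by the signer.
def openpgp_style_sign(seed, data, digest="sha256"):
    return sign(seed, hashlib.new(digest, data).digest())
# RFC 8032 Ed25519ph: PH fixed to SHA-512, and dom2 mixed into both hashes.
def ed25519ph_sign(seed, data):
    return sign(seed, H(data), DOM2_PH)
```

With the same key and data, the three signatures differ, and a PureEdDSA signature over a SHA2-512 digest does not verify under the Ed25519ph rules (or the reverse) because of the dom2 prefix.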