Re: [TLS] Strawman on EdDSA/Ed25519 in TLS

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 29 June 2015 08:42 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E89841A1ABC for <tls@ietfa.amsl.com>; Mon, 29 Jun 2015 01:42:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xgrpWatVze4 for <tls@ietfa.amsl.com>; Mon, 29 Jun 2015 01:42:15 -0700 (PDT)
Received: from emh02.mail.saunalahti.fi (emh02.mail.saunalahti.fi [62.142.5.108]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 742681A1AA9 for <tls@ietf.org>; Mon, 29 Jun 2015 01:42:15 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh02.mail.saunalahti.fi (Postfix) with ESMTP id 9DB4D8183C; Mon, 29 Jun 2015 11:42:12 +0300 (EEST)
Date: Mon, 29 Jun 2015 11:42:12 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Simon Josefsson <simon@josefsson.org>
Message-ID: <20150629084212.GA13762@LK-Perkele-VII>
References: <544B0DD62A64C1448B2DA253C011414615B1DD55AC@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <87zj3lauyl.fsf@latte.josefsson.org> <20150627181305.GA27513@LK-Perkele-VII> <87oajzaqg7.fsf@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <87oajzaqg7.fsf@latte.josefsson.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/P6u42ejR3gs1MNQBfc5s5FT4pzU>
Cc: "tls@ietf.org" <tls@ietf.org>, Rick Andrews <Rick_Andrews@symantec.com>
Subject: Re: [TLS] Strawman on EdDSA/Ed25519 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2015 08:42:18 -0000

On Mon, Jun 29, 2015 at 10:06:48AM +0200, Simon Josefsson wrote:
> Ilari Liusvaara <ilari.liusvaara@elisanet.fi> writes:
> 
> > On Sat, Jun 27, 2015 at 08:04:50PM +0200, Simon Josefsson wrote:
> >> 
> >> 1.3.101.1     EdDSA Ed25519 PKIX public keys
> >> 1.3.101.2     EdDSA Ed25519 PKIX signatures
> >> 1.3.101.3     EdDSA Ed448 PKIX public keys
> >> 1.3.101.4     EdDSA Ed448 PKIX signatures
> >> 1.3.101.5     EdDSA Curve41417 PKIX public keys
> >> 1.3.101.6     EdDSA Curve41417 PKIX signatures
> >> 1.3.101.7-16  <<Reserved for EdDSA with other TBD curves>>
> >
> > AFAIK, Ed448 and Curve41417 do not meet defintion of curve by EdDSA.
> >
> > And what hash would those use (I presume Ed25519 would use SHA-512)?
> 
> I believe details for EdDSA with other curves will be available shortly,
> and allocating an OID now will save us some time.

Well, I think that defining serialization of points + basepoints[1] for
Curve41417 and Ed448 together with with hash used[2] would be enough for
interop[3].

However, that will not be the CFRG signature scheme, whatever it is.


[1] The basepoint is clear for Curve41417. However, for Ed448, there
are two different basepoints:

1) The original basepoint from Ed448-Goldilocks:

x=0x297ea0ea2692ff1b4faff46098453a6a26adf733245f065c3c59d0709cecfa96147eaaf3932d94c63d96c170033f4ba0c7f0de840aed939f
y=0x13

2) Inverted (not dual) isogeny point to Curve448 basepoint:

x=0xB0E68F399412F212DDE2EA59DD40C92561EB9A8FB8F0E89815921CDA5C2C5B9BED51E508D5499AEEBCC47F1E74FF6C71D9D957D438F33FA1
y=0x693F46716EB6BC248876203756C9C7624BEA73736CA3984087789C1E05A0C2D73AD3FF1CE67C39C4FDBD132C4ED7C8AD9808795BF230FA14

This point B' has the property that (y/x)^2 of nth scalar multiple is
the nth scalar multiple of Curve448 basepoint (u=5). Which would
be handy if also working on Curve448, as fixed-base multiplier with
that point as base could be used to accelerate Curve448 key generation.

(One can see that (y/x)^2 of point given is 5).


[2] AFAICT:

- Near-PoT order -> At least 64 bits more than order.
- Otherwise -> maximum of 5/4 of order bits or 64 more.

All three curves have near-pot orders, so limits by that rule
would be:

Curve25519: >=317 bits (>=40 bytes)
Curve41417: >=475 bits (>=60 bytes)
Curve448: >=510 bits (>=64 bytes)

All three limits are less than 512, so 512-bit hash like SHA-512 would
work.


[3] Where interop means defining what verifier accepts, but not specifics
of signing.



-Ilari