Re: [TLS] draft-ietf-tls-batch-signing
Benson Muite <benson_muite@emailplus.org> Sun, 13 November 2022 18:31 UTC
Return-Path: <benson_muite@emailplus.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6A16C14CF09 for <tls@ietfa.amsl.com>; Sun, 13 Nov 2022 10:31:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=emailplus.org header.b=VpLmkfnJ; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=b75xjkd8
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KgmPOBxf-Ajn for <tls@ietfa.amsl.com>; Sun, 13 Nov 2022 10:31:40 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE0C2C14F74E for <tls@ietf.org>; Sun, 13 Nov 2022 10:31:40 -0800 (PST)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 8A06A5C0046 for <tls@ietf.org>; Sun, 13 Nov 2022 13:31:39 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Sun, 13 Nov 2022 13:31:39 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emailplus.org; h=cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1668364299; x= 1668450699; bh=AZEKuzbNuEjxvrLlTzSHMLXAJfPzK580xXTBD7+rsZs=; b=V pLmkfnJLumOrLIpU97dxe41XAOnsS163MElPk4pQYvtQECCPxUYP4bGSwnvKobAm n2Vw4yQvA+rEwBZc58fjXyUA24YvynI2+qUQqbQ76VnTcmG02pxt0Zu3usE1sIg1 sWcHyiWFGVSpWOVg3bNxg3v2TIXqZ3FTOK2OXIbTUvitrLksyQriuDz2qc91eRcW TUM1LaGQc2OLwJBop7bMBUPa2tKcmdxaxCNvkc8ZT4GL39GeBzzvxKBbjsfGLYVe eNtK3aw7lCOaarV8ibT9eUk1NPFxf0TtXxWCPloC43dJ7cJDmhNxlx+czCTeCeUp rHnLX3HOa4HduOLLIa4HA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:feedback-id:feedback-id:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; t=1668364299; x=1668450699; bh=A ZEKuzbNuEjxvrLlTzSHMLXAJfPzK580xXTBD7+rsZs=; b=b75xjkd89DlVJWSJX XTINw/fZ2PlG4G41p2CNq4clqxAhvOpw27Kcd+RFPP0rL2HQQf5GzdYN46CjUbLe jrmA947H3gtBLsztjHaaYbtuiczsIgyGsVCYmHNSAS66una9YWn0LZwK+JRPeyfQ A+4byWYDgX0Q9/dn1Ijs1TyHywNSqgA5i8Kxti25SLoTQ88QG88N9QtsCPqrb3YP Rpry9IWgdjLoB8XaHQNwA95YyyRZ7cG+wV8iEMAlj91xZZlDMoSx5Js0BUvWnDO+ bm+8EUEZMyIU5L2r9tLGlhkptp1fK3JE0lO2udUWW5cCs8+at5N4IZybbJp6HGAJ pe7Ww==
X-ME-Sender: <xms:CzhxY9tb42nM18_Iq43Hg0nYULTyXF8ouTXbQknho1NOmrqtJtY1aA> <xme:CzhxY2f6LjqPiH-EKf9X8urLpQA8CpEDCZhi4WdsjvEcjw9nulMK0NmG9nDafDkEz OGFwS_Qg8WKFCtd>
X-ME-Received: <xmr:CzhxYwyATRtM2sxE7fwfmMr-cn5-dd7a-GtiYUj6E301qmodVC_7j0Dzujoc_EFLILI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvgedrgedtgdduudehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfvfhfhufgjtgfgsehtje ertddtfeejnecuhfhrohhmpeeuvghnshhonhcuofhuihhtvgcuoegsvghnshhonhgpmhhu ihhtvgesvghmrghilhhplhhushdrohhrgheqnecuggftrfgrthhtvghrnhepudfhgfefff dvkeehgeehteeuiedvheevveevvdetgefhvedutdekgedtffethfefnecuffhomhgrihhn pehirggtrhdrohhrghdpihgvthhfrdhorhhgpdhrfhgtqdgvughithhorhdrohhrghenuc evlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegsvghnshho nhgpmhhuihhtvgesvghmrghilhhplhhushdrohhrgh
X-ME-Proxy: <xmx:CzhxY0O5_fgfGinyHJNWfypTrLItrYaXM-uvcYoMiBBd0nxzmD_91Q> <xmx:CzhxY9_XgRhFzwAUZG4X2jVfShsdxL8PorX39o5tVre4OKHp6GwIeA> <xmx:CzhxY0XgtftY8tvkx60FsgPfR5A54MSNsVi5Pl9vwoER3-sEZbN9Rw> <xmx:CzhxYyJzO0caAhHu_9eNOB2vk-VIThRPCohwlHPoOKcrZ7X0bkKSRg>
Feedback-ID: ic1e8415a:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <tls@ietf.org>; Sun, 13 Nov 2022 13:31:38 -0500 (EST)
Message-ID: <61565490-4f86-e140-f37d-a217152729fa@emailplus.org>
Date: Sun, 13 Nov 2022 21:31:35 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.1
Content-Language: en-US
To: tls@ietf.org
References: <cde980b6-79c0-4da2-292e-90dd561e3c59@emailplus.org> <Y20S+oYC5GL/afIU@LK-Perkele-VII2.locald>
From: Benson Muite <benson_muite@emailplus.org>
In-Reply-To: <Y20S+oYC5GL/afIU@LK-Perkele-VII2.locald>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Sg8YAintmEJGE41c4E3jZil3ZIg>
Subject: Re: [TLS] draft-ietf-tls-batch-signing
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2022 18:31:45 -0000
On 11/10/22 18:04, Ilari Liusvaara wrote: > On Thu, Nov 10, 2022 at 02:29:38PM +0300, Benson Muite wrote: >> The above draft has expired. However, if there is still interest in >> it, the EdDSA specification will need to be updated based on findings >> in [1] and [2]. An erratum to [3] has been filed [4]. Libsodium seems >> to offer best checks for batch verification. Currently testing other >> libraries that offer support for EdDSA. >> >> 1) Chalkias, Garillot, and Nikolaenko "Taming the many EdDSAs" >> https://eprint.iacr.org/2020/1244 >> >> 2) Brendel, Cremers, Jackson, and Zhao "The Provable Security of >> Ed25519: Theory and Practice" https://eprint.iacr.org/2020/823 >> >> 3) https://datatracker.ietf.org/doc/html/rfc8032 >> >> 4) https://www.rfc-editor.org/errata_search.php?rfc=8032&rec_status=0 > > Note that the mention of "batch" in [1] is about batch verification, > which is unrelated to TLS batch signing. And as far as I know, the > problems with implementations only concern beyond-standard-model > security of Ed25519, which TLS does not rely upon (since TLS works > with ECDSA, which is much worse). Ok. Thanks for clarifying. > > IIRC, the only check that RFC 8032 omits is checking that all of > X^2, Y^2 and X^2+Y^2 for both R and A are nonzero (for Ed448, > X^2+Y^2 is always nonzero). Adoption of Ed25519 seems to be growing, with most applications using a small set of libraries. Maybe it is helpful to have this check, or allow for a legacy and strict mode as done in Dalek? > > > However, there is unrelated security problem with the way the TLS batch > signing draft uses Ed25519 (and Ed448): There is leaf salt, but it does > not salt the innermost hash, degrading security. > > > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] draft-ietf-tls-batch-signing Benson Muite
- Re: [TLS] draft-ietf-tls-batch-signing Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-batch-signing Benson Muite
- Re: [TLS] draft-ietf-tls-batch-signing Sean Turner