IETF Logo Mail Archive

Re: [TLS] Early code point assignments for 25519/448 curves

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 23 November 2015 22:08 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1CB51B3B04 for <tls@ietfa.amsl.com>; Mon, 23 Nov 2015 14:08:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Md170xHzfSQa for <tls@ietfa.amsl.com>; Mon, 23 Nov 2015 14:08:12 -0800 (PST)
Received: from filtteri5.pp.htv.fi (filtteri5.pp.htv.fi [213.243.153.188]) by ietfa.amsl.com (Postfix) with ESMTP id 5E2051B3B02 for <tls@ietf.org>; Mon, 23 Nov 2015 14:08:12 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by filtteri5.pp.htv.fi (Postfix) with ESMTP id 1A6CB5A6535; Tue, 24 Nov 2015 00:07:54 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp5.welho.com ([213.243.153.39]) by localhost (filtteri5.pp.htv.fi [213.243.153.188]) (amavisd-new, port 10024) with ESMTP id c6yED6g7XYWt; Tue, 24 Nov 2015 00:07:53 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp5.welho.com (Postfix) with ESMTPSA id 6AE4B5BC003; Tue, 24 Nov 2015 00:08:11 +0200 (EET)
Date: Tue, 24 Nov 2015 00:08:10 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20151123220810.GA15073@LK-Perkele-V2.elisa-laajakaista.fi>
References: <385E6AFF-52C3-4E40-A69F-178602A449A7@sn3rd.com> <45D7CFCA-1ABE-4123-9E27-4DB5B8B6D9DA@gmail.com> <CABkgnnX15PcEByT2-Q9eS2d5o1C_WfQ2VUJ30iGN_N1BX1WuXQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CABkgnnX15PcEByT2-Q9eS2d5o1C_WfQ2VUJ30iGN_N1BX1WuXQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Vacd4lBsoqLldTNbIKPbPYKIaUk>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Early code point assignments for 25519/448 curves
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2015 22:08:15 -0000

On Mon, Nov 23, 2015 at 01:16:35PM -0800, Martin Thomson wrote:
> On 23 November 2015 at 12:56, Yoav Nir <ynir.ietf@gmail.com> wrote:
> > It’s been suggested that as long as the CFRG signature curves
> > document is not finalized, we should wait with the eddsa_* ones.
> > I don’t believe so. Anything in any draft is subject to change up
> > to the time it’s published [...]
> 
> In your opinion, do you see the semantics of the codepoints changing
> in any meaningful way?  It's one thing to say "accept the risks", but
> if anyone thinks that there are necessary changes forthcoming, that
> would give me pause.  If everyone says that it's highly unlikely, I'm
> supportive of the notion that we get a codepoint.

My personal view is (I haven't asked Simon about this) is that:
- Ed25519 is currently technically stable. There seems to be consensus
  not change it in any way that would break verification.
- Ed448 is unimplementable right now due to two missing functions.
- Once those two are missing (there is call for proposals this
  week) functions are decided, Ed448 should become technically
  stable.

> Are we happy that we will only be needing the PureEdDSA variants and
> that no-one will be asking for the HashEdDSA versions?  I ask because
> I've heard it suggested (I think Karthik mentioned this) that we might
> want to sign the transcript directly in TLS 1.3 rather than rely on
> collision-resistance of the selected hash function.  That would be
> harder without access to HashEdDSA.

I would say that using HashEdDSA is a bad idea in that case. HashEdDSA
has fixed "prehash" function and if that hash breaks, the HashEdDSA
scheme breaks (the same is not true w.r.t. hash function for PureEdDSA).

Also, the prehashes might not be the same for Ed25519ph and Ed448ph,
plus I consider interfaces that let one use this dangerous (IUF
signing is dangerous!).

If one wants to have the entiere transcript signed in reasonable way,
one would have to implement hash firewalling at TLS level and require
PureEdDSA.

If doing that, might also be good idea to throw a prefix that screws 
many formats ('1E 80 00 00' might be one, it should screw at least ASN.1,
JSON and CBOR).


Also, the absence of indication of PRF hash in the signed data[1] bugs
me, since I need to assume CCR (CR of both hashes does not imply CCR)
in order to show security.




[1] Heck, that indication was in my original proposal (I didn't
quite understand its significance back then).




-Ilari

v2.23.0 | Report a Bug | By Email