IETF Logo Mail Archive

Re: [Cfrg] Finishing Ed448 definition

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 11 December 2015 20:22 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B63101A6F53 for <cfrg@ietfa.amsl.com>; Fri, 11 Dec 2015 12:22:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MCz3qWaSaXlU for <cfrg@ietfa.amsl.com>; Fri, 11 Dec 2015 12:22:19 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 3F4661A6F3E for <cfrg@irtf.org>; Fri, 11 Dec 2015 12:22:19 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 15F4840B; Fri, 11 Dec 2015 22:22:18 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id qQSQt0E-3Y6U; Fri, 11 Dec 2015 22:22:17 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 7BFA2103; Fri, 11 Dec 2015 22:22:17 +0200 (EET)
Date: Fri, 11 Dec 2015 22:22:14 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Bryan Ford <brynosaurus@gmail.com>
Message-ID: <20151211202214.GA5522@LK-Perkele-V2.elisa-laajakaista.fi>
References: <56508C20.7090009@isode.com> <565109E4.7000904@gmail.com> <5655E8F3.8050404@st.com> <87io4pxhkn.fsf@latte.josefsson.org> <32FEDB05-C70E-47EE-A6C3-7FFA982F9BF6@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <32FEDB05-C70E-47EE-A6C3-7FFA982F9BF6@gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/KE9-hlfA7Ikyo-ItdMK_zveE-OU>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Finishing Ed448 definition
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2015 20:22:21 -0000

On Thu, Nov 26, 2015 at 10:32:38AM +0100, Bryan Ford wrote:
> > On Nov 26, 2015, at 9:58 AM, Simon Josefsson <simon@josefsson.org> wrote:
> > 
> > Gilles Van Assche <gilles.vanassche@st.com> writes:
> > 
> >> Hi Bryan,
> >> 
> >> I have a preference for your second proposal "twoshakes-d", for its
> >> domain separation between PureEdDSA and HashEdDSA. This would have the
> >> practical advantage of allowing a single key to be used for both options
> >> (if certified as such), without input clashes at the internal hash level.
> > 
> > That would be nice -- but having Ed25519 and Ed448 differ this
> > significantly would appear like a strange design choice to me.
> 
> I suggest we treat the possibility of "back-porting" domain
> separation to Ed25519 as a separate discussion issue that's
> (mostly) orthogonal to what to do for Ed448 - but with that in
> mind, here are three possible back-porting approaches I considered:
> 
> 1. Direct back-port: just change the Ed25519-based spec to add the
> same 'dom' prefixes to the hash inputs in exactly the same way as
> for Ed448, with the 'SigEd448' changed appropriately to (eg)
> 'SigEd255' or 'SigEd25519'.  Advantage: domain separation features
> completely consistent across the two curves. Disadvantage: breaks
> binary signature compatibility with existing "classic" Ed25519
> signatures. 

I see breaking of backwards compatiblity as a _major_ disadvantage.
There's plenty of high-quality Ed25519 implementations out there
(unlike say for ECDSA) and one would have to modify fair amount of
things.

> 2. Back-port with silent compatibility exception: define the
> Ed25519 sig scheme to do domain separation in the same way as
> Ed448, *except* in the one special case of PureEd25529 with an
> empty context string, in which case the dom prefix becomes empty
> (no domain separation) for backward compatibility with classic
> Ed25519. Advantage: mostly consistent across curves, and backward
> compatible. Disadvantage: hokey special case, and the slight
> security risk that a use of PureEd25519 with empty context string
> being confused with a domain-separated use of Ed25519. 

That would at least allow using existing implementations. However,
there would still be practical obstacles to using the contexts.

Not that contexts would be easy to use even with primitive
designed for those from the start.

> 3. Back-port directly as in #1, so both PureEd* and HashEd*
> are always domain separsted and incompatible with classic Ed25519,
> but define an additional eg 'BareEd25519' scheme variant just for
> backward compatibility with non-domain-separsted classic Ed25519.
> Encourage all new applications/protocols to use PureEd* or BareEd*
> while defining BareEd25519 as being available for legacy
> compatibility. 

Pretty much suffers the same problems as #2.


-Ilari

v2.23.0 | Report a Bug | By Email