On 11/10/22 18:04, Ilari Liusvaara wrote:
> On Thu, Nov 10, 2022 at 02:29:38PM +0300, Benson Muite wrote:
>> The above draft has expired.  However, if there is still interest in
>> it, the EdDSA specification will need to be updated based on findings
>> in [1] and [2]. An erratum to [3] has been filed [4]. Libsodium seems
>> to offer the best checks for batch verification. Currently testing other
>> libraries that offer support for EdDSA.
>>
>> 1) Chalkias, Garillot, and Nikolaenko "Taming the many EdDSAs"
>> https://eprint.iacr.org/2020/1244
>>
>> 2) Brendel, Cremers, Jackson, and Zhao "The Provable Security of
>> Ed25519: Theory and Practice" https://eprint.iacr.org/2020/823
>>
>> 3) https://datatracker.ietf.org/doc/html/rfc8032
>>
>> 4) https://www.rfc-editor.org/errata_search.php?rfc=8032&rec_status=0
>
> Note that the mention of "batch" in [1] is about batch verification,
> which is unrelated to TLS batch signing. And as far as I know, the
> problems with implementations only concern beyond-standard-model
> security of Ed25519, which TLS does not rely upon (since TLS works
> with ECDSA, which is much worse).

Ok. Thanks for clarifying.

> IIRC, the only check that RFC 8032 omits is checking that all of
> X^2, Y^2 and X^2+Y^2 for both R and A are nonzero (for Ed448,
> X^2+Y^2 is always nonzero).

Adoption of Ed25519 seems to be growing, with most applications using a
small set of libraries. Maybe it is helpful to have this check, or allow
for a legacy and strict mode as done in Dalek?

> However, there is an unrelated security problem with the way the TLS batch
> signing draft uses Ed25519 (and Ed448): There is leaf salt, but it does
> not salt the innermost hash, degrading security.
>
> -Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
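The check Ilari describes (X^2, Y^2 and X^2+Y^2 nonzero for the decoded R and A), written out as an added example in pure Python. This is not code from the thread, from RFC 8032 or from any library; the point decoding follows RFC 8032 section 5.1.3 and the constants p, d, L and the base point are RFC 8032's, while all function names are this example's own. The test vectors are constructed by the code itself: it decodes points with small y, multiplies by L to strip the prime-order component, and so obtains the eight points of order dividing 8. Working through the doubling formula for a = -1, x = 0 gives order 1 or 2, y = 0 gives order 4, and x^2 + y^2 = 0 means the doubled point has y = 0, i.e. order 8, so the three conditions together flag exactly that torsion subgroup and nothing else; the example verifies this numerically rather than asking the reader to take the derivation on trust.

```python
# Added example, not code from the thread, RFC 8032 or any library: RFC 8032
# point decoding for Ed25519 plus the small-order check discussed above.
# Curve arithmetic is affine and unoptimised (an inversion per coordinate),
# which is fine for a demonstration but not for production use.

p = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point B
d = (-121665 * pow(121666, p - 2, p)) % p               # curve constant -121665/121666
SQRT_M1 = pow(2, (p - 1) // 4, p)                      # sqrt(-1) mod p (p = 5 mod 8)
IDENTITY = (0, 1)                                      # neutral element of the group


def decode_point(enc):
    """RFC 8032 5.1.3: 32 bytes, little-endian y, sign of x in the top bit.
    Returns (x, y) or None when the encoding is not a point on the curve."""
    y = int.from_bytes(enc, "little")
    sign = y >> 255
    y &= (1 << 255) - 1
    if y >= p:
        return None                                    # non-canonical y
    u = (y * y - 1) % p                                # x^2 = u / v
    v = (d * y * y + 1) % p
    x = (u * pow(v, 3, p)) % p
    x = (x * pow((u * pow(v, 7, p)) % p, (p - 5) // 8, p)) % p
    if (v * x * x - u) % p != 0:
        x = (x * SQRT_M1) % p                          # other candidate root
        if (v * x * x - u) % p != 0:
            return None                                # u/v is not a square
    if x == 0 and sign == 1:
        return None
    if (x & 1) != sign:
        x = p - x
    return (x, y)


def encode_point(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def add(P, Q):
    """Unified twisted-Edwards addition (a = -1); complete because d is non-square."""
    x1, y1 = P
    x2, y2 = Q
    t = (d * x1 * x2 * y1 * y2) % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p)
    return (x3 % p, y3 % p)


def mul(k, P):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def is_small_order(P):
    """The check from the thread: reject (x, y) if x^2, y^2 or x^2 + y^2 is
    zero mod p.  x = 0 gives order 1 or 2, y = 0 gives order 4, and
    x^2 + y^2 = 0 gives order 8 (the doubled point then has y = 0), so this
    flags exactly the eight points whose order divides 8.  A verifier would
    apply it to both R and A after decoding."""
    x, y = P
    return x == 0 or y == 0 or (x * x + y * y) % p == 0


# Base point B = (x, 4/5) with x even, as defined in RFC 8032.
B = decode_point(((4 * pow(5, p - 2, p)) % p).to_bytes(32, "little"))


def torsion_points():
    """Constructed test vectors: decode points with small y, multiply by L to
    strip the prime-order component, and use the first result of order 8 to
    generate the torsion subgroup.  Returns [0*T, 1*T, ..., 7*T]."""
    for y in range(2, 1000):
        P = decode_point(y.to_bytes(32, "little"))     # top bit 0 -> even x
        if P is None:
            continue
        T = mul(L, P)                                  # order divides 8
        if mul(4, T) != IDENTITY:                      # order is exactly 8
            return [mul(k, T) for k in range(8)]
    raise RuntimeError("no point of order 8 found")


if __name__ == "__main__":
    assert mul(L, B) == IDENTITY                       # sanity check of the arithmetic
    print("B flagged as small order:", is_small_order(B))
    for k, T in enumerate(torsion_points()):
        print(f"{k}*T flagged={is_small_order(T)} enc={encode_point(T).hex()}")
    # Mixed-order points (B plus a torsion point) are not flagged: the check
    # only rejects the torsion subgroup itself, which is all it is meant to do.
```

Running the block prints the eight encodings the check rejects, which can be compared against whatever blacklist or strict mode a given library implements. The check is deliberately separate from decoding: a library that wants a Dalek-style legacy mode can keep RFC 8032 decoding unchanged and make the small-order rejection the only thing the strict mode adds.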
