As you might know, CFRG has been working on new curves (the document has been sent to IRSG) and is working on signatures (main issues seem to be selecting prehash for prehashed version of 448-bit signatures and KDF for 448-bit signatures).
I have been thinking how to integrate this work into TLS.

Diffie-Hellman:
---------------

There is already a WG draft about this. The one remaining technical issue seems to be whether to share the curves with signatures or dedicate those for DH.

I propose dedicating the codepoints (like the draft currently does). The complexity of implementing signatures is significantly above the complexity of implementing ECDH. This is magnified by the differences between the signature primitives (one is based on SHA-512, the other on some still-TBD KDF). It is not like there is an imminent shortage of curve codepoint space, as we have >64,000 codepoints free.

There's also the editorial issue of tracking the renaming of the DHFs in CFRG-CURVES (Curve25519->X25519 and similarly for Curve448).

Signatures:
-----------

The base algorithm for signature work is EdDSA. It looks like Ed25519 is standardized as-is (at least compatible enough for existing verifiers to be used). Then there is a version that first does SHA-512. For the 448-bit versions, the KDF and the prehash to be done first (for the version that does prehashing) are TBD.

So, there are four primitives: Ed25519, Ed25519ph, Ed448 and Ed448ph. And keys MUST NOT be mixed between those.

I propose the following:

- EdDSA uses one SignatureAlgorithm value (5?[1]).
- There will be new curves for EdDSA, one for Ed25519/Ed25519ph and another for Ed448/Ed448ph.
- If there is ever an EdDSA instantiation with the Edwards448 curve (the same one Ed448 uses) with another KDF, it gets a new curve distinct from Ed448/Ed448ph.
- The HashAlgorithm is always 0, or the HashAlgorithm is always 0 or the value matching the prehash (but the prehash is always done once[2]). [TBD: resolve this]
- To be useful, one needs a PKIX SPKI representation for the keys. There is a draft about that, to be progressed via other channels (Security area presumably, as the PKIX WG is no more).

[1] TLS 1.3 introduces one new value for RSA-PSS (which is IIRC marked as 4 in the spec).
[2] Technically Ed25519 and Ed448 do have a prehash function PH, it just is the identity function.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
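As an added illustration (not part of Ilari's post, and not code from any TLS or CFRG draft), here is a small pure-Python Ed25519/Ed25519ph implementation. The post predates RFC 8032; the encoding assumed below, including the domain-separation prefix for the prehashed variant, is the one that RFC later fixed, and Ed448 is not covered. It shows the point behind footnote [2] and the "keys MUST NOT be mixed" rule: Ed25519ph applies PH = SHA-512 exactly once and then signs the digest under a distinct domain separator, so a pure Ed25519 signature over SHA-512(m) and an Ed25519ph signature over m made with the same key do not verify under each other's algorithm. The RFC 8032 test vector for the pure variant serves as a check of the arithmetic; the code is variable-time reference code for studying the encoding, not for handling real keys.

```python
import hashlib

# edwards25519 parameters (RFC 8032 section 5.1). The post predates RFC 8032; the
# encoding below, including the Ed25519ph domain separator, follows that RFC.
p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = (-121665 * pow(121666, p - 2, p)) % p
SQRT_M1 = pow(2, (p - 1) // 4, p)                   # a square root of -1 mod p

def recover_x(y, sign):
    # Solve x^2 = (y^2 - 1)/(d*y^2 + 1); pick the root with the requested parity.
    xx = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * SQRT_M1 % p
    if (x * x - xx) % p:
        return None                                 # y is not on the curve
    return p - x if (x & 1) != sign else x

By = 4 * pow(5, p - 2, p) % p
Bx = recover_x(By, 0)
B = (Bx, By, 1, Bx * By % p)   # extended coordinates (X, Y, Z, T): x=X/Z, y=Y/Z, T=XY/Z

def point_add(P, Q):
    # Unified add/double formula; complete on this curve, so no special cases.
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    Bv = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * d * P[3] * Q[3] % p
    D = 2 * P[2] * Q[2] % p
    E, F, G, H = Bv - A, D - C, D + C, Bv + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)

def point_mul(s, P):
    Q = (0, 1, 1, 0)                                # neutral element
    while s:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q

def point_compress(P):
    z = pow(P[2], p - 2, p)
    x, y = P[0] * z % p, P[1] * z % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def point_decompress(s):
    v = int.from_bytes(s, "little")
    y, x = v & ((1 << 255) - 1), recover_x(v & ((1 << 255) - 1), v >> 255)
    return None if x is None else (x, y, 1, x * y % p)

def sha512_modq(m):
    return int.from_bytes(hashlib.sha512(m).digest(), "little") % q

def dom2(phflag, context):
    # Empty for pure Ed25519; fixed prefix + flag + context for Ed25519ph.
    if phflag == 0 and not context:
        return b""
    return b"SigEd25519 no Ed25519 collisions" + bytes([phflag, len(context)]) + context

def secret_expand(secret):
    h = hashlib.sha512(secret).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]                                # clamped scalar, nonce prefix

def secret_to_public(secret):
    return point_compress(point_mul(secret_expand(secret)[0], B))

def sign(secret, msg, phflag=0, context=b""):
    a, prefix = secret_expand(secret)
    A, dom = point_compress(point_mul(a, B)), dom2(phflag, context)
    r = sha512_modq(dom + prefix + msg)
    R = point_compress(point_mul(r, B))
    s = (r + sha512_modq(dom + R + A + msg) * a) % q
    return R + s.to_bytes(32, "little")

def verify(public, msg, sig, phflag=0, context=b""):
    if len(public) != 32 or len(sig) != 64:
        return False
    A, R = point_decompress(public), point_decompress(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if A is None or R is None or s >= q:
        return False
    h = sha512_modq(dom2(phflag, context) + sig[:32] + public + msg)
    return point_compress(point_mul(s, B)) == point_compress(point_add(R, point_mul(h, A)))

# Ed25519ph: PH = SHA-512 is applied exactly once, then the digest is signed under dom2.
def sign_ph(secret, msg, context=b""):
    return sign(secret, hashlib.sha512(msg).digest(), 1, context)
def verify_ph(public, msg, sig, context=b""):
    return verify(public, hashlib.sha512(msg).digest(), sig, 1, context)

def cross_check(secret, msg):
    # Same key, same digest: a pure signature and a ph signature must not cross-verify.
    pub, digest = secret_to_public(secret), hashlib.sha512(msg).digest()
    pure_sig, ph_sig = sign(secret, digest), sign_ph(secret, msg)
    return {"pure_ok": verify(pub, digest, pure_sig), "ph_ok": verify_ph(pub, msg, ph_sig),
            "ph_as_pure": verify(pub, digest, ph_sig), "pure_as_ph": verify_ph(pub, msg, pure_sig)}
```

`cross_check` is the part that matters for the codepoint discussion: a verifier that knows only the curve and a HashAlgorithm value cannot tell from the key which of the two variants a peer used, which is why the proposal binds the variant to the algorithm identity rather than letting keys float between Ed25519 and Ed25519ph.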