On Mon, Nov 23, 2015 at 01:16:35PM -0800, Martin Thomson wrote:
> 
> Are we happy that we will only be needing the PureEdDSA variants and
> that no-one will be asking for the HashEdDSA versions?  I ask because
> I've heard it suggested (I think Karthik mentioned this) that we might
> want to sign the transcript directly in TLS 1.3 rather than rely on
> collision-resistance of the selected hash function.  That would be
> harder without access to HashEdDSA.

Also, one problem with signing the transcript directly is that because
of the context prefixes, one would either have to buffer all messages
or compute multiple hashes.

It is made worse by the fact that some hashes and signatures don't
mix very well. For example, trying to use SHA-512 with ECDSA is not a
good idea[1] (and nobody knows yet what the heck X448ph will use[2]).

Also, does the present 1-RTT construct in fact rely on
collision-resistance of the prf-hash?


[1] Well, it would be a good idea with ECDSA/P-521, but who uses
that?


[2] Proposals so far have included:
- SHA-512
- SHA3-512 (whee, SLOW)
- Shake256@512b (not a hash, but cryptographically looks OK).
- Shake256@512b with some prefixing.
(That's just including the ones in more formal proposing, not
the earlier more handwavy proposals).


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls