cfrg / draft-irtf-cfrg-det-sigs-with-noise


Suggestion from Bernstein - Allow switching order of Z and "prefix" #3

Closed emanjon closed 6 months ago

emanjon commented 7 months ago

https://mailarchive.ietf.org/arch/msg/cfrg/GRigAYvZ8-Z8qmxJ1jOiKR8eLyQ/

Compute SHA-512(dom2(F, C) || Z || prefix || 000... || PH(M)),

Also, two useful rules of thumb regarding input concatenations (for motivating attacks see, e.g., Crypto 1995 Preneel--van Oorschot):

  1. Never put a variable-length input anywhere but last. Previous positions can have fixed-length hashes of other variable-length inputs.
  2. Put whatever is least likely to be attacker-predictable first.

Both Z and "prefix" are less likely to be attacker-predictable than C; scenarios where RNG failures are the top threat should put "prefix" first, while scenarios where side channels are the top threat (which seems to be the scenario under discussion) should put Z first.

---D. J. Bernstein

cjpatton commented 6 months ago

I think it would be reasonable for the draft to spell out each variant, but this would come at some editorial cost. I think I would tackle this by trying to understand where the advice comes from:

  1. Put whatever is least likely to be attacker-predictable first.

This sounds sensible in general, but why does it apply here?

emanjon commented 6 months ago

As discussed in the meeting, putting Z before the random prefix was done so as not to have any collisions between variants. Unclear if this is needed, but it is a design principle in RFC 8032, so we will try to follow that.

There seems to be agreement in the CFRG session at IETF 119 to focus on side-channel attacks and only have one variant.
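The nonce derivation quoted in the first comment, with both orderings (Z first, as the thread settles on, and "prefix" first, as Bernstein suggests for the RNG-failure case), as an added illustration that is not the draft's or the issue authors' code. dom2(F, C) follows RFC 8032; the 32-octet Z, the zero padding up to the next SHA-512 block boundary, and PH being SHA-512 only for the prehash variant (F = 1) are assumptions made here to get a runnable example.

```python
import hashlib
import secrets

L = 2**252 + 27742317777372353535851937790883648493  # Ed25519 group order (RFC 8032)
BLOCK = 128  # SHA-512 block size in octets


def dom2(flag: int, context: bytes) -> bytes:
    """dom2(F, C) as in RFC 8032 section 5.1; empty for pure Ed25519 (F = 0, no context)."""
    if flag == 0 and not context:
        return b""
    if len(context) > 255:
        raise ValueError("context must be at most 255 octets")
    # Fixed-length tag, then F, then the length of C, then C: C is variable-length
    # but length-prefixed, so a later field cannot be confused with part of it.
    return b"SigEd25519 no Ed25519 collisions" + bytes([flag, len(context)]) + context


def hedged_nonce(prefix: bytes, z: bytes, msg: bytes, *, flag: int = 0,
                 context: bytes = b"", z_first: bool = True) -> int:
    """r = SHA-512(dom2(F, C) || Z || prefix || 000... || PH(M)) mod L (Z first),
    or with Z and prefix swapped when z_first is False."""
    if len(prefix) != 32 or len(z) != 32:
        raise ValueError("assumption in this example: prefix and Z are 32 octets each")
    head = dom2(flag, context) + (z + prefix if z_first else prefix + z)
    # Assumption: zero-pad so that PH(M), the only variable-length field, starts
    # on a fresh SHA-512 block and everything before it has fixed length.
    pad = b"\x00" * (-len(head) % BLOCK)
    ph_m = hashlib.sha512(msg).digest() if flag == 1 else msg
    return int.from_bytes(hashlib.sha512(head + pad + ph_m).digest(), "little") % L


if __name__ == "__main__":
    # Constructed sample values: a fixed "prefix" (would come from the secret key) and fresh Z.
    prefix = bytes(range(32))
    z = secrets.token_bytes(32)
    msg = b"constructed sample message"
    # Same message, same key, different Z: the nonce changes, which is the point of hedging.
    print(hex(hedged_nonce(prefix, z, msg)))
    print(hex(hedged_nonce(prefix, secrets.token_bytes(32), msg)))
    # The two orderings are distinct constructions and give unrelated nonces.
    print(hex(hedged_nonce(prefix, z, msg, z_first=False)))
```

Note that both orderings keep every field before PH(M) at a fixed length, which is what Bernstein's first rule of thumb asks for; the second rule only decides which of Z and prefix goes first.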