Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE
John Mattsson <john.mattsson@ericsson.com> Thu, 27 September 2018 06:44 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-dbBOcCgeX4kdMQLAHfha6TTbxU>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Thanks for summarizing the paper Scott. Going to RSA-6144 or RSA-8096 is not attractive at all. It creates much larger signatures and increases processing. Also, there are implementations that do not support anything more than RSA-3072.

/John

On 2018-09-26, 21:48, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> wrote:

However, there are two practical issues with what the paper actually proves:

- It proves that PKCS v1.5 signature with a 2n bit modulus is (at least as) hard to break as n bit RSA. Hence, to get (say) 128 bit security, we would need (say) RSA-6144, rather than the conventional wisdom of RSA-3072.

- Even at that, the proof doesn't apply to v1.5 as used in practice, as it requires quite long hash outputs. To quote the paper:

    Concretely, for signatures instantiated with an 2048-bit RSA modulus N, we can prove security under the 1024-bit RSA assumption, with 1024-bit padding and 1024-bit hash function.... Thus, ... our proofs do not immediately apply to PKCS#1 v1.5 when instantiated with standard hash functions, such as SHA-512...

Yes, v1.5 is nicer in practice, and it's good to have a proof of something, but let's not oversell what we have.

> -----Original Message-----
> From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Peter Gutmann
> Sent: Wednesday, September 26, 2018 3:14 PM
> To: John Mattsson <john.mattsson@ericsson.com>; Saqib A. Kakvi <saqib.kakvi@uni-paderborn.de>; cfrg@irtf.org
> Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE
>
> John Mattsson <john.mattsson@ericsson.com> writes:
>
> >If FDH gives better security it should be discussed, but based on your
> >comments it is only as secure as PSS.
>
> Also, given recent results, neither are more secure than good old v1.5:
>
> https://eprint.iacr.org/2018/855
>
> Given that PSS and FDH are much, much more complex to implement than v1.5 (i.e. more things to go wrong), and require a source of random numbers that v1.5 doesn't, is there any advantage to using PSS or FDH over just staying with v1.5?
>
> Peter.
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
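The thread contrasts PSS (a mask generation function plus a random salt) with the simpler v1.5 padding. As an added example that is not from any participant in this thread, here are the RFC 8017 EMSA-PSS encode and verify steps with MGF1 over SHA-256 in Python; the function names, the fixed test salt and the choice of emBits = 2047 (an RSA-2048 modulus) are assumptions for illustration, and a real signer would draw the salt from os.urandom.

```python
import hashlib

def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || counter) for counter = 0, 1, ... truncated to mask_len."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((mask_len + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]

def emsa_pss_encode(msg: bytes, em_bits: int, salt: bytes, hash_name: str = "sha256") -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1). The salt is a parameter so the function is testable;
    in production it must be fresh CSPRNG output, the randomness PSS needs and v1.5 does not."""
    hash_fn = lambda d: hashlib.new(hash_name, d).digest()
    m_hash, h_len, s_len = hash_fn(msg), hashlib.new(hash_name).digest_size, len(salt)
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for hash plus salt")
    h_val = hash_fn(b"\x00" * 8 + m_hash + salt)              # H = Hash(M')
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt  # DB = PS || 0x01 || salt
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(h_val, em_len - h_len - 1, hash_name)))
    # clear the leftmost 8*emLen - emBits bits so the encoded value is below the modulus
    top = masked_db[0] & (0xFF >> (8 * em_len - em_bits))
    return bytes([top]) + masked_db[1:] + h_val + b"\xbc"

def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int, hash_name: str = "sha256") -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2): every structural check must pass before H is recomputed."""
    hash_fn = lambda d: hashlib.new(hash_name, d).digest()
    m_hash, h_len = hash_fn(msg), hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2 or len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h_val = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    if masked_db[0] & ~(0xFF >> (8 * em_len - em_bits)) & 0xFF:   # leading bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h_val, em_len - h_len - 1, hash_name)))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:                     # PS must be all zero, then 0x01
        return False
    salt = bytes(db[em_len - h_len - 1 - s_len:])                  # recover the salt from DB
    return hash_fn(b"\x00" * 8 + m_hash + salt) == h_val
```

Each of the checks in the verifier is a step that v1.5 verification does not have, which is the implementation-complexity point raised in the quoted message.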