Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE
"Saqib A. Kakvi" <saqib.kakvi@uni-paderborn.de> Wed, 19 September 2018 18:31 UTC
To: cfrg@irtf.org
References: <3B4BE320-418B-4FC1-8427-0EF2F58A0F01@vigilsec.com> <6FD96340-0D8D-44C0-9374-9D7A3F36F967@gmail.com> <27af097a-6769-fcc4-7b28-12c1ea77055a@uni-paderborn.de> <000d01d45041$a8930250$f9b906f0$@augustcellars.com>
From: "Saqib A. Kakvi" <saqib.kakvi@uni-paderborn.de>
Message-ID: <a21a5c72-f9e5-2eb7-4144-bdded4c8321d@uni-paderborn.de>
Date: Wed, 19 Sep 2018 20:31:20 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2NqYsYxkn2j4dDPu9wILlBq4jcc>
Hello Jim,

PSS was more secure than FDH in 1996, but that has since changed. Jean-Sébastien Coron showed an optimal proof (with proof of optimality) in 2001 (https://ia.cr/2001/062) and in 2012, Eike Kiltz and I showed that one can get a better proof for FDH for small exponents (http://www5.rz.rub.de:8032/mam/foc/content/publ/rsa-fdh_fullversion.pdf). In this case FDH is as secure as PSS.

Best,
Saqib

On 19/09/2018 19:53, Jim Schaad wrote:
> I have to admit that I was thinking about using a Full Domain Hash for the signature, esp. because you could probably XOR in the ASN.1 hash algorithm identifier and get back the hash substitution attack. However when I look at http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf I see that they claim that PSS is more secure than Full Domain. I have not done any sort of search to see if things are tighter now than they were back in '96.
>
> Jim
>
> From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Saqib A. Kakvi
> Sent: Wednesday, September 19, 2018 8:58 AM
> To: cfrg@irtf.org
> Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE
>
> Hello Russ,
>
> Replacing MGF1 with SHAKE should not present any problems that I can see. The Mask Generation Function was used to overcome the fact that hash functions have fixed length outputs. The fact that SHAKE is an eXtensible Output Function (XOF) means that one no longer needs to use an MGF.
>
> On the other hand, since we do have XOFs, I'm not sure that RSA-PSS should still be the algorithm of choice, but rather one might consider switching to the simpler RSA-Full Domain Hash or PKCS#1 v1.5 signature schemes.
>
> Tibor Jager, Alexander May and I have recently found a security proof for PKCS#1 v1.5 signatures, with the caveats that one must double their modulus length and use an XOF/MGF. I will be presenting this result at CCS 18 next month, and would be glad to discuss it with anybody there. Additionally, a version should appear in the IACR ePrint archive in the near future. I am also happy to send a copy of the paper to anybody who would like to have one.
>
> Best
> Saqib
>
> From: Russ Housley <housley@vigilsec.com>
> Subject: [Cfrg] A new MGF for RSA-PSS based on SHAKE
> Date: 17 September 2018 at 22:57:10 CEST
> To: IRTF CFRG <cfrg@irtf.org>
>
> Dear CFRG:
>
> The IETF LAMPS WG is specifying the use of SHAKE with RSA-PSS for use with certificates and CMS signed objects. The current drafts are:
>
> draft-ietf-lamps-cms-shakes-01.txt
> draft-ietf-lamps-pkix-shake-02.txt
>
> In discussion of these drafts, it was suggested that instead of replacing SHA-1 in the RSA-PSS default mask generation function (MGF), one could replace the entire MGF with SHAKE. While it does look like a simple substitution, I do not think the IETF LAMPS WG is the right group to make the assessment. CFRG may have people with the right skills, so I would greatly appreciate your thoughts on this idea.
>
> Russ
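The substitution discussed in the thread, as an added example that is not code from any of the posters or from the LAMPS drafts: MGF1's counter construction from RFC 8017 beside a SHAKE256 mask with the same interface, each plugged into an EMSA-PSS encoder and verifier so that an encoding produced with one mask generator can be checked against the other. Assumptions not in the thread: SHA-256 (not the RSA-PSS default SHA-1) as the hash inside MGF1 and for mHash, SHAKE256 as the XOF, a 32-byte salt, and emBits = 2047 as for a 2048-bit modulus; the message and salt are constructed test values.

```python
import hashlib

H_LEN = 32  # digest size of sha256, assumed here for mHash, H and MGF1

def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed||C0) || Hash(seed||C1) || ..., truncated.
    The counter loop exists only because a fixed-output hash cannot emit mask_len bytes."""
    out, counter = bytearray(), 0
    while len(out) < mask_len:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:mask_len])

def shake_mask(seed: bytes, mask_len: int) -> bytes:
    """The proposed substitution: a XOF emits mask_len bytes directly, no counter."""
    return hashlib.shake_256(seed).digest(mask_len)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def emsa_pss_encode(message: bytes, em_bits: int, mgf, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1) with the mask generator as a parameter."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error")
    m_hash = hashlib.sha256(message).digest()
    h = hashlib.sha256(bytes(8) + m_hash + salt).digest()      # H = Hash(M')
    db = bytes(em_len - len(salt) - H_LEN - 2) + b"\x01" + salt  # PS || 0x01 || salt
    masked_db = bytearray(_xor(db, mgf(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)               # clear unused top bits
    return bytes(masked_db) + h + b"\xbc"

def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, mgf, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); returns False on any inconsistency."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ~(0xFF >> top_bits) & 0xFF:
        return False
    db = bytearray(_xor(masked_db, mgf(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> top_bits
    ps_len = em_len - H_LEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    m_hash = hashlib.sha256(message).digest()
    return hashlib.sha256(bytes(8) + m_hash + salt).digest() == h
```

Verifying a SHAKE-masked encoding with MGF1 (or vice versa) fails at the padding check, which is why the mask generator must be fixed by the algorithm parameters a verifier reads from the certificate or CMS object rather than left implicit.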