Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-06.txt
Martin Thomson <mt@lowentropy.net> Thu, 24 November 2022 01:13 UTC
Chris asked me to look at this document. Overall, this looks good. I had a few editorial issues, which I've opened issues or pull requests for.

However, I found an editorial issue that is worth raising here: https://github.com/cfrg/draft-irtf-cfrg-blind-signatures/issues/148

Sections 5 and 6 introduce message randomness requirements that don't seem to be very well contextualized. I think that this stems from some unstated assumptions about the application domain. Being a little more deliberate about how this scheme might be applied could go some way to making this sudden addition of a random suffix on messages understandable.

One consequence of this is that you might think, from reading up to Section 4, that you could send a message with an RSASSA-PSS label attached to it and the recipient doesn't need to care that it was generated using this process. However, it is not clear to me now whether that would be a sensible thing to do, due to the entropy requirements imposed by the attacks referenced in Section 8.3.

Of course, adding 32 bytes of randomness to messages - the recommended approach - means that the recipient really does need to know that this has happened, or it might question what those 32 bytes mean.

On Wed, Nov 23, 2022, at 14:10, Richard Barnes wrote:
> Thanks, authors. I reviewed this version, and it addresses my RGLC comments.
>
> On Mon, Nov 21, 2022 at 17:15 <internet-drafts@ietf.org> wrote:
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Crypto Forum RG of the IRTF.
>>
>> Title    : RSA Blind Signatures
>> Authors  : Frank Denis
>>            Frederic Jacobs
>>            Christopher A. Wood
>> Filename : draft-irtf-cfrg-rsa-blind-signatures-06.txt
>> Pages    : 31
>> Date     : 2022-11-21
>>
>> Abstract:
>> This document specifies an RSA-based blind signature protocol. RSA
>> blind signatures were first introduced by Chaum for untraceable
>> payments [Chaum83]. It extends RSA-PSS encoding specified in
>> [RFC8017] to enable blind signature support.
>>
>> Discussion Venues
>>
>> This note is to be removed before publishing as an RFC.
>>
>> Source for this draft and an issue tracker can be found at
>> https://github.com/chris-wood/draft-wood-cfrg-blind-signatures.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-rsa-blind-signatures/
>>
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-irtf-cfrg-rsa-blind-signatures-06.html
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-rsa-blind-signatures-06
>>
>>
>> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>>
>>
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
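
An added illustration of the point raised in this message, not part of the email and not code from the draft or its authors: a toy RSA blind signature in which the client appends 32 random bytes before blinding, showing that a verifier handed only the original message rejects the signature. Assumptions: the key is a constructed toy built from two small Mersenne primes, the encoding is a plain SHA-256 hash reduced mod n rather than the draft's PSS encoding, the randomizer is placed as a suffix as the message describes, and every function name is hypothetical.

```python
import hashlib
import secrets

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
RANDOMIZER_LEN = 32  # the 32 bytes of message randomness discussed above


def encode(input_msg: bytes) -> int:
    # Simplified stand-in for PSS encoding: hash reduced into Z_n.
    return int.from_bytes(hashlib.sha256(input_msg).digest(), "big") % N


def prepare_randomized(msg: bytes):
    # Client side: attach fresh randomness before anything is blinded.
    randomizer = secrets.token_bytes(RANDOMIZER_LEN)
    return randomizer, msg + randomizer


def blind(input_msg: bytes):
    # Pick an invertible blinding factor r and hide the encoded message.
    while True:
        r = secrets.randbelow(N - 2) + 2
        try:
            r_inv = pow(r, -1, N)
        except ValueError:  # r shares a factor with n; retry
            continue
        return encode(input_msg) * pow(r, E, N) % N, r_inv


def blind_sign(blinded: int) -> int:
    # Signer side: sees only the blinded value, never msg or the randomizer.
    return pow(blinded, D, N)


def finalize(blind_sig: int, r_inv: int) -> int:
    return blind_sig * r_inv % N


def verify(input_msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == encode(input_msg)


def demo() -> dict:
    msg = b"constructed sample message"
    randomizer, input_msg = prepare_randomized(msg)
    blinded, r_inv = blind(input_msg)
    sig = finalize(blind_sign(blinded), r_inv)
    return {
        "with_randomizer": verify(msg + randomizer, sig),  # verifier knows the 32 bytes
        "msg_only": verify(msg, sig),                      # verifier unaware of them
    }
```
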