[Cfrg] Review of draft-mcgrew-hash-sigs-08

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Sun, 12 November 2017 03:56 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 46FAD1270AE for <cfrg@ietfa.amsl.com>; Sat, 11 Nov 2017 19:56:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id u1uJHLDeFwZO for <cfrg@ietfa.amsl.com>; Sat, 11 Nov 2017 19:56:02 -0800 (PST)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69BA31201FA for <cfrg@irtf.org>; Sat, 11 Nov 2017 19:56:02 -0800 (PST)
Received: by mail-qt0-x236.google.com with SMTP id j58so16134538qtj.0 for <cfrg@irtf.org>; Sat, 11 Nov 2017 19:56:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=j3/Zcq8nt/7plJ21DTxUlhpZbH1nfNxC6mTXOAHBm8s=; b=OfjW6UGrvl3gOFUatKs3WWPZzmIXkJ6JDbecjAdM4tZy8fsP9cJAGw5U2d/KTtA/ma 0sU074M80XHPAUlkjlYVplwxR9Zbl5U1Zfb1ZhJwjZ3Su2DCGxTs57jtS4h3zwGn8wPU xMnbx6vrskLCb4Zqvx79haQ8pRyifgC6YvK5nUfiFK3bQFOKf0/UdD4JK4+hx4brCxjx JmozOwA+yyWvyJjEFn0wlK0T7k8XS3+tgfX8SpUCSSjFA07kd2DT/Z6MXsFYLi+tsXDt WWuqMkwZ8MWcrxKeAigJzGrlmhgg4D7n913kHEAAeMEgLaEbLfpL6e+BV9ri6ZbQRQqO eVGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=j3/Zcq8nt/7plJ21DTxUlhpZbH1nfNxC6mTXOAHBm8s=; b=Y0k0lnTJNn4d7/Zhx6suafC0lh5gint9f5aHtfshFXgNIMFPsDSlQS509jyXD74Hti Ln7bX/DvkwcUa3OhBAsMDjl3pfIP75qKiGI6q05ql8PcErSFpi+AyGJbJRuLWN757OYs 2hONpSO6cYcHNLONum6vfS98w4eBoyW6yPxW+aiYtjYKR8Sws4AxGZ5WX4wlbcrLxlTA 3qLqKiaH++CthGidBwN8LjmmZ5iV+o0EBsoAGvZCzgBv2LHzVl83hqqQqBv64NprKgDx b9bdDbdF+lRaAhMaDEeczZEgE5X1a4LM3EzxoNmoXWichz1+Kv+GO8+wM1RPSk8Ltc6J N49g==
X-Gm-Message-State: AJaThX4OZI6aWgI+rLvhvxSycOb5shxTtN/W6mGJCCtHCKjwY6ocIWVs nRxQupuv51sJttypj96wdpUN/pRfcMgVhJ5NjJo=
X-Google-Smtp-Source: AGs4zMbSMebYNIa9XmVswFPXiI1no0C90/Wor/C66syCDAxnKXB40+aBu/NenT3eZ6ZD4oQIsFvK8H9A67k6F3k1Pow=
X-Received: by with SMTP id l37mr8020244qtl.73.1510458961368; Sat, 11 Nov 2017 19:56:01 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Sat, 11 Nov 2017 19:56:00 -0800 (PST)
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Sun, 12 Nov 2017 06:56:00 +0300
Message-ID: <CAMr0u6k5j36f4d9m3h8t987kw34Ww=0cLwbkYGD-AQXSTkQXsw@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>, "David McGrew (mcgrew)" <mcgrew@cisco.com>
Content-Type: multipart/alternative; boundary="001a113ff480d71afc055dc121eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6ngCNs_CuiHSjemOJBfLi0pfiAM>
Subject: [Cfrg] Review of draft-mcgrew-hash-sigs-08
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Nov 2017 03:56:05 -0000

Document: draft-mcgrew-hash-sigs-08
Reviewer: Stanislav Smyshlyaev
Review Date: 2017-11-11
Summary: Minor revision needed

The hash-based signature scheme described in the I-D provides message
authentication algorithms that remain secure after introduction of
effective full-scale quantum computers. This scheme is based on the Merkle
tree scheme and employs specific variant of Winternitz one-time signature.
The scheme requires a small set of fixed domain parameters and can be
easily adopted for the use with national-specific cryptographic primitives.
A particularly important feature of the scheme is the fact that each
invocation of a fixed hash function H outputs a unique byte string (except
a negligible of identifiers collision).

The proposed scheme was proven to be existentially unforgeable under
adaptive chosen message attack (GMR-secure) in random oracle model when
using second preimage resistant hash function ([F17]). It seems also not to
be vulnerable against so called duplicate signature key selection attack
(which is out of GMR-security definition and was firstly introduced in
[BM99] since an attacker who wants to create his own key pair which can be
used for successful verification of a target signature has to find a second
preimage of a used hash function. The current version of the document
lacks, however, comments on the post-quantum security. It would be great if
such a comment appears.

Since the proposed signature scheme is stateful, it is extremely important
to manage its states in a secure way. The I-D proposes helpful technical
implementation notes that cover synchronization issues when storing key in
non-volatile memory.

The document is very important, well-written and fully defines the proposed
algorithms. I particularly like that there are very helpful sections that
give an overview of the design rationale.

There is a number of concerns, that should be addressed before the
publication. Once the comments are resolved, I think that the document can
be published.

Formulae and algorithms to be checked for correctness:
The second paragraph of Section 4.2 states that length of LM-OTS signature
equals np, while it seems to be equal to 4 + n(p+1)
The description of the algorithm 6 lacks parsing of parameter otstype
The description of the algorithm 6b supposes that otssigtype is set
directly after q, while the informal description in Section 5.4 states that
otssigtype follows after the OTS value

Other comments:

Throughout the text: consider replacing 'signature system' with a commonly
used 'signature scheme'

Chapter 1:

"moderatley" -> "moderately"

Chapter 2:

"A message/signature pair are valid"  -> "... is valid"

"the signature and message pair are not valid" -> "... is not valid"

Section 3.1:

"a four byte string S " -> "a four-byte string S"

Section 3.1.1:

The i^th element in an array A is denoted as A[i] -> the i-th element...

The same change should be done throughout the text to avoid confusion with
powers of i.

Section 3.2:

"I - a 16 byte identi­fier" -> "I - a 16-byte identifier"

"i = a value between 0 and 264" -> "i - a value between 0 and 264"

Function H is used in the definition of par­ameter i, but that function is
not yet defin­ed at that point.

"a two byte identifier "  -> "a two-byte identifier"

Chapter 4:

"a diversification parameter q (which is used as part of the security
string, as listed in Section 3.2" - ")" should be added

Section 4.1:

Definitions of n, w, p, ls and H: last three definifons end with ".", while
the first two do not.

The definition or re­ference should be gi­ven for the notion of Winte­rnitz
coefficient. Also the same should be done with the not­ions Winternitz
tree, Winternitz  chain and LMS tree.

Section 4.2:

"Here SHA256 denotes the NIST standard hash function [FIPS180]." - since
SHA-256 is defined together with SHA-1, SHA-384 etc., it seems better to
say something like "Here SHA256 denotes the SHA-256 hash function, defined
in NIST standard [FIPS180]."

Section 4.5:

"A checksum is used to ensure that any forgery attempt that manipulates the
elements of an existing signature will be detected." - the sentence is too
general and seem to not add any real information to the reader. In my
opinion, it would be better to say explicitly about the vulnerability that
appears if we do not use the checksum.

Section 4.7:

"Signature Typecode Type ," -> "Signature Typecode Type,"

Chapter 5:

There is "Leight­on Micali Signatures", but in the introduction this notion
was men­tioned as "Leighton-M­icali Signatures". Al­so, the abbreviation
LMS was already given in Section 1.

Section 5.1:

"h : the height (number of levels - 1) in the tree, and" - 1) "of" instead
of "in", 2) it seems that "and" should be omitted.

There are two sentences about possible usage of different hash functions -
I'd prefer to seem them combined in a one, they look quite confusing in the
current version.

Consider adding in the end of Section 5.1 a paragraph, which explicitly
defines the sizes of private key, public key and signature in terms of the
used parameters. It can be useful for a reader, who first opens the
document and wants to understand the overall properties of the scheme.

Section 5.4:

Line 3 “an LM-OTS signature, and” - it seems that “and” should be omitted.

Section 5.4.1:

It seems strange that the section for "LMS Signature Verification" has the
number "5.5" and the "LMS Signature Generation" has "5.4.1" - maybe use
"5.6" and "5.5" instead?

Section 5.5:

It seems more reasonable to use "Algorithm 6a" instead of "Algorithm 6"

Chapter 6:

In the first paragraph a general description is given for HSS with 2
levels, and in the I-D it is defined for up to 8 levels. It seems more
helpful to modify the first paragraph for the case of arbitrary number of
levels, not only for two.

Chapter 8:

"Other hash functions may be used in future specifications; all the ones
that we will be likely to support (SHA-512/256 and the various SHA-3
hashes) would work well with a 16 byte I value." - mentioning SHA-256 here
among "other hash functions" looks confusing, given the whole I-D defines
schemes for SHA-256.

Chapter 12:

"an attacker who does not know the private key associated with a public key
can find a message and signature that are valid with that public key" -
maybe "a new message" or "a message which is different from all previously
signed ones".

There is a very helpful text about formatted inputs of a hash - I'd
recommend to add a subtitle before it (use 12.1 before "The format of the
inputs to...").

"pseuddorandom" -> "pseudorandom"

"This can be shown (in [Fluhrer17]) ..." -> "This is shown (in [Fluhrer17])

Section 12.1

"It is essential for security that the application ensure" -> "ensures"

"until the data has been to the underlying hardware" - maybe add "stored"
or "written" after "has been"?

In your IETF 97 slides there was a slide with "Anti-Copying Token in
Private Key Files" (slide 19 in https://datatracker.ietf.org/
update-and-batch-message-signing/) - won't it be helpful to add those
recommendation in Chapter 12 also?

Chapter 12:
"where HSS need only perform one" -> "needs only to perform one"
"HSS is somewhat simpler" - this looks quite vague and uncertain - maybe it
would be better to get rid of this phrase?..


"Buchmann, J., Dahmen, E., and . Andreas Hulsing," - remove "." before

Appendix A:

"however any other cryptographical secure method of generating private keys
would also be safe." - formally, this is not true: if the previously
mentioned formula is used with, say, 254 instead of 255, it would be
generally "cryptographically secure", but won't be very good for the
considered case.
Maybe just get rid of this (quite vague) sentence at all?

"cryptographical secure method" -> " cryptographically secure method"

[BM99]: Blake-Wilson S., Menezes A., "Unknown key-share attacks on the
station-to-station (STS) protocol", Lect. Notes Comput. Sci., 1560, 1999,

[F17]: Fluhrer S., "Further analysis of a proposed hash-based signature
standard", EPrint IACR Archieve, http://eprint.iacr.org/2017/553.pdf.