Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

"Saqib A. Kakvi" <saqib.kakvi@uni-paderborn.de> Wed, 19 September 2018 15:58 UTC


Hello Russ,

Replacing MGF1 with SHAKE should not present any problems that I can 
see. The Mask Generation Function was used to overcome the fact that 
hash functions have fixed length outputs. The fact that SHAKE is an 
eXtensible Output Function (XOF) means that one no longer needs to use 
an MGF.

On the other hand, since we do have XOFs, I'm not sure that RSA-PSS 
should still be the algorithm of choice, but rather one might consider 
switching to the simpler RSA-Full Domain Hash or PKCS#1 v1.5 signature 
schemes.
Tibor Jager, Alexander May and myself have recently found a security 
proof for PKCS#1 v1.5 signatures, with the caveats that one must double 
their modulus length and use an XOF/MGF. I will be presenting this 
result at CCS 18 next month, and would be glad to discuss it with 
anybody there. Additionally, a version should appear in the IACR ePrint 
archive in the near future. I am also happy to send a copy of the paper 
to anybody who would like to have one.

Best
Saqib


>
> *From: *Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>>
> *Subject: **[Cfrg] A new MGF for RSA-PSS based on SHAKE*
> *Date: *17 September 2018 at 22:57:10 CEST
> *To: *IRTF CFRG <cfrg@irtf.org <mailto:cfrg@irtf.org>>
>
> Dear CFRG:
>
> The IETF LAMPS WG is specifying the use of SHAKE with RSA-PSS for use 
> with certificates and CMS signed objects.  The current drafts are:
>
> draft-ietf-lamps-cms-shakes-01.txt
> draft-ietf-lamps-pkix-shake-02.txt
>
> In discussion of these drafts, it was suggested that instead of 
> replacing SHA-1 in the RSA-PSS default mask generation function (MGF), 
> one could replace the entire MGF with SHAKE.  While it does look like 
> a simple substitution, I do not think the IETF LAMPS WG is the right 
> group to make the assessment.  CFRG may have people with the right 
> skills, so I would greatly appreciate your thoughts on this idea.
>
> Russ
>
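The point made above, that MGF1 exists only to stretch a fixed-length hash and that an XOF yields the mask directly, can be seen in code. The following is an added example, not code from the thread, the LAMPS drafts, or any of the authors mentioned: it implements MGF1 from RFC 8017 Appendix B.2.1 next to a SHAKE256 mask, and an EMSA-PSS encode/verify pair (RFC 8017 section 9.1) that takes the mask generation function as a parameter. The choice of SHA-256 as the message hash, a 32-byte salt, and an emBits value of 2047 (a 2048-bit modulus) are assumptions made for the example; the RSA modular operation itself is deliberately left out so that only the encoding layer, where the MGF lives, is exercised.

```python
"""Added example: EMSA-PSS with a pluggable mask generation function, comparing
MGF1 (counter loop over a fixed-output hash) with SHAKE256 used directly as an XOF."""
import hashlib
import secrets
from typing import Callable, Optional

MGF = Callable[[bytes, int], bytes]

def i2osp(x: int, length: int) -> bytes:
    return x.to_bytes(length, "big")

def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (RFC 8017 B.2.1): concatenate Hash(seed || C) for C = 0, 1, 2, ...
    and truncate. The counter loop exists only because Hash has fixed output."""
    h_len = hashlib.new(hash_name).digest_size
    if mask_len > (1 << 32) * h_len:
        raise ValueError("mask too long")
    out = bytearray()
    for counter in range((mask_len + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + i2osp(counter, 4)).digest()
    return bytes(out[:mask_len])

def shake256_mgf(seed: bytes, mask_len: int) -> bytes:
    """SHAKE256 as the MGF: the XOF produces mask_len bytes with no counter construction."""
    return hashlib.shake_256(seed).digest(mask_len)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

H_LEN = 32   # assumption: SHA-256 is Hash in EMSA-PSS
S_LEN = 32   # assumption: 32-byte salt

def emsa_pss_encode(message: bytes, em_bits: int, mgf: MGF,
                    salt: Optional[bytes] = None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1). A fixed salt may be passed for reproducible tests."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + S_LEN + 2:
        raise ValueError("encoding error")
    m_hash = hashlib.sha256(message).digest()
    if salt is None:
        salt = secrets.token_bytes(S_LEN)
    h = hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - S_LEN - H_LEN - 2) + b"\x01" + salt
    masked_db = bytearray(_xor(db, mgf(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the excess leading bits
    return bytes(masked_db) + h + b"\xbc"

def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, mgf: MGF) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2). Returns False on any inconsistency."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + S_LEN + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : em_len - 1]
    if (masked_db[0] & ~(0xFF >> (8 * em_len - em_bits))) & 0xFF:
        return False
    db = bytearray(_xor(masked_db, mgf(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - H_LEN - S_LEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[-S_LEN:])
    m_hash = hashlib.sha256(message).digest()
    h_prime = hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest()
    return secrets.compare_digest(h, h_prime)

def demo(em_bits: int = 2047) -> dict:
    """Encode one constructed message with each MGF and verify it with each MGF.
    The cross case shows the MGF is a parameter both sides must agree on."""
    msg = b"constructed sample message"   # constructed input, not from the thread
    em_mgf1 = emsa_pss_encode(msg, em_bits, mgf1)
    em_shake = emsa_pss_encode(msg, em_bits, shake256_mgf)
    return {
        "mgf1_ok": emsa_pss_verify(msg, em_mgf1, em_bits, mgf1),
        "shake_ok": emsa_pss_verify(msg, em_shake, em_bits, shake256_mgf),
        "cross_ok": emsa_pss_verify(msg, em_mgf1, em_bits, shake256_mgf),
    }

if __name__ == "__main__":
    print(demo())
```

Both masks share the prefix property that PSS relies on (a longer request extends a shorter one), so the substitution is indeed a drop-in at the encoding level; the failing cross case is the reason the chosen MGF has to be carried in the algorithm parameters of the certificate or CMS object rather than assumed.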