IETF Logo Mail Archive

Re: [CFRG] Call for adoption for draft-dew-cfrg-signature-key-blinding

Ian Goldberg <iang@uwaterloo.ca> Sun, 05 June 2022 14:47 UTC

Return-Path: <iang@uwaterloo.ca>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D756AC14F721; Sun, 5 Jun 2022 07:47:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=uwaterloo.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HH4OtDsZ9R8P; Sun, 5 Jun 2022 07:47:50 -0700 (PDT)
Received: from orthrus.uwaterloo.ca (orthrus.uwaterloo.ca [129.97.128.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34ECAC14F72C; Sun, 5 Jun 2022 07:47:49 -0700 (PDT)
Received: from email.paip.net (thump.cs.uwaterloo.ca [198.96.155.10]) (authenticated bits=0) by orthrus.uwaterloo.ca (8.14.7/8.14.7) with ESMTP id 255ElcT4001013 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 5 Jun 2022 10:47:41 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 orthrus.uwaterloo.ca 255ElcT4001013
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uwaterloo.ca; s=default; t=1654440462; bh=EEnqwSBvOUgFYAell0f9AoixX7kqQr1oO1bYbX7ghSo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=EA05Pf+TCIzakCRzHXMrrxxAx9FCG/Us7eGEp5qvHxKkNztt1mUh2jk8QWx0EM1do WWpU9+URGjKlZTk0Td+kVvgJVwI9M4DV2JLKrimd7npBfyHaXJYHxgYElxGkJ1sXBE XaiUxQVwOvCXLXuTyzVhOFOuJM+wBkbYPqSaKDAw=
Received: from yoink (brandeis.paip.net [66.38.236.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.paip.net (Postfix) with ESMTPSA id 767F05FC01D1; Sun, 5 Jun 2022 10:47:38 -0400 (EDT)
Received: from iang by yoink with local (Exim 4.90_1) (envelope-from <iang@uwaterloo.ca>) id 1nxrXV-0002cX-M3; Sun, 05 Jun 2022 10:47:37 -0400
Date: Sun, 05 Jun 2022 10:47:37 -0400
From: Ian Goldberg <iang@uwaterloo.ca>
To: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>
Cc: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, CFRG <cfrg@irtf.org>, cfrg-chairs@ietf.org, draft-dew-cfrg-signature-key-blinding@ietf.org, Christopher Wood <caw@heapingbits.net>, Ted Eaton <eeaton@uwaterloo.ca>
Message-ID: <20220605144737.GL3694@yoink.cs.uwaterloo.ca>
References: <CAMr0u6k9cXb8wL4zr5=jw-knpvXkNO285nap3Ch1MKVJODd0sg@mail.gmail.com> <CAG2Zi20C-yaR8VRN=qMuYbU_FOsFcOnMKnW5P8E54rprX1cDGA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAG2Zi20C-yaR8VRN=qMuYbU_FOsFcOnMKnW5P8E54rprX1cDGA@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-UUID: 0c7277b2-5509-4a4d-993d-6ec61e0ba598
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8yHBnjnccVdM5wBI0dxmQvQ8tJI>
Subject: Re: [CFRG] Call for adoption for draft-dew-cfrg-signature-key-blinding
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Jun 2022 14:47:54 -0000

I support adoption.  My initial review follows.

Notes from 5 Jun 2022 on
https://chris-wood.github.io/draft-dew-cfrg-signature-key-blinding/draft-dew-cfrg-signature-key-blinding.html
version of 29 Apr 2022

In the abstract, the "core property" you give for key blinding (as well
as the "moreover" property) would also apply to "just generate a fresh
key".  It seems to me that the core property for key blinding should
distinguish itself from that scenario in some way.  You have maybe one
sentence more detail in Section 1 ("In some applications, it's useful
for a signer to produce digital signatures using the same long-term
private signing key", so you're insisting on the same long-term signing
key), but that still admits the trivial construction of skR = KDF(skS,
counter), pkR = skR*G, where skS is the long-term key.  It doesn't seem
like this construction would satisfy what you need.  So what property
distinguishes what you're looking for?  The clue appears to be in the
paragraph after: "producing a public verification key which is a
function of the long-term public verification key and same blinding
key".  So this property, that the public verification key needs to be
producible from the master public key and the blinding key, appears to
be vital, and should be highlighted up front, perhaps explicitly
distinguishing the two more trivial cases above?

As noted in Ted's talk the other day, UnblindPublicKey is actually
optional (some key blinding systems intentionally don't provide a way to
unblind), and indeed you cite Tor's onion services protocol as a
motivating example, which is one such.  It would be good to be explicit
about this, since this mode is actually useful (and used in practice
already).  Note that this is not the same as the question of whether the
blinding key remains secret.  For example, you can't unblind
pkS = H(bk, pkR, timestamp) * pkR whether or not you know bk, but that
still seems like a useful construction.

You cite [TORDIRECTORY] for "the Tor onion services protocol", but it
should be [TORONION]
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt instead.

"two separate key signing keys": you don't have key signing keys;
presumably you meant "two independent signing keys", or something like
that?

At the start of 3, now you _insist_ that bk is secret: "Similar to the
signing key, the blinding key is also a private key that remains
secret."  But then what of the critical property above that
distinguishes key blinding from "generate a fresh key"?  If no one other
than the key holder can blind or unblind public keys on their own, so
that the key holder has to actually deliver the new public key each
time, then why _not_ use one of the two trivial constructions above?

Nit: "a random scalar in the P-256 group": in my mind, "the P-256 group"
is the group of elliptic curve points, not the scalar field.  But
hopefully no one will get confused by this wording.

It's a little jarring that the list of four new functionalities is
repeated in Section 3, just a page or so after it first appears in
Section 1.

Again in 3, the correctness condition requires the existence of
UnblindPublicKey, which may not exist.

Aren't you missing another correctness condition at the end of Section
3?  Namely, that public keys produced with BlindPublicKey will correctly
verify signatures produced with BlindKeySign (using the standard
signature verification function)?

In Section 4.1, "Interpret the lower 32 bytes buffer" isn't clear to me.
What is the "lower 32 bytes buffer" of a 64-byte buffer?  The first 32
bytes?  And you just throw away the last 32 bytes?  (You're using
SHA-512 here because it's already needed for Ed25519, right?)

Explicitly skipping the buffer pruning step: this could lead to
complications.  At least the last time I looked at the PyNaCl library,
for example, there was _no way_ to construct a PrivateKey object without
the library doing the buffer pruning.

In Section 4.2, in which of steps 1 and 2 do you or don't you do buffer
pruning?  It sounds like you do in step 1 but not in step 2?

In Section 4.2, step 3, again not all Ed25519 libraries expose scalar
multiplication like this, particularly unpruned.

In Section 5.2, it seems more explicit that step 1 and step 2 both *do*
do buffer pruning.  (Except that contradicts Section 5.1, which suggests
it does *not*?)  Is Ed448 intended to be different from Ed25519 here?

In Section 6.1, UnblindPublicKey should take an argument of pkR, not pk.

I did not check the test vectors.

-- 
Ian Goldberg 🏳️‍🌈
Canada Research Chair in Privacy Enhancing Technologies
Professor, Cheriton School of Computer Science
University of Waterloo

v2.23.0 | Report a Bug | By Email