IETF Logo Mail Archive

Re: [Cfrg] draft-mcgrew-hash-sigs implementation and findings

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sun, 18 March 2018 19:21 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 291CD129C59 for <cfrg@ietfa.amsl.com>; Sun, 18 Mar 2018 12:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.911
X-Spam-Level:
X-Spam-Status: No, score=-2.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhul.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PrvlWGhm8QZP for <cfrg@ietfa.amsl.com>; Sun, 18 Mar 2018 12:21:23 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0051.outbound.protection.outlook.com [104.47.0.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE2C11270A0 for <cfrg@ietf.org>; Sun, 18 Mar 2018 12:21:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhul.onmicrosoft.com; s=selector1-rhul-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=whfJ1byH7JXTYjjLPJo/aflyEPmPz1lI31Wnphm9L3s=; b=hLdRfdqnJKwYelx1XcevFQ2WJz2Wnfet073EXbGJy5Tyg4Oi+hiS/qu2yH0tqcU6diqgF3OpSucgxG47bsj3TvszYgsLg8TJygtHPhN6nnODzwpVolJcN6U+idWsxueQW0IUgXeI/zuYvKTMgkp17CIhmWF00ayFmVMHo3FWuII=
Received: from AM4PR0301MB1906.eurprd03.prod.outlook.com (10.168.2.156) by AM4PR0301MB1937.eurprd03.prod.outlook.com (10.168.3.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.588.14; Sun, 18 Mar 2018 19:21:20 +0000
Received: from AM4PR0301MB1906.eurprd03.prod.outlook.com ([fe80::c5a2:a1b:708e:7a80]) by AM4PR0301MB1906.eurprd03.prod.outlook.com ([fe80::c5a2:a1b:708e:7a80%14]) with mapi id 15.20.0588.016; Sun, 18 Mar 2018 19:21:19 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Paul Selkirk <paul@psgd.org>, "cfrg@ietf.org" <cfrg@ietf.org>
CC: "David McGrew (mcgrew)" <mcgrew@cisco.com>, Scott Fluhrer <sfluhrer@cisco.com>
Thread-Topic: [Cfrg] draft-mcgrew-hash-sigs implementation and findings
Thread-Index: AQHTvtcvv8mHPysWc0+hbJgZXb3HCaPWXueA
Date: Sun, 18 Mar 2018 19:21:19 +0000
Message-ID: <4F37A5B0-A0F9-4F86-B780-E0E114AFB78D@rhul.ac.uk>
References: <5d590027-50d9-637e-8ef0-9b5a8ac22565@psgd.org>
In-Reply-To: <5d590027-50d9-637e-8ef0-9b5a8ac22565@psgd.org>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.28.0.171108
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Kenny.Paterson@rhul.ac.uk;
x-originating-ip: [88.109.217.106]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0301MB1937; 6:/EJIBzC9XVt8NxB3y2ur764bTAVnuJrm0JqNgnDVxtyUZg3yz9swJbhIcV6Haoqu1nYE95XDRZgZttH6d+Dq1qcMz8VooyWgjpwQSyxUaAqsUtis5L3FPerr3QRB8iXnmtJwcbe9AEPXj53xQxrHOZorJl+YrQv0zEovYl0gtt5GKgUggtkpwg92KR/gNpIy9AnkEYj5IQLDwdxXzvdSW4tO5XfKTmYfk82CEmZNdLrAUerrgxq76J427gEt/RWfNZFwmecH6HKIAe7U/AzIavBbzdUWnCVDPQ1w+vNp4XIoPZAxRiYZrBEFNoAeCkbIUkeQ1jj2gG97MsMqsVsLfA0Vj6R3M0p0Zzdz5A8s+1+42ACEuO5NvimFUTWrEUxw; 5:zVHIoXJHLWGlb6DZg82dK/6wbwIk2cGO4izgFzyXOeaj9/DE0r8puRhcJnYB/vOLxBOVJG0O6+b2dA7wtppFJtsHEfZnzB3kdnnYAEhTDvRoghhZJPhtZ8WaVMaTHWBq/HbEImtu+LSximLjcGKTagZyvcec0kpAmkOeUb5vyFA=; 24:7H5wMRVWgXOoyYhtL4IpwxI40S4P2SGPY4XbguCoyXFxp6nFjK6huflz4/4BDE0zuHlgBPyGZ7LAlW7hYEoGGsm1cLZlKwQDa8CxMAwKRlQ=; 7:g6gM/eGVNnyr4/MEwQMUYBg/s63WHzBlcAh2vofDrtCDj08kAVEt8xqZ1L86q9C9nACJtqfLZFSZwQ3tBevDxbQskc4wLXIjJzbude0tfdPd0rbibbtyVT+5jdrEQjPFS4Twd3emzrZUNKh83PXhDtLoKDTc/CiR+KBA8BGgz/Z5W8iKOyalTDtS9PzoN9c3V3QDK2ub3mmjlBJWWDluwnNybLL8i7IbnfsrdOpfSakRCm6i66IMoOKyBlxIhbY2
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 9a9594ca-cf99-4ded-081f-08d58d056dd6
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(8989060)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(8990040)(2017052603328)(7153060)(7193020); SRVR:AM4PR0301MB1937;
x-ms-traffictypediagnostic: AM4PR0301MB1937:
x-microsoft-antispam-prvs: <AM4PR0301MB193782EF195EB94909BCA7BEBCD50@AM4PR0301MB1937.eurprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(166708455590820);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(10201501046)(93006095)(93001095)(3231221)(944501300)(52105095)(3002001)(6041310)(20161123558120)(20161123560045)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(6072148)(201708071742011); SRVR:AM4PR0301MB1937; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0301MB1937;
x-forefront-prvs: 06157D541C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39380400002)(396003)(366004)(346002)(39850400004)(376002)(189003)(199004)(13464003)(5250100002)(81166006)(14454004)(2950100002)(54906003)(2501003)(106356001)(81156014)(305945005)(7736002)(82746002)(72206003)(33656002)(2906002)(413944005)(6116002)(8936002)(83716003)(229853002)(74482002)(3846002)(478600001)(3660700001)(53936002)(966005)(97736004)(76176011)(2900100001)(6512007)(6506007)(53546011)(53376002)(66066001)(6246003)(99286004)(6486002)(5660300001)(8676002)(102836004)(105586002)(3280700002)(25786009)(186003)(26005)(68736007)(36756003)(58126008)(316002)(86362001)(4326008)(786003)(6306002)(6436002)(110136005)(59450400001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0301MB1937; H:AM4PR0301MB1906.eurprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: rhul.ac.uk does not designate permitted sender hosts)
x-microsoft-antispam-message-info: JWocOsbu6CVrmkJWXwsk1TVGNazUl0FPeDH0OLGqrVUO6vH5QA/p9D4q5ZliUPS7H+Chpq/f/huwTz8GGpPh6Zbxjn90Wvx8h5qO8s44YZWL/bAIKuWCw6pT/JnWiisSwmCmrtgbyHsuDLyTiwmimmJqLSH5AjbSO290zvApHVPyEtsu53nRwJftqh4jUe0ozDN3QULqwnMnbV0AG14odxEuBKfwZyZOhgftffhIy8Wg1h3Nks1qUHxd5MsN/962jnzjvMv72wSI+J5gKXXJQVxyYXf2vDsqNC8lrzf4xAVg6PQJuBR9Snx71+ATmOOgPyovrIQIpenqyY+ZIYpyHg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <E3AEB13B7E3CE4429DCF69F7BACAF6E4@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 9a9594ca-cf99-4ded-081f-08d58d056dd6
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2018 19:21:19.9108 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0301MB1937
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9DHZlFbK5Eqg4YQQHtaIAA56Yko>
Subject: Re: [Cfrg] draft-mcgrew-hash-sigs implementation and findings
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 19:21:26 -0000

Dear Paul,

Many thanks for this report - it's excellent to have another implementation, but equally excellent that you shared your implementation experiences based on the draft.

Authors: it seems like there's quite a few things here that should be cleaned up.

Thanks,

Kenny 

-----Original Message-----
From: Cfrg <cfrg-bounces@irtf.org> on behalf of Paul Selkirk <paul@psgd.org>
Date: Sunday, 18 March 2018 at 16:35
To: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: [Cfrg] draft-mcgrew-hash-sigs implementation and findings

    I'm pleased to announce a clean-room implementation of
    draft-mcgrew-hash-sigs-10. There are actually two flavors: 1) a naive
    implementation that adheres as closely as possible to the text and
    pseudo-code of the draft (including storing keys in xdr format); and 2)
    a version that is targeted to the CrypTech prototype HSM, with AES
    keywrapping for the keys, and using our own hash implementation and
    hardware-based RNG.
    
    Code is available at:
    https://wiki.cryptech.is/browser/user/paul/hashsig-naive
    https://wiki.cryptech.is/browser/sw/libhal
    
    Most of my previous comments on draft-08 (email to group on 13 November
    2017) still stand, and have not been addressed in -09 or -10. Most of
    those comments are editorial in nature, and I won't belabor them here.
    
    What I will belabor is the pseudo-code (including lack of it), because
    that's essential for properly implementing the draft. The pseudo-code is
    generally complete and correct for LM-OTS, a little sloppier for LMS,
    and mostly missing for HSS.
    
    Section 4.4, Algorithm 1, step 2: n is not used here.
    
    Section 4.7, Algorithm 4a, missing step: set n p according to the
    pubtype and Table 1.
    
    Section 5.2, Algorithm 5, step 1: m is not used here.
    
    Section 5.2, Algorithm 5, missing step: generate I for this keypair.
    
    Section 5.2, Algorithm 5, missing step: return u32str(type) || u32str(q)
    || OTS_PRIV[0] || OTS_PRIV[1] || ... || OTS_PRIV[2^h - 1]
    
    Section 5.3, missing pseudo-code. I suggest something like the following:
    
      1. determine LMS type, LM-OTS type, and I from private key
    
      2. set h from the LMS type code and Table 2
    
      3. compute the hash value of each leaf node as follows:
         r = 2^(h+1) - 1
         while (r >= 2^h) {
           T[r] = H(I||u32str(r)||u16str(D_LEAF)||OTS_PUB[r-2^h])
           r = r - 1
         }
    
      4. compute the hash value of each inner node as follows:
         r = 2^h - 1
         while (r > 0) {
           T[r] = H(I||u32str(r)||u16str(D_INTR)||T[2*r]||T[2*r+1])
           r = r - 1
         }
    
      5. return u32str(type) || u32str(otstype) || I || T[1]
    
    Section 5.4.1, missing pseudo-code. I suggest something like the following:
    
      1. set type to the typecode of the LMS algorithm
    
      2. create the LM-OTS signature for the message:
         ots_signature = ots_sign(message, LMS_PRIV[q])
    
      3. compute the array path as follows:
         r = 2^h + q
         i = 0
         while (r > 1) {
           if (r is odd):
             path[i] = T[r-1]
           else
             path[i] = T[r+1]
           r = r/2
           i = i + 1
         }
    
      4. S = u32str(q) || ots_signature || u32str(type) || path[0] ||
    path[1] || ... || path[h-1]
    
      5. q = q + 1
    
      6. return S
    
    Section 5.4.2, Algorithm 6a, step 2e: "ots_signature = bytes 8 through 8
    + n * (p + 1) - 1 of signature". This is actually the remainder of
    ots_signature after otssigtype. The full ots_signature would be bytes 4
    through 8 + n * (p + 1) - 1.
    
    Section 6.1, missing pseudo-code. I suggest something like the following:
    
      1. generate L LMS key pairs, as specified in sections 5.2 and 5.3
    
      2. sign each child public key with the private key of its parent:
         i = 0
         while (i < L-1) {
           sig[i] = lms_sign(LMS_PUB[i+1], LMS_PRIV[i])
           i = i + 1
         }
    
      3. return u32str(L) || LMS_PUB[0]
    
    Section 6.2: missing pseudo-code. I suggest something like the following:
    
      1. If the message-signing key LMS_PRIV[L-1] is exhausted, regenerate
         that key pair, together with any parent key pairs that might be
         necessary. If the root key pair is exhausted, then the HSS key pair
         is exhausted, and it MUST NOT generate any more signatures.
    
         if (LMS_PRIV[L-1].q == 2^h) {
           d = L-1
           while (LMS_PRIV[d-1].q == 2^h) {
             if (d == 0)
               return FAILURE
             d = d - 1
           }
           while (d < L) {
             regenerate keypair LMS_PRIV[d], LMS_PUB[d]
             sig[d-1] = lms_sign(LMS_PUB[d], LMS_PRIV[d-1])	
           }
         }
    
      2. Sign the message
         sig[L-1] = lms_sign(msg, LMS_PRIV[L-1])
    
      3. Create the list of signed public keys
         i = 0
         while (i < L-1) {
           signed_pub_key[i] = sig[i] || LMS_PUB[i+1]
           i = i + 1
         }
    
      4. return u32str(L-1) || signed_pub_key[0] || ... ||
    signed_pub_key[L-2] || sig[L-1]
    
    Section 6.3: missing an Algorithm number and heading.
    
    Other things I noted while implementing:
    
    The python implementation at http://github.com/davidmcgrew/hash-sigs/ is
    badly out of date (draft-05), and either the code should be updated or
    the reference should be removed from the draft.
    
    The History for Version 05 (which really means changes from 05 to 06?)
    refers to SPHINCS, which also shows up as an Informative Reference, but
    the text mentioning SPHINCS was removed in -08.
    
    In the LMS signature, it's odd that q is first and lms_type is after the
    ots_sig. For consistency, I'd expect something more like
      u32str(lms_type) || ots_signature || u32str(q) || path[0] || ...
    
    However, that would be an incompatible change to the protocol, which I
    don't expect to happen at this late date. I just wanted to flag it as
    something unexpected.
    
    _______________________________________________
    Cfrg mailing list
    Cfrg@irtf.org
    https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email