Re: [Cfrg] draft-mcgrew-hash-sigs implementation and findings
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sun, 18 March 2018 19:21 UTC
Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 291CD129C59 for <cfrg@ietfa.amsl.com>; Sun, 18 Mar 2018 12:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.911
X-Spam-Level:
X-Spam-Status: No, score=-2.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhul.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PrvlWGhm8QZP for <cfrg@ietfa.amsl.com>; Sun, 18 Mar 2018 12:21:23 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0051.outbound.protection.outlook.com [104.47.0.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE2C11270A0 for <cfrg@ietf.org>; Sun, 18 Mar 2018 12:21:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhul.onmicrosoft.com; s=selector1-rhul-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=whfJ1byH7JXTYjjLPJo/aflyEPmPz1lI31Wnphm9L3s=; b=hLdRfdqnJKwYelx1XcevFQ2WJz2Wnfet073EXbGJy5Tyg4Oi+hiS/qu2yH0tqcU6diqgF3OpSucgxG47bsj3TvszYgsLg8TJygtHPhN6nnODzwpVolJcN6U+idWsxueQW0IUgXeI/zuYvKTMgkp17CIhmWF00ayFmVMHo3FWuII=
Received: from AM4PR0301MB1906.eurprd03.prod.outlook.com (10.168.2.156) by AM4PR0301MB1937.eurprd03.prod.outlook.com (10.168.3.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.588.14; Sun, 18 Mar 2018 19:21:20 +0000
Received: from AM4PR0301MB1906.eurprd03.prod.outlook.com ([fe80::c5a2:a1b:708e:7a80]) by AM4PR0301MB1906.eurprd03.prod.outlook.com ([fe80::c5a2:a1b:708e:7a80%14]) with mapi id 15.20.0588.016; Sun, 18 Mar 2018 19:21:19 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Paul Selkirk <paul@psgd.org>, "cfrg@ietf.org" <cfrg@ietf.org>
CC: "David McGrew (mcgrew)" <mcgrew@cisco.com>, Scott Fluhrer <sfluhrer@cisco.com>
Thread-Topic: [Cfrg] draft-mcgrew-hash-sigs implementation and findings
Thread-Index: AQHTvtcvv8mHPysWc0+hbJgZXb3HCaPWXueA
Date: Sun, 18 Mar 2018 19:21:19 +0000
Message-ID: <4F37A5B0-A0F9-4F86-B780-E0E114AFB78D@rhul.ac.uk>
References: <5d590027-50d9-637e-8ef0-9b5a8ac22565@psgd.org>
In-Reply-To: <5d590027-50d9-637e-8ef0-9b5a8ac22565@psgd.org>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.28.0.171108
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Kenny.Paterson@rhul.ac.uk;
x-originating-ip: [88.109.217.106]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0301MB1937; 6:/EJIBzC9XVt8NxB3y2ur764bTAVnuJrm0JqNgnDVxtyUZg3yz9swJbhIcV6Haoqu1nYE95XDRZgZttH6d+Dq1qcMz8VooyWgjpwQSyxUaAqsUtis5L3FPerr3QRB8iXnmtJwcbe9AEPXj53xQxrHOZorJl+YrQv0zEovYl0gtt5GKgUggtkpwg92KR/gNpIy9AnkEYj5IQLDwdxXzvdSW4tO5XfKTmYfk82CEmZNdLrAUerrgxq76J427gEt/RWfNZFwmecH6HKIAe7U/AzIavBbzdUWnCVDPQ1w+vNp4XIoPZAxRiYZrBEFNoAeCkbIUkeQ1jj2gG97MsMqsVsLfA0Vj6R3M0p0Zzdz5A8s+1+42ACEuO5NvimFUTWrEUxw; 5:zVHIoXJHLWGlb6DZg82dK/6wbwIk2cGO4izgFzyXOeaj9/DE0r8puRhcJnYB/vOLxBOVJG0O6+b2dA7wtppFJtsHEfZnzB3kdnnYAEhTDvRoghhZJPhtZ8WaVMaTHWBq/HbEImtu+LSximLjcGKTagZyvcec0kpAmkOeUb5vyFA=; 24:7H5wMRVWgXOoyYhtL4IpwxI40S4P2SGPY4XbguCoyXFxp6nFjK6huflz4/4BDE0zuHlgBPyGZ7LAlW7hYEoGGsm1cLZlKwQDa8CxMAwKRlQ=; 7:g6gM/eGVNnyr4/MEwQMUYBg/s63WHzBlcAh2vofDrtCDj08kAVEt8xqZ1L86q9C9nACJtqfLZFSZwQ3tBevDxbQskc4wLXIjJzbude0tfdPd0rbibbtyVT+5jdrEQjPFS4Twd3emzrZUNKh83PXhDtLoKDTc/CiR+KBA8BGgz/Z5W8iKOyalTDtS9PzoN9c3V3QDK2ub3mmjlBJWWDluwnNybLL8i7IbnfsrdOpfSakRCm6i66IMoOKyBlxIhbY2
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 9a9594ca-cf99-4ded-081f-08d58d056dd6
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(8989060)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(8990040)(2017052603328)(7153060)(7193020); SRVR:AM4PR0301MB1937;
x-ms-traffictypediagnostic: AM4PR0301MB1937:
x-microsoft-antispam-prvs: <AM4PR0301MB193782EF195EB94909BCA7BEBCD50@AM4PR0301MB1937.eurprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(166708455590820);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(10201501046)(93006095)(93001095)(3231221)(944501300)(52105095)(3002001)(6041310)(20161123558120)(20161123560045)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(6072148)(201708071742011); SRVR:AM4PR0301MB1937; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0301MB1937;
x-forefront-prvs: 06157D541C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39380400002)(396003)(366004)(346002)(39850400004)(376002)(189003)(199004)(13464003)(5250100002)(81166006)(14454004)(2950100002)(54906003)(2501003)(106356001)(81156014)(305945005)(7736002)(82746002)(72206003)(33656002)(2906002)(413944005)(6116002)(8936002)(83716003)(229853002)(74482002)(3846002)(478600001)(3660700001)(53936002)(966005)(97736004)(76176011)(2900100001)(6512007)(6506007)(53546011)(53376002)(66066001)(6246003)(99286004)(6486002)(5660300001)(8676002)(102836004)(105586002)(3280700002)(25786009)(186003)(26005)(68736007)(36756003)(58126008)(316002)(86362001)(4326008)(786003)(6306002)(6436002)(110136005)(59450400001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0301MB1937; H:AM4PR0301MB1906.eurprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: rhul.ac.uk does not designate permitted sender hosts)
x-microsoft-antispam-message-info: JWocOsbu6CVrmkJWXwsk1TVGNazUl0FPeDH0OLGqrVUO6vH5QA/p9D4q5ZliUPS7H+Chpq/f/huwTz8GGpPh6Zbxjn90Wvx8h5qO8s44YZWL/bAIKuWCw6pT/JnWiisSwmCmrtgbyHsuDLyTiwmimmJqLSH5AjbSO290zvApHVPyEtsu53nRwJftqh4jUe0ozDN3QULqwnMnbV0AG14odxEuBKfwZyZOhgftffhIy8Wg1h3Nks1qUHxd5MsN/962jnzjvMv72wSI+J5gKXXJQVxyYXf2vDsqNC8lrzf4xAVg6PQJuBR9Snx71+ATmOOgPyovrIQIpenqyY+ZIYpyHg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <E3AEB13B7E3CE4429DCF69F7BACAF6E4@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 9a9594ca-cf99-4ded-081f-08d58d056dd6
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2018 19:21:19.9108 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0301MB1937
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9DHZlFbK5Eqg4YQQHtaIAA56Yko>
Subject: Re: [Cfrg] draft-mcgrew-hash-sigs implementation and findings
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 19:21:26 -0000
Dear Paul, Many thanks for this report - it's excellent to have another implementation, but equally excellent that you shared your implementation experiences based on the draft. Authors: it seems like there's quite a few things here that should be cleaned up. Thanks, Kenny -----Original Message----- From: Cfrg <cfrg-bounces@irtf.org> on behalf of Paul Selkirk <paul@psgd.org> Date: Sunday, 18 March 2018 at 16:35 To: "cfrg@ietf.org" <cfrg@ietf.org> Subject: [Cfrg] draft-mcgrew-hash-sigs implementation and findings I'm pleased to announce a clean-room implementation of draft-mcgrew-hash-sigs-10. There are actually two flavors: 1) a naive implementation that adheres as closely as possible to the text and pseudo-code of the draft (including storing keys in xdr format); and 2) a version that is targeted to the CrypTech prototype HSM, with AES keywrapping for the keys, and using our own hash implementation and hardware-based RNG. Code is available at: https://wiki.cryptech.is/browser/user/paul/hashsig-naive https://wiki.cryptech.is/browser/sw/libhal Most of my previous comments on draft-08 (email to group on 13 November 2017) still stand, and have not been addressed in -09 or -10. Most of those comments are editorial in nature, and I won't belabor them here. What I will belabor is the pseudo-code (including lack of it), because that's essential for properly implementing the draft. The pseudo-code is generally complete and correct for LM-OTS, a little sloppier for LMS, and mostly missing for HSS. Section 4.4, Algorithm 1, step 2: n is not used here. Section 4.7, Algorithm 4a, missing step: set n p according to the pubtype and Table 1. Section 5.2, Algorithm 5, step 1: m is not used here. Section 5.2, Algorithm 5, missing step: generate I for this keypair. Section 5.2, Algorithm 5, missing step: return u32str(type) || u32str(q) || OTS_PRIV[0] || OTS_PRIV[1] || ... || OTS_PRIV[2^h - 1] Section 5.3, missing pseudo-code. I suggest something like the following: 1. determine LMS type, LM-OTS type, and I from private key 2. set h from the LMS type code and Table 2 3. compute the hash value of each leaf node as follows: r = 2^(h+1) - 1 while (r >= 2^h) { T[r] = H(I||u32str(r)||u16str(D_LEAF)||OTS_PUB[r-2^h]) r = r - 1 } 4. compute the hash value of each inner node as follows: r = 2^h - 1 while (r > 0) { T[r] = H(I||u32str(r)||u16str(D_INTR)||T[2*r]||T[2*r+1]) r = r - 1 } 5. return u32str(type) || u32str(otstype) || I || T[1] Section 5.4.1, missing pseudo-code. I suggest something like the following: 1. set type to the typecode of the LMS algorithm 2. create the LM-OTS signature for the message: ots_signature = ots_sign(message, LMS_PRIV[q]) 3. compute the array path as follows: r = 2^h + q i = 0 while (r > 1) { if (r is odd): path[i] = T[r-1] else path[i] = T[r+1] r = r/2 i = i + 1 } 4. S = u32str(q) || ots_signature || u32str(type) || path[0] || path[1] || ... || path[h-1] 5. q = q + 1 6. return S Section 5.4.2, Algorithm 6a, step 2e: "ots_signature = bytes 8 through 8 + n * (p + 1) - 1 of signature". This is actually the remainder of ots_signature after otssigtype. The full ots_signature would be bytes 4 through 8 + n * (p + 1) - 1. Section 6.1, missing pseudo-code. I suggest something like the following: 1. generate L LMS key pairs, as specified in sections 5.2 and 5.3 2. sign each child public key with the private key of its parent: i = 0 while (i < L-1) { sig[i] = lms_sign(LMS_PUB[i+1], LMS_PRIV[i]) i = i + 1 } 3. return u32str(L) || LMS_PUB[0] Section 6.2: missing pseudo-code. I suggest something like the following: 1. If the message-signing key LMS_PRIV[L-1] is exhausted, regenerate that key pair, together with any parent key pairs that might be necessary. If the root key pair is exhausted, then the HSS key pair is exhausted, and it MUST NOT generate any more signatures. if (LMS_PRIV[L-1].q == 2^h) { d = L-1 while (LMS_PRIV[d-1].q == 2^h) { if (d == 0) return FAILURE d = d - 1 } while (d < L) { regenerate keypair LMS_PRIV[d], LMS_PUB[d] sig[d-1] = lms_sign(LMS_PUB[d], LMS_PRIV[d-1]) } } 2. Sign the message sig[L-1] = lms_sign(msg, LMS_PRIV[L-1]) 3. Create the list of signed public keys i = 0 while (i < L-1) { signed_pub_key[i] = sig[i] || LMS_PUB[i+1] i = i + 1 } 4. return u32str(L-1) || signed_pub_key[0] || ... || signed_pub_key[L-2] || sig[L-1] Section 6.3: missing an Algorithm number and heading. Other things I noted while implementing: The python implementation at http://github.com/davidmcgrew/hash-sigs/ is badly out of date (draft-05), and either the code should be updated or the reference should be removed from the draft. The History for Version 05 (which really means changes from 05 to 06?) refers to SPHINCS, which also shows up as an Informative Reference, but the text mentioning SPHINCS was removed in -08. In the LMS signature, it's odd that q is first and lms_type is after the ots_sig. For consistency, I'd expect something more like u32str(lms_type) || ots_signature || u32str(q) || path[0] || ... However, that would be an incompatible change to the protocol, which I don't expect to happen at this late date. I just wanted to flag it as something unexpected. _______________________________________________ Cfrg mailing list Cfrg@irtf.org https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] draft-mcgrew-hash-sigs implementation and … Paul Selkirk
- Re: [Cfrg] draft-mcgrew-hash-sigs implementation … Paterson, Kenny
- Re: [Cfrg] draft-mcgrew-hash-sigs implementation … Scott Fluhrer (sfluhrer)
- Re: [Cfrg] draft-mcgrew-hash-sigs implementation … Paul Selkirk