IETF Logo Mail Archive

Re: [Cfrg] Comments on draft-irtf-cfrg-vrf-01

Sharon Goldberg <sharon.goldbe@gmail.com> Fri, 29 June 2018 23:56 UTC

Return-Path: <sharon.goldbe@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C7C2130F70 for <cfrg@ietfa.amsl.com>; Fri, 29 Jun 2018 16:56:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLRchHdH1lz6 for <cfrg@ietfa.amsl.com>; Fri, 29 Jun 2018 16:56:25 -0700 (PDT)
Received: from mail-it0-x244.google.com (mail-it0-x244.google.com [IPv6:2607:f8b0:4001:c0b::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCAED130F84 for <Cfrg@irtf.org>; Fri, 29 Jun 2018 16:56:24 -0700 (PDT)
Received: by mail-it0-x244.google.com with SMTP id u4-v6so5132508itg.0 for <Cfrg@irtf.org>; Fri, 29 Jun 2018 16:56:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FKWFIGsU60zFrddKxj1cYYqh2/G14au8XsU/TGRpxCo=; b=pZI8uzpu/NAHvM4BgWBS4J175JuitE2O+lHDbP4xKTjKHaZ8U7IwT4tTsVO2cT9CLC 1DShlH1Ug5hDm489hNFEJ0N+NVAOPl/1oYw8wh6c45Wn4DxNTCBbpjOOYNiuDpMbGcSg S/3asmDsx75MhBK8QDOsMqt3SCk7l11TMGnoS4xwZNOjIZRvj12+pMRKoxmT2lSOqqNb lcniibSYgH6zHHs495qLj+f7U8D3UDU1BgMjOZ7FJbAhWxnYNGoIQMQKf40E7rYV4F5Y zb5vFWWNAfEPBUR/5U61uLe4l+xvJN31N+X8oGf2uwVnVg5CrUSEDE0Cn3P11EzngDGg B+pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FKWFIGsU60zFrddKxj1cYYqh2/G14au8XsU/TGRpxCo=; b=BV/fI7YSQmltgdCxkkjmQ6+MWH7wVuUeaDKcUAgm8qzWQFjwa/Fmhi1Lq5UrUDAmLB bj0xDHaA7PDeEFiFe/uUhGzXya3pf/xgFRVDocUl0Yw2qqk7BW5KHV/GeIuqg2DCtgkf dtV+ibK+5PnunrNbIdyR9Z46HZVbDW9+nJYVH8BGrwkRuxvqKgAgqAxfOMJjFUxj+FZ/ gDsUA1ONJTq5nsz6KMVHUJVDy0LEFW5GQt74SsRCkuPP3QTr2EFcrZf1+eRSLnS1Lp4z 3UWXVH7XCLejrRB7rosi9uJmVh0+g9cQeywrA04MUVDFtfe8rGV+lip0avQxJ6MWSyUe /4jA==
X-Gm-Message-State: APt69E3ngYiZ2h6tFF6Bbtpr/kiOC2g43GlIUwpsgayBOioi1bhKPENU vU5lr12jLycSzwvs+EZtaJirHZ4dfe+WeXBp/78=
X-Google-Smtp-Source: AAOMgpd4/zqbicyyYwLM+2o4cq2p8hneFUNbwL9NkElv80O31cYVzzVGXHO8C19k/lGLfVZYA8Dgpl9UAtp/mHZjtw4=
X-Received: by 2002:a24:cc43:: with SMTP id x64-v6mr3666270itf.9.1530316584163; Fri, 29 Jun 2018 16:56:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a6b:9404:0:0:0:0:0 with HTTP; Fri, 29 Jun 2018 16:55:43 -0700 (PDT)
In-Reply-To: <CAMCcN7SPtbWnKDXMVWr08nr9PoVTyjbKyW8F_bOra6vLwgXmAQ@mail.gmail.com>
References: <CAMCcN7SPtbWnKDXMVWr08nr9PoVTyjbKyW8F_bOra6vLwgXmAQ@mail.gmail.com>
From: Sharon Goldberg <sharon.goldbe@gmail.com>
Date: Fri, 29 Jun 2018 19:55:43 -0400
Message-ID: <CAJHGrrS4KJJg-2ZT8DySF7nd3NYXybVGrW55Amh75F+X5rZ3cg@mail.gmail.com>
To: Marek Jankowski <mjankowski309@gmail.com>
Cc: Cfrg@irtf.org, Leonid Reyzin <reyzin@cs.bu.edu>
Content-Type: multipart/alternative; boundary="00000000000064a34d056fd098db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CZ9_zm_QxZj0L5iHsKHlC1HcW5I>
Subject: Re: [Cfrg] Comments on draft-irtf-cfrg-vrf-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jun 2018 23:56:37 -0000

Hi Marek,

Thank you for your review of draft-irtf-cfrg-vrf-01.  We addressed you
editorial comments in the new -02 version of the draft, posted today.  We
answer your questions below.

https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/

>Moreover, the parameter description seems to require the size of the field
to be an even number of octets. This is, of course, not actually required,
as the instantiation with ED25519 in 5.5 shows. It should be explicitly
mentioned that 2n is the size of a field element in octets, rounded up.

Actually, in both curves we specify in the ciphersuites section, the prime
q is exactly 32 octets (in ED25519 it is 2^255-19). We could be more
general but that would add a potential point of confusion that is not
necessary for the current ciphersuites.

> Section 7.3 - It is possible to also consider deterministic nonce
generation, as in EdDSA.

We also felt this is a good idea. We modified the draft to allow for only
deterministic nonce generation, following either deterministic ECDSA (RFC
6979) or  EdDSA (RFC 8032)

> The matter of domain separation in the context of EC is suggested (in a
TODO) in 5.4. Perhaps it should be added to the RSA-based scheme as well. I
can't think of a specific reason, but this makes for a good practice.

We agree. We added domain separation for the ECVRF. If our approach is met
with general approval, we will do the same for the RSA VRF.

> General question:
> Does pi necessarily give alpha away? That is, in applications where alpha
needs to remain secret, does pi need to be kept secret as well? If not
necessarily, is this a property that the RFC guarantees, or maybe another
possible property for a specific scheme?

That is a good point. Indeed, pi does NOT hide alpha, and we explained this
in 7.5.

Thanks,
Sharon Goldberg + Leo Reyzin

On Mon, Mar 26, 2018 at 10:55 AM, Marek Jankowski <mjankowski309@gmail.com>
wrote:
>
> Dear Goldberg, Reyzin, Rapadopoulos and Vcelak,
> I have several comments and questions about the VRF RFC draft.
>
> Section 2 - The last sentence reads "... is correct VRF hash of ...", but
should be "... is the correct VRF hash of ...".
>
> Section 3.1 - The wording is somewhat confusing to me. specifically, the
second paragraph is a very formal security definition, while the following
one is much less formal, which makes this somewhat awkward to read. I
propose using the same style as section 3.2, which uses informal language
throughout the section (and in the second paragraph in particular).
> Additionally, the use of "More precisely" in the second paragraph of
section 3.2 should also be adopted , as it makes it a lot clearer that the
first paragraph is a general description of the two following ones.
>
> Section 5 - It would probably make for easier reading if, after
describing the security properties of EC-VRF, there was a reference to
section 5.6 for those needing full collision resistance and full uniqueness.
> Moreover, the parameter description seems to require the size of the
field to be an even number of octets. This is, of course, not actually
required, as the instantiation with ED25519 in 5.5 shows. It should be
explicitly mentioned that 2n is the size of a field element in octets,
rounded up.
>
> Section 5.4.1 - It feels worthwhile to explicitly note that the two
hash_to_curve implementations are not compatible. Perhaps explicit domain
separation should be added.
>
> Section 7.3 - It is possible to also consider deterministic nonce
generation, as in EdDSA.
>
> The matter of domain separation in the context of EC is suggested (in a
TODO) in 5.4. Perhaps it should be added to the RSA-based scheme as well. I
can't think of a specific reason, but this makes for a good practice.
>
> General question:
> Does pi necessarily give alpha away? That is, in applications where alpha
needs to remain secret, does pi need to be kept secret as well? If not
necessarily, is this a property that the RFC guarantees, or maybe another
possible property for a specific scheme?
>
> Thank you,
> Marek.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>



--
---
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe

v2.23.0 | Report a Bug | By Email