Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness-improvements-08.txt

"Riad S. Wahby" <rsw@jfet.org> Fri, 22 November 2019 16:28 UTC

Date: Fri, 22 Nov 2019 08:27:58 -0800
From: "Riad S. Wahby" <rsw@jfet.org>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <20191122162758.kzx3vl4ibayykyqu@positron.jfet.org>
References: <157273808364.6043.6715638492611593951@ietfa.amsl.com> <77AD232C-094D-4FC1-A966-DA56EC44A27F@ericsson.com> <CAMr0u6=7r2wAD_3Yn1hBjJW-y=8FE27jeYQW8wk3wJ-Xh2g2hg@mail.gmail.com>
In-Reply-To: <CAMr0u6=7r2wAD_3Yn1hBjJW-y=8FE27jeYQW8wk3wJ-Xh2g2hg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HJfKqbMam7JUTXpmD4aur-ds4-o>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness-improvements-08.txt

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> wrote:
> Yes, I believe that it can be a great future direction of work, but this
> will be another construction, requiring additional security analysis etc. I
> think that the topic of improving randomness will always be a very
> important one, so a lot of other good ideas and good constructions may
> arise in the future.

I looked at the security analysis a while ago and although it's not
fresh in my mind now, at the time I was convinced that the analysis
applied almost directly to HMAC rather than a signature. Maybe I'm
crazy, incompetent, or mis-remembering, though! :)

As a more general point: the document's intro hints at this, but
maybe it should be made more explicit that this protocol is geared
towards the case where one's key is stored in an HSM. Sure, it works
in other cases, but the choice to use signatures appears to be directly
motivated by HSMs---otherwise, why not use a cheaper construction?

-=rsw
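As an added illustration (my own code, not from the draft or from anyone in this thread), here is the draft's wrapper as I recall it, G'(n, tag1, tag2) = Expand(Extract(G(L), H(Sig(sk, tag1))), tag2, n), with the per-key contribution made pluggable so the HMAC variant discussed above can stand in for the signature. The formula, the use of HKDF over SHA-256, L = 32 and the sample tags are assumptions; `wrapped_prng`, `hmac_contribution` and the deterministic `weak_prng` are hypothetical names.

```python
import hashlib
import hmac
import os
from typing import Callable

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract: PRK = HMAC(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, n: int) -> bytes:
    # RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i), output first n bytes
    out, block, counter = b"", b"", 1
    while len(out) < n:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:n]


def wrapped_prng(n: int, tag1: bytes, tag2: bytes,
                 contribution: Callable[[bytes], bytes],
                 base_prng: Callable[[int], bytes] = os.urandom,
                 L: int = 32) -> bytes:
    # G'(n, tag1, tag2) = Expand(Extract(G(L), H(contribution(tag1))), tag2, n)
    # The signature-based instance plugs Sig(sk, tag1) in as `contribution`;
    # the HMAC-based instance below uses HMAC(key, tag1) in the same slot.
    salt = base_prng(L)                              # G(L): the system PRNG
    ikm = HASH(contribution(tag1)).digest()          # H(Sig(sk, tag1)) or H(HMAC(k, tag1))
    return hkdf_expand(hkdf_extract(salt, ikm), tag2, n)


def hmac_contribution(key: bytes) -> Callable[[bytes], bytes]:
    # Assumed HMAC stand-in for the signature: keyed, deterministic, key-dependent
    return lambda tag1: hmac.new(key, tag1, HASH).digest()


def weak_prng(L: int) -> bytes:
    # Constructed stand-in for a compromised G whose output is predictable
    return bytes(L)


def outputs_depend_on_key(tag1: bytes, tag2: bytes) -> bool:
    # With G fixed and predictable, the wrapper output still changes with the key,
    # which is the property the draft's construction is meant to provide.
    a = wrapped_prng(32, tag1, tag2, hmac_contribution(b"key-one"), weak_prng)
    b = wrapped_prng(32, tag1, tag2, hmac_contribution(b"key-two"), weak_prng)
    return a != b and len(a) == 32
```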