Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-06.txt

Christopher Wood <caw@heapingbits.net> Thu, 08 December 2022 17:30 UTC

From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <CAJowLmN8CZRS9V0N5tW=XohC9QNYRE-FpMe=errGSETAq7WT1w@mail.gmail.com>
Date: Thu, 08 Dec 2022 12:30:09 -0500
Cc: cfrg@ietf.org
Message-Id: <EF49520B-E29E-40E9-833D-39006F249339@heapingbits.net>
References: <166906886082.62494.8820552099363522855@ietfa.amsl.com> <6A1E08FD-09CF-4929-94DD-8B7A8E6CACBA@heapingbits.net> <CAMmp5CAt-A+qJTDbhwj14b24DUGD+xzxrbBpPGM2hCYfNVA4-w@mail.gmail.com> <CAJowLmN8CZRS9V0N5tW=XohC9QNYRE-FpMe=errGSETAq7WT1w@mail.gmail.com>
To: Franziskus Kiefer <franziskuskiefer@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/IzYGtBA4jMcXoayZsnfdhgjOp6s>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-06.txt

Thanks for the review, Franziskus! Please see inline below.

> On Nov 29, 2022, at 8:47 AM, Franziskus Kiefer <franziskuskiefer@gmail.com> wrote:
> 
> Chris asked me to review the draft.
> Apologies if some items were discussed already, I didn't follow the discussion closely.
> 
> The draft looks good to me. I only found some minor editorial issues.
> I also addressed a few issues here https://github.com/cfrg/draft-irtf-cfrg-blind-signatures/pull/154.
> 
> Section 3.
> random_integer_uniform: The use of boundaries M <= R < N confused me a little. Not thoroughly reading this section and then generating r = random_integer_uniform(1, n) I can see that someone might implement this as M <= R <= N. But maybe that's just me.

We addressed this in the latest version by being more explicit with words.

> 
> Section 4.1
> Errors: The RSAVP1 can throw an error that is not mentioned here. It can't actually be thrown because of the way the input (r) is defined. But mentioning that the error can't be raised might be useful.

Good catch — we fixed this.

> 
> Section 4.2
> I wonder if the error handling here makes sense. RSASP1 checks the following: "If the message representative m is not between 0 and n - 1, output "message representative out of range" and stop."
> This makes steps 1 and 3 unnecessary unless I'm missing something.
> Consistently raising errors from the functions called from RFC 8017 in all these sections would be nice so implementers know how to handle them.

We also fixed this. We removed redundant errors introduced by this spec and defer them to RFC8017 functions where appropriate. 

> 
> Section 5 comes a little out of the blue without explanation why this is here and who should use it. Would it make sense to either have this as an optional step in section 4 or move it to section 6 where it is used?

As noted in my responses to Martin and Scott, we fixed this with a reformulation of the protocol. In particular, we now have a “message preparation” step that adds randomness for those variants that require it, else does nothing for those that do not.

> 
> Section 8 (last paragraph)
> The draft states that PSS with a zero salt is equivalent to FDH such that the results from BNPS03 apply. But it doesn't say what security to expect from the salted version. Is there anything that could be said here?

We added a note that Lys22 covers the analysis for other variants. 

> 
> Appendix A
> Most values are encoded as "hexadecimal string" but some are prefixed with 0x and others are not. To make it easier for applications to use the test vectors a consistent encoding would be nice.

Nice catch! This has been fixed so that all test vector values are consistent.

Can you please let us know if the new version addresses all of your comments?

Best,
Chris

> 
> Best,
> Franziskus
> 
> On Fri, 25 Nov 2022 at 18:16, Scott Hendrickson <scott@shendrickson.com> wrote:
> As promised in the adoption call, I've reviewed the document. It looks good to me, with a few notes provided below.
> 
> I've sent one editorial nit in https://github.com/cfrg/draft-irtf-cfrg-blind-signatures/pull/152
> 
> Section 1
>  - Consider citing the voting [1] and authentication (maybe the g1vpn whitepaper [2] or private relay explainer [3] examples). It may feel like over-embellishment from our perspective, but someone reading this may not have the same context building systems like this as the authors do. I appreciate the review of other blind signing alternatives later on for the same reason.
> 
> Section 3
>  - In the description of random_integer_uniform(M, N), cryptographic security isn't mentioned, but is mentioned for random(n). Should this mention that the random source needs to be cryptographically secure?
> 
> Section 4.1
>  - All RSABSSA variants from Section 6 appear to use SHA-384 as the hash function, and MGF1. Should we indicate hash and mgf as parameters if they are held constant? I see that they are options in RFC8017, but if they are held constant in the RSABSSA uses, I'd avoid listing them as options until they need to vary.
> 
> Section 4.2
>  -  [editorial pr] blinded_msg, encoded and blinded message to be signed, an byte string -> *a* byte string
>  
> Section 4.3
>  - Same notes on hash and MGF1 from 4.1 feedback
> 
> Section 5
>  - Should this section be placed before section 4, so this reads in order? Randomize, blind, etc
>  - Consider defining || 
> 
> Best,
> Scott
> 
> On Mon, Nov 21, 2022 at 6:06 PM Christopher Wood <caw@heapingbits.net> wrote:
> This version of the document incorporates feedback received thus far in the RGLC. The primary change is the introduction of named variants to replace the old API guidance text. It’s our hope that these address the concerns raised by others and would greatly appreciate confirmation one way or another.
> 
> Best,
> Chris, for the editors
> 
> > On Nov 21, 2022, at 5:14 PM, internet-drafts@ietf.org wrote:
> > 
> > 
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Crypto Forum RG of the IRTF.
> > 
> >        Title           : RSA Blind Signatures
> >        Authors         : Frank Denis
> >                          Frederic Jacobs
> >                          Christopher A. Wood
> >        Filename        : draft-irtf-cfrg-rsa-blind-signatures-06.txt
> >        Pages           : 31
> >        Date            : 2022-11-21
> > 
> > Abstract:
> >   This document specifies an RSA-based blind signature protocol.  RSA
> >   blind signatures were first introduced by Chaum for untraceable
> >   payments [Chaum83].  It extends RSA-PSS encoding specified in
> >   [RFC8017] to enable blind signature support.
> > 
> > Discussion Venues
> > 
> >   This note is to be removed before publishing as an RFC.
> > 
> >   Source for this draft and an issue tracker can be found at
> >   https://github.com/chris-wood/draft-wood-cfrg-blind-signatures.
> > 
> > 
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-rsa-blind-signatures/
> > 
> > There is also an HTML version available at:
> > https://www.ietf.org/archive/id/draft-irtf-cfrg-rsa-blind-signatures-06.html
> > 
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-rsa-blind-signatures-06
> > 
> > 
> > Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
> > 
> > 
> > _______________________________________________
> > CFRG mailing list
> > CFRG@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
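The boundary and error-handling points raised in the thread (the half-open bounds of random_integer_uniform, the RSAVP1 error that cannot fire when r < n, and RSASP1's own range check making extra checks in the spec redundant), as an added example in Python that is not the draft's or the authors' code. It assumes a constructed toy key (p = 61, q = 53) and skips PSS encoding, so msg_rep stands in for the already-encoded message representative; the r parameter of blind() is an addition for deterministic testing.

```python
import secrets
from math import gcd
# Constructed toy key (p = 61, q = 53): illustrative sizes only, never for real use.
P, Q = 61, 53
N, E = P * Q, 17                       # N == 3233
D = pow(E, -1, (P - 1) * (Q - 1))

def random_integer_uniform(m, n):
    """Uniform R with m <= R < n: the upper bound is excluded. secrets is a CSPRNG."""
    if m >= n:
        raise ValueError("empty range")
    return m + secrets.randbelow(n - m)

def rsasp1(d, n, m):
    """RFC 8017 5.2.1: range check, then m^d mod n."""
    if not 0 <= m <= n - 1:
        raise ValueError("message representative out of range")
    return pow(m, d, n)

def rsavp1(e, n, s):
    """RFC 8017 5.2.2: range check, then s^e mod n."""
    if not 0 <= s <= n - 1:
        raise ValueError("signature representative out of range")
    return pow(s, e, n)

def blind(msg_rep, r=None):
    """Client: blind an encoded message representative in [0, N); r is optional for tests."""
    if r is None:
        r = random_integer_uniform(1, N)   # 1 <= r < N, so r == N cannot occur
    if gcd(r, N) != 1:                     # negligible for real key sizes, fatal here
        raise ValueError("blinding factor not invertible mod N")
    inv = pow(r, -1, N)
    blinded_msg = (msg_rep * rsavp1(E, N, r)) % N  # r < N: RSAVP1 cannot fail here
    return blinded_msg, inv

def blind_sign(blinded_msg):
    return rsasp1(D, N, blinded_msg)       # signer: RSASP1's own range check suffices

def finalize(blind_sig, inv):
    return (inv * blind_sig) % N           # unblinded: an ordinary RSA signature on msg_rep

def round_trip(msg_rep, r=None):
    blinded_msg, inv = blind(msg_rep, r)
    return rsavp1(E, N, finalize(blind_sign(blinded_msg), inv)) == msg_rep

def fails(fn, *args):                      # True if fn(*args) raises ValueError
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

With the toy modulus a random r collides with a factor of N a few percent of the time, which is why the tests below pass r explicitly; with a real 2048-bit key that event is negligible.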