[Cfrg] LDWM implementation questions (Hash-Based Signatures - draft-mcgrew-hash-sigs-02)

Szabó Áron <baronsz@freemail.hu> Mon, 05 January 2015 10:32 UTC

Return-Path: <baronsz@freemail.hu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD65E1A1B8A for <cfrg@ietfa.amsl.com>; Mon, 5 Jan 2015 02:32:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.896
X-Spam-Level: **
X-Spam-Status: No, score=2.896 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FREEMAIL_FROM=0.001, HELO_EQ_HU=1.35, HOST_EQ_HU=1.245, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WUU1i82FnZLt for <cfrg@ietfa.amsl.com>; Mon, 5 Jan 2015 02:32:51 -0800 (PST)
Received: from iwiw03d.mail.t-online.hu (iwiw03d.mail.t-online.hu [84.2.42.68]) by ietfa.amsl.com (Postfix) with ESMTP id D9EC11A2130 for <cfrg@irtf.org>; Mon, 5 Jan 2015 02:32:50 -0800 (PST)
Received: from fmx25.freemail.hu (fmx25.freemail.hu [195.228.245.75]) by iwiw03d.mail.t-online.hu (Postfix) with SMTP id 4F4994E9516 for <cfrg@irtf.org>; Mon, 5 Jan 2015 11:31:46 +0100 (CET)
Received: (qmail 62848 invoked by uid 151); 5 Jan 2015 11:32:48 +0100
Received: from fmlb00.freemail.hu (HELO fmxmldata04.freemail.hu) (195.228.245.211) by fmx25.freemail.hu with SMTP; 5 Jan 2015 11:32:48 +0100
Received: from webmail by smtp gw id t05AWmLM023568; Mon, 5 Jan 2015 11:32:48 +0100 (CET)
Date: Mon, 5 Jan 2015 11:32:48 +0100 (CET)
From: =?UTF-8?Q?Szab=C3=B3_=C3=81ron?= <baronsz@freemail.hu>
To: cfrg@irtf.org
Message-ID: <freemail.20150105113248.23567.1@fmxmldata04.freemail.hu>
X-Originating-IP: [91.120.40.131]
X-HTTP-User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
X-Original-User: baronsz
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/JmZb2i2yK4FMHBd2xgGfMBY4wlI
Subject: [Cfrg] LDWM implementation questions (Hash-Based Signatures - draft-mcgrew-hash-sigs-02)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jan 2015 10:32:54 -0000

Dear Members,

I am not a mathematician, but as a developer some questions came up during implementation the LDWM algorithm of standard draft (https://tools.ietf.org/html/draft-mcgrew-hash-sigs-02). Please, explain things that I imagine/understand wrong! Thx!

a)
"The LDWM public key is generated from the private key by applying the function F^(2^w - 1) to each individual element of x, then hashing all of the resulting values."

If I understand well the notations, "m" stands for length of (private) key chunks assigned as signature chunks based on the 0/1 value of H(message) "i"th bit (e.g. 256 bits in case of SHA-256, or 512 bits in case of SHA-512) and "n" stands for length of H(message) (e.g. 256 bits in case of SHA-256, or 512 bits in case of SHA-512).

In case of n=length(H(message)), there are no restrictions to the output length and the applied hash algorithm. It is also true in case of m=length(private_key_chunk[i]), but Winternitz parameter - { 1, 2, 4, 8 } - shall be applied to derive public_key_chunk[i] values before hashing (as I saw the pseudo-code in the draft). But why is this transformation specified as a "MUST" requirement? I mean, if I have a restriction that I shall not lose entropy at any sub-step of implementing the algorithm (e.g. because of Grover's algorithm) how can I use e.g. SHA-512 public keys as they are (without any kind of key size reduction) if the maximum value is just w=8 (2^8=256 bits)? So, shall/can I use e.g. w=16? Or is there any way to skip the size reduction sub-step of derived public keys in the pseudo-code (e.g. by inserting an "if-else" in it)?

b)
"A checksum is used to ensure that any forgery attempt that manipulates the elements of an existing signature will be detected."

Could you explain what the exact reason, and added value of this checksum is? I found nothing about this in the core descriptions of Lamport-Diffie one-time signature scheme in Bernstein-Buchmann-Dahmen's book. OK, I understand that this provides an easy way to pre-check signature validity before computing all the needed hashes (good from "developer" viewpoint), but if it is not a core step of algorithm (seeing from "mathematician" viewpoint), then I think this should be just an optional thing, isn't it? I have already read "8.1. Security of LDWM Checksum" section where it is described that "an attacker may try to change the values of h and c" and "then the attacker can compute F^a'(x[j]) from F^a(x[j]) = y[j]" which is the array of public key chunks. But if I assume a trusted-third-party model (e.g. trusted CAs issuing signed public keys as X.509 certificates) the alteration of end user public keys is not possible (OK, hacking the whole trusted chain or finding a new PRNG backdoor w
 ould provide a solution, of course, but now I think about the expected way of operation). So, in case of public key chunks are signed by some kind of CA, perhaps performing and concatenating this C(H(message)) can be avoided...

c)
>From the developer and user viewpoint: beyond the specification of the core algorithm, I think the IETF RFC 5280 (X.509) and/or IETF RFC 3447 (PKCS#1) standard (or maybe this draft itself) shall be modified with an update/amendment in order to describe the exact ASN.1 data structures of private/public keys and created signatures. I know that CA softwares, and applied crypto libraries will not implement these modifications immediately, but for development and testing reasons it would be important to involve these now. (As I see, the OID of algorithm - which is important part of SubjectPublicKeyInfo - is already defined: 1.2.840.113549.1.9.16.3.17.X). So, could you also define the ASN.1-level data structures? (see my attempt below)

LDWMPublicKey ::= SEQUENCE {
 version Version,
 algorithm AlgorithmIdentifier,
 keyChunks KeyChunks,
 otherInfo OtherInfo OPTIONAL
}

LDWMPrivateKey ::= SEQUENCE {
 version Version,
 algorithm AlgorithmIdentifier,
 keyChunks KeyChunks
}

LDWMSignature ::= SEQUENCE {
 version Version,
 signatureChunks KeyChunks,
 checksum Checksum OPTIONAL
}

Version ::= INTEGER { v1(0) }

AlgorithmIdentifier ::= SEQUENCE {
 algorithm OBJECT IDENTIFIER,
 parameters ANY DEFINED BY algorithm OPTIONAL
}

KeyChunks ::= SEQUENCE SIZE(1..MAX) OF KeyChunk

KeyChunk ::= SEQUENCE {
 chunk0 BIT STRING,
 chunk1 BIT STRING
}

OtherInfo ::= SEQUENCE {
 winternitz INTEGER,
 keyDerivation AlgorithmIdentifier OPTIONAL
}

Checksum ::= SEQUENCE {
 checksumCalculation AlgorithmIdentifier,
 leftShiftBits INTEGER
}

Best regards,
Aron Szabo

P.S.: I apologise for that if you get this e-mail twice.