Re: [CFRG] draft-irtf-cfrg-vrf-08 research group last call (RGLC)
Leonid Reyzin <reyzin@cs.bu.edu> Fri, 19 February 2021 01:57 UTC
Return-Path: <leonid.reyzin@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAC8E3A0AB5 for <cfrg@ietfa.amsl.com>; Thu, 18 Feb 2021 17:57:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vhcwBt6pH3Vo for <cfrg@ietfa.amsl.com>; Thu, 18 Feb 2021 17:57:17 -0800 (PST)
Received: from mail-io1-f44.google.com (mail-io1-f44.google.com [209.85.166.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9C7C3A0AB4 for <cfrg@irtf.org>; Thu, 18 Feb 2021 17:57:16 -0800 (PST)
Received: by mail-io1-f44.google.com with SMTP id u20so4103052iot.9 for <cfrg@irtf.org>; Thu, 18 Feb 2021 17:57:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=40rAN9ObfqSYMjYmF3foDrnuZ8yRogVlrH6sPnxlmbg=; b=Ln6eAeV6/PzeBJhiXi7qyi4J4vcdfPbXoH4q4iN8/t9BgLh+aGWOoepEiQAJMcapOb X9tJv5ZwKUEWyHmaQROGxh5FOA/FPzf0ooFhqcSv/AjNwAdHJz+63XyKYi5/7c7IPYhK Ifn7BQn5Ge5A4qh7ioeAOxZpwbCBBtwbSn9zMnobtqKyZJB2ZPZnfOZKO+1XKLISP50h J7J2fZ87BGK1fdqOixgzWXoWwVO7MgBevr9BcCEtbTnVYVbxEA/J0H8idixPqdh2Ix9k 13bTj36WVllnRlX6qZcgxwvK2DY28HZqDD7VBUpFcnV0X2RfQBagp/TewcxBnYE6nwZQ Jf8Q==
X-Gm-Message-State: AOAM5319soIhTYXPkEAoxiuOsn1h+S+wMJNbTvcv3dB38kyUchxUxyec gtHem+v32TrWQNlnXBY89KT3mOvXpYgBsxAlm8KepyrBowHzzQ==
X-Google-Smtp-Source: ABdhPJxV40esSaFiOf5dyNsUPnLqiXlwdWtHQtu7HhAgOCQWbjSUG0B9dGvQ310uAx0ecPStjBll2ZYkcfTt5CKtzYc=
X-Received: by 2002:a5d:8052:: with SMTP id b18mr1834271ior.188.1613699835716; Thu, 18 Feb 2021 17:57:15 -0800 (PST)
MIME-Version: 1.0
References: <CAFDDyk9sGYePo=oyfF6++FjLsxksBQV9TgU0CwRU0vTRN-=D3Q@mail.gmail.com> <CACsn0ckmHtAMfmduBBbA0HQ9uxh4sZSP0PBc+GZcW6P=z+EXxg@mail.gmail.com>
In-Reply-To: <CACsn0ckmHtAMfmduBBbA0HQ9uxh4sZSP0PBc+GZcW6P=z+EXxg@mail.gmail.com>
From: Leonid Reyzin <reyzin@cs.bu.edu>
Date: Thu, 18 Feb 2021 20:56:49 -0500
Message-ID: <CAHZ6D0vZpyugSVwOCKHXehrtFYbP2ZbzR5FZk3hHyWrxoWLgWA@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000007b678d05bba6c5b8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KJwe92nLEkmJGpBe-OST_ilr_MQ>
Subject: Re: [CFRG] draft-irtf-cfrg-vrf-08 research group last call (RGLC)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2021 01:57:20 -0000
Thank you, Watson, for your comments and for subsequent clarifications! > My one textual comment is that typically implementation status is in a > section that says "Note to RFC editor: Remove before publication". > Will fix, thanks. > My one trivial substantive comment is that forcing recomputation by > the verifier of the points hashed to produce the challenge, rather > than having them hash the commitments to obtain the challenge and > verify the equations, prevents batching of verification. In > applications where multiple proofs are verified at once this is a big > improvement. > As Watson and I clarified in subsequent (private) emails, by adding U and V (instead of c) to pi_string in Section 5.1 and thus lengthening the proof (from 80 bytes to 128 bytes for typical parameter values), we can significantly improve verification times in Section 5.3 when multiple VRFs are verified in a single batch, by designing a batch verification algorithm. However, this change does little to improve verification time when a single VRF is being verified, which is what is currently specified. Given that this change offers a different point on the bandwidth / computation tradeoff for batch verification, but requires additional design and analysis for the batch verification algorithm, and offers little advantage in the standalone (non-batch) case, I suggest that we consider it as a different, additional ciphersuite if we feel that there is a compelling case. The draft is designed in a modular way, so that ciphersuites can be added as the need arises, without delaying the progress of the current draft. While batch verification works well when everything is honest, a single malicious pi will poison the entire batch, forcing slower verifications. Thus, batch verification is sometimes not a suitable alternative even when there are many proofs to verify. [Technical details of bandwidth/computation tradeoff are as follows: if we include U and V, then steps 5 and 6 of Section 5.3 become equation verifications, rather than computations. Multiple equation verifications can be combined into a single equation verification by a random linear combination of equations. We thus will go from separate exponentiations to a single multiexponentiation, which is faster, especially for large batches. We would need to decide how the verifier obtains randomness for this random linear combination (presumably, by hashing, but details matter) and analyze exact security of batch verification. This change would not speed up single-VRF verification by much (because it would combine only two equations, one of which is already anyway fast because of a fixed B and a short c, and at the same time it would destroy the advantage of having a short c, because c would get multiplied by a large random coefficient).] > My serious substantive comment is that the formation of the > distinguisher string imposes limitations on the hash2curve registry as > the encoding is not injective. The anachronist in me suggests RS as a > way to split the different parts of the distinguisher. Hash points > seems to assume that the point format will be self-delineating. I > think this can be fixed as part of the last call comments. > > We have figured out that this formation does not need to assume anything about the hash2curve registry, after all. It merely needs to assume that our ciphersuite identifiers in the vrf draft have distinct last bytes (in any case the current design is based on single-byte ciphersuite identifiers; if we suddenly go to over 256 ciphersuites, which seems extremely unlikely, there are reasonable backward-compatible options for new longer ciphersuite identifiers to coexist with the shorter ones). Best, Leo
- [CFRG] draft-irtf-cfrg-vrf-08 research group last… Nick Sullivan
- Re: [CFRG] draft-irtf-cfrg-vrf-08 research group … Watson Ladd
- Re: [CFRG] draft-irtf-cfrg-vrf-08 research group … Leonid Reyzin
- Re: [CFRG] draft-irtf-cfrg-vrf-08 research group … Nick Sullivan