IETF Logo Mail Archive

[CFRG] draft-irtf-cfrg-vrf09 feedback

Antonio Marcedone <antonio.marcedone@zoom.us> Fri, 12 November 2021 22:51 UTC

Return-Path: <antonio.marcedone@zoom.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E08B93A0820 for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 14:51:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.844
X-Spam-Level:
X-Spam-Status: No, score=-0.844 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zoom.us header.b=ejFlbx74; dkim=pass (1024-bit key) header.d=zoom.us header.b=IZpjM2y7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKpRFUW4xZzK for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 14:51:01 -0800 (PST)
Received: from mx0a-00569201.pphosted.com (mx0a-00569201.pphosted.com [205.220.166.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A17B83A081F for <cfrg@irtf.org>; Fri, 12 Nov 2021 14:51:01 -0800 (PST)
Received: from pps.filterd (m0222710.ppops.net [127.0.0.1]) by mx0b-00569201.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 1ACK93H9010530 for <cfrg@irtf.org>; Fri, 12 Nov 2021 14:51:00 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zoom.us; h=mime-version : from : date : message-id : subject : to : cc : content-type; s=dv03112021; bh=lgh5xIiPPnhwmHOg/hdqDqSa9TIHWcBgnzl+N18vTB0=; b=ejFlbx74GdNBJqcy/DwTUp1G/7JaE/HZBWOpWJpK7BBBrroN5kLePuEjkBGgMTEch615 F5IGZlXirMb9k/ZHNKtGc6dyyxt0iNWHr15AhyV2lLOV5H6Ao+QGd4IU296dejrn+zcb mqAb5NIqxNi4V4wRQI95zkcjInhFiF6iHBs41ledhqZCELFOkgATt1gvvyOX9eSlzC1j i48t7RokhQXRIcPZRtkBqhQzwlNoNXdPWOR04scd5oW2g6lD3SHxWruuM/Bee46i2pJY qwULHEr3toV5Hq51ODYlNeXwJ6XrPotSem452KVomgA4IE9+UzuolcIa4tbvysMxMJLl 4g==
Received: from mail-pg1-f199.google.com (mail-pg1-f199.google.com [209.85.215.199]) by mx0b-00569201.pphosted.com (PPS) with ESMTPS id 3c9y24rg90-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <cfrg@irtf.org>; Fri, 12 Nov 2021 14:51:00 -0800
Received: by mail-pg1-f199.google.com with SMTP id q29-20020a631f5d000000b002dfcc4e0201so3654498pgm.3 for <cfrg@irtf.org>; Fri, 12 Nov 2021 14:51:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zoom.us; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=lgh5xIiPPnhwmHOg/hdqDqSa9TIHWcBgnzl+N18vTB0=; b=IZpjM2y7JklE0hVW+Yl7aiYAzSjPs5pP7bn+z1bRztV1AorA8cMOTvLKpZkokG3avJ q+AOPz44j8YPnl/bEJN7xY3jegmQIlltDyCLjQtEOjHnDDI352Cypplkoh2QRLNLMjfZ d7TJUydWIGDZQQKD52BT95/butxv7eRXFezFw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=lgh5xIiPPnhwmHOg/hdqDqSa9TIHWcBgnzl+N18vTB0=; b=RzS2mWcvqbRDdE3EoJziCMZ/nGyp1jN338zDjpVtAJcNcZyj6LD2HmliVdRYrjRskL PQ2bOWzCXkK7DZX8RO/PTrbSgCl+bYt8biMF2gq/9JgWKNSC7vPBYNpSbwEfL27OPs9s RWhidEAYrU/3xOrQDVknuO/e5sWPJNF7ODnD1aCrl668e2TOotnjOHs/FxoJ+xTwX7Cv MqgVTtkBRn3lECobtN/hyvu7ogEcYtrQelSQ+O+p37y5tV9f8TmBr2neu5Z935WJY5PS pgLeyQfnaMKSfaHf0EgWaXazsoJHhyhf0e1TqfO9hWzwDTghOzZGS/Dm5dxGS97VUlE3 zIWA==
X-Gm-Message-State: AOAM531YfgoB1hJdLjV6DIjb8wotN2qaNVa9ir89XOpsW/Lk+6AsS9h7 rt74PgnT28ZvaHxcEVHPOGlWJ4QZ9YnYkqpelKE7fdxVcfgq6tSXlsDiUBJexaXXug1PX3AlO3i Rp6TTaPsUbs86sJCgi0Fh
X-Received: by 2002:a17:90b:3807:: with SMTP id mq7mr21995288pjb.38.1636757459632; Fri, 12 Nov 2021 14:50:59 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzE4MrSoy8RJTVayvh9Z6cNv5NAL0+vFy7xBjpzoG/NPI26SjRyQMvqft76vuSfioWCGtraBZ9RESR9y1Ugz/M=
X-Received: by 2002:a17:90b:3807:: with SMTP id mq7mr21995217pjb.38.1636757458991; Fri, 12 Nov 2021 14:50:58 -0800 (PST)
MIME-Version: 1.0
From: Antonio Marcedone <antonio.marcedone@zoom.us>
Date: Fri, 12 Nov 2021 17:50:48 -0500
Message-ID: <CAH2-gx2RW+4ODs2KwPapv+HGWgXxo-Lz-LNk=f7Xev7BPn3zQA@mail.gmail.com>
To: cfrg@irtf.org
Cc: Brian Chen <brian.chen@zoom.us>
Content-Type: multipart/alternative; boundary="000000000000edc6ee05d09f4a10"
X-Proofpoint-GUID: K0zpOUApA7XkLaJRPU3R3KXGMHEmbM7X
X-Proofpoint-ORIG-GUID: K0zpOUApA7XkLaJRPU3R3KXGMHEmbM7X
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-11-12_05,2021-11-12_01,2020-04-07_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 clxscore=1011 adultscore=0 malwarescore=0 spamscore=0 bulkscore=0 priorityscore=1501 mlxscore=0 lowpriorityscore=0 impostorscore=0 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111120115
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/MgZzIBpk6korpW4iDEy8h7SVSTE>
Subject: [CFRG] draft-irtf-cfrg-vrf09 feedback
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 22:51:08 -0000

Hello CFRG,

Here is some additional feedback on draft-irtf-cfrg-vrf-09.

In general we think the draft is well-written and helpful to implement the
VRF functionality. We support its publication as an RFC, but have some
concrete suggestions that we feel would clarify the specification, increase
interoperability, and reduce the potential for bad parameter choices.

Technical comments:

- Lack of well-defined RSA-FDH ciphersuites: The specification (and the
references quoted) do not seem to recommend a specific hash function, or a
specific RSA modulus length. Therefore a compliant implementation might
accept weak keys (that are too short), or there might be confusion around
other parameters. We suggest adding a section specifying RSA ciphersuites,
similarly to how it is done for ECVRF. In particular, defining ciphersuites
with a fixed size for the RSA modulus and a specific hash function would
reduce ambiguity and help to quickly determine whether different
implementations of this standard can interoperate. To directly parallel
Section 5, we could add a section 4.4 called “RSA-FDH-VRF Ciphersuites”,
and add a reference to this section in the “Fixed options” of Section 4.

- ECVRF PK Validation: The PK validation procedure for ECVRF seems like a
likely thing for implementers to forget to do, especially given the way it
is described in the standard. Even if a library claimed to implement
ECVRF-P256-SHA256-TAI exactly according to the spec, it would be unclear if
the implementation performs this check or not, which may cause confusion
and security issues in cases where this check is important. We suggest
mandating that compliant implementations MUST perform this check in all
cases, as opposed to only when full uniqueness and full collision
resistance are deemed necessary. Another option might be to have
ciphersuites that turn this on explicitly, and others which don’t.
Adding an additional test vector including a bad public key that the
implementation should reject would ensure implementations correctly cover
this case.

Minor technical comments:

- The suggestion of increasing the security parameter for applications
concerned about tightness of cryptographic reduction cannot really apply to
ECVRF, as the curves are fixed by the spec. If you decide to accept our
previous suggestions and define parameters for the RSA based version, the
same would apply there too. In that case, maybe clarify that this is more
of a forward-looking suggestion for future versions of the spec?

- Section 4: Should the size of the modulus n (or a bound on it) be a
“Fixed option” like hLen?

- Domain separation and notation: Section 7.7 implies that constants like
one_string and two_string that are often used as inputs to the hash
functions are for domain separation. In the RSA case, domain separation is
trivial to check, as these different octets are at the beginning of inputs
to both MGF1 and proof_to_hash. The only thing we would recommend is
perhaps naming the constants in a way that makes this intent self-evident,
such as defining TAG_PROOFTOHASH=0x01 and TAG_MGF1=0x02.
On the other hand, in the ECVRF case things are a bit more complex, as
these octets appear at different positions in different hash functions
(sometimes they are in second position, sometimes in the last), and in some
cases aren’t even there (and we rely on the hash inputs being only known to
honest parties). We wonder if perhaps using a distinct octet (defined as a
constant with a descriptive name) as the first octet of the input to each
hash function would make both intent and reasoning easier.

- Section 5.4.1.1: Suggest mentioning that arbitrary_string_to_point is
allowed to return “INVALID” when it’s first defined, e.g., by inserting ‘or
“INVALID” ’ after “conversion of an arbitrary octet string to an EC point.”
On a first reading, the current definition seems to suggest that it already
maps every octet string to a valid EC point. The fact that there are both a
string_to_point and an arbitrary_string_to_point functions that seem to
serve similar purposes is a bit confusing: as others have noted, the name
doesn’t convey the difference.

- Section 5.4.1.1, step 6: The loop is slightly suspicious in that it seems
potentially unbounded; ctr looks like it can just keep going past a single
octet, causing int_to_string to fail internally in a way that is not
obviously handled. Suggest one sentence of clarification such as “The loop
in step 6 errors if ctr reaches 256, but for all ciphersuites in Section
5.5, this is overwhelmingly unlikely.”, which may be helpful for
implementers.

Minor editorial comments:

- Abstract: The text talks about “several VRF constructions”. But then “One
VRF uses RSA and the other VRF uses...”. It could say “Some VRFs are based
on RSA and others on Elliptic Curves (EC).”

- Implicit definition of the Key Generation algorithm. Section 2 explicitly
defines a syntax for the VRF_hash, VRF_prove, VRF_proof_to_hash, …, but
only implicitly defines the need for a key generation algorithm (there is
no VRF_keygen or similar). We think that explicitly mentioning this
algorithm (with its inputs and outputs both in the EC case and the RSA
case) would improve the clarity of the document, even if its actual
implementation is deferred to some other specification.

- Section 3.4: Suggest elaborating slightly on what “certain VRF
applications” are, in addition to the provided references. A concrete
proposal: “(such as preventing bias when selecting participants in some
consensus protocols as in [GHMVZ17] and [DGKR18])”.

- Section 4, under Primitives: Add a short parenthetical sentence about
what MGF1 does to match the other primitives above it, for example: “(given
a seed, which is an octet string, and a length, deterministically produce a
pseudorandom octet string of the specified length)”

- Section 4.1: The RSAFDHVRF_prove algorithm explicitly uses the RSA
modulus n and its length k. Although these can be recomputed/extracted from
K as in RFC8017, these are not formally inputs to the algorithm and so this
makes the description hard to follow. Maybe we could add a step to
explicitly extract n and k from K (as in Step 1 of ECVRF_prove), or add n
as an explicit input.

- The concatenation operator || is listed as notation in section 4 and as a
primitive in section 5. In general the two sections are not organized
consistently in terms of notation. We realize that this is to use a similar
notation to other unrelated RFCs, but contents in the two sections do not
flow organically.

- The & operator in step 5 of the algorithm to validate keys in ed25519
(Section 5.6.1) is not defined, as well as the notation string[int] to
indicate individual octets in a string. Given that * and || are defined, we
suggest defining those too.

- Section 3.4: The text says “Additionally, the ECVRF is believed to also
satisfy this property ...” with respect to the random-oracle-like
unpredictability property. The language doesn’t make it clear if this is
just a conjecture or if a proof of this (in some formal model) exists in
the literature. A more concrete reference would help.

- Section 5.4.2.2 implicitly assumes that Hash has at least a 64 bytes
output. Indeed, in RFC8032 Hash is fixed to be SHA512. If the intent is to
use the same steps as the Signature algorithm from RFC8032, perhaps it
would be worth explicitly fixing Hash here as well.

Typos:
- Section 5.4.1.1: Right before its description,
ECVRF_hash_to_try_and_increment -> ECVRF_hash_to_curve_try_and_increment
- Sec 7.7: “inputs all the hash functions used” -> “inputs to all the hash
functions used“

Note that we did not check the test vectors.

Sincerely yours in cryptography,
Antonio Marcedone and Brian Chen
Zoom Video Communications
Note: these are our own views and do not reflect those of our employer

[image: Zoom Logo for Email Signature.png] <https://zoom.us/>

*Antonio Marcedone*

Lead, Cryptography Engineering

Zoom Video Communications
[image: FB logo.png] <https://www.facebook.com/zoomvideocommunications> [image:
Twitter Logo.png] <https://twitter.com/zoom> [image: LinkedIn Logo.png]
<https://www.linkedin.com/company/zoom-video-communications-inc-> [image:
Instagram Logo.png] <https://www.instagram.com/zoom/> Refer a Friend
<https://zoom.us/myreferral>
<https://partnerbasecamp.zoom.us/events>

v2.23.0 | Report a Bug | By Email