[CFRG] draft-irtf-cfrg-vrf09 feedback
Antonio Marcedone <antonio.marcedone@zoom.us> Fri, 12 November 2021 22:51 UTC
Return-Path: <antonio.marcedone@zoom.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E08B93A0820 for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 14:51:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.844
X-Spam-Level:
X-Spam-Status: No, score=-0.844 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zoom.us header.b=ejFlbx74; dkim=pass (1024-bit key) header.d=zoom.us header.b=IZpjM2y7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKpRFUW4xZzK for <cfrg@ietfa.amsl.com>; Fri, 12 Nov 2021 14:51:01 -0800 (PST)
Received: from mx0a-00569201.pphosted.com (mx0a-00569201.pphosted.com [205.220.166.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A17B83A081F for <cfrg@irtf.org>; Fri, 12 Nov 2021 14:51:01 -0800 (PST)
Received: from pps.filterd (m0222710.ppops.net [127.0.0.1]) by mx0b-00569201.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 1ACK93H9010530 for <cfrg@irtf.org>; Fri, 12 Nov 2021 14:51:00 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zoom.us; h=mime-version : from : date : message-id : subject : to : cc : content-type; s=dv03112021; bh=lgh5xIiPPnhwmHOg/hdqDqSa9TIHWcBgnzl+N18vTB0=; b=ejFlbx74GdNBJqcy/DwTUp1G/7JaE/HZBWOpWJpK7BBBrroN5kLePuEjkBGgMTEch615 F5IGZlXirMb9k/ZHNKtGc6dyyxt0iNWHr15AhyV2lLOV5H6Ao+QGd4IU296dejrn+zcb mqAb5NIqxNi4V4wRQI95zkcjInhFiF6iHBs41ledhqZCELFOkgATt1gvvyOX9eSlzC1j i48t7RokhQXRIcPZRtkBqhQzwlNoNXdPWOR04scd5oW2g6lD3SHxWruuM/Bee46i2pJY qwULHEr3toV5Hq51ODYlNeXwJ6XrPotSem452KVomgA4IE9+UzuolcIa4tbvysMxMJLl 4g==
Received: from mail-pg1-f199.google.com (mail-pg1-f199.google.com [209.85.215.199]) by mx0b-00569201.pphosted.com (PPS) with ESMTPS id 3c9y24rg90-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <cfrg@irtf.org>; Fri, 12 Nov 2021 14:51:00 -0800
Received: by mail-pg1-f199.google.com with SMTP id q29-20020a631f5d000000b002dfcc4e0201so3654498pgm.3 for <cfrg@irtf.org>; Fri, 12 Nov 2021 14:51:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zoom.us; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=lgh5xIiPPnhwmHOg/hdqDqSa9TIHWcBgnzl+N18vTB0=; b=IZpjM2y7JklE0hVW+Yl7aiYAzSjPs5pP7bn+z1bRztV1AorA8cMOTvLKpZkokG3avJ q+AOPz44j8YPnl/bEJN7xY3jegmQIlltDyCLjQtEOjHnDDI352Cypplkoh2QRLNLMjfZ d7TJUydWIGDZQQKD52BT95/butxv7eRXFezFw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=lgh5xIiPPnhwmHOg/hdqDqSa9TIHWcBgnzl+N18vTB0=; b=RzS2mWcvqbRDdE3EoJziCMZ/nGyp1jN338zDjpVtAJcNcZyj6LD2HmliVdRYrjRskL PQ2bOWzCXkK7DZX8RO/PTrbSgCl+bYt8biMF2gq/9JgWKNSC7vPBYNpSbwEfL27OPs9s RWhidEAYrU/3xOrQDVknuO/e5sWPJNF7ODnD1aCrl668e2TOotnjOHs/FxoJ+xTwX7Cv MqgVTtkBRn3lECobtN/hyvu7ogEcYtrQelSQ+O+p37y5tV9f8TmBr2neu5Z935WJY5PS pgLeyQfnaMKSfaHf0EgWaXazsoJHhyhf0e1TqfO9hWzwDTghOzZGS/Dm5dxGS97VUlE3 zIWA==
X-Gm-Message-State: AOAM531YfgoB1hJdLjV6DIjb8wotN2qaNVa9ir89XOpsW/Lk+6AsS9h7 rt74PgnT28ZvaHxcEVHPOGlWJ4QZ9YnYkqpelKE7fdxVcfgq6tSXlsDiUBJexaXXug1PX3AlO3i Rp6TTaPsUbs86sJCgi0Fh
X-Received: by 2002:a17:90b:3807:: with SMTP id mq7mr21995288pjb.38.1636757459632; Fri, 12 Nov 2021 14:50:59 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzE4MrSoy8RJTVayvh9Z6cNv5NAL0+vFy7xBjpzoG/NPI26SjRyQMvqft76vuSfioWCGtraBZ9RESR9y1Ugz/M=
X-Received: by 2002:a17:90b:3807:: with SMTP id mq7mr21995217pjb.38.1636757458991; Fri, 12 Nov 2021 14:50:58 -0800 (PST)
MIME-Version: 1.0
From: Antonio Marcedone <antonio.marcedone@zoom.us>
Date: Fri, 12 Nov 2021 17:50:48 -0500
Message-ID: <CAH2-gx2RW+4ODs2KwPapv+HGWgXxo-Lz-LNk=f7Xev7BPn3zQA@mail.gmail.com>
To: cfrg@irtf.org
Cc: Brian Chen <brian.chen@zoom.us>
Content-Type: multipart/alternative; boundary="000000000000edc6ee05d09f4a10"
X-Proofpoint-GUID: K0zpOUApA7XkLaJRPU3R3KXGMHEmbM7X
X-Proofpoint-ORIG-GUID: K0zpOUApA7XkLaJRPU3R3KXGMHEmbM7X
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-11-12_05,2021-11-12_01,2020-04-07_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 clxscore=1011 adultscore=0 malwarescore=0 spamscore=0 bulkscore=0 priorityscore=1501 mlxscore=0 lowpriorityscore=0 impostorscore=0 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111120115
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/MgZzIBpk6korpW4iDEy8h7SVSTE>
Subject: [CFRG] draft-irtf-cfrg-vrf09 feedback
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 22:51:08 -0000
Hello CFRG, Here is some additional feedback on draft-irtf-cfrg-vrf-09. In general we think the draft is well-written and helpful to implement the VRF functionality. We support its publication as an RFC, but have some concrete suggestions that we feel would clarify the specification, increase interoperability, and reduce the potential for bad parameter choices. Technical comments: - Lack of well-defined RSA-FDH ciphersuites: The specification (and the references quoted) do not seem to recommend a specific hash function, or a specific RSA modulus length. Therefore a compliant implementation might accept weak keys (that are too short), or there might be confusion around other parameters. We suggest adding a section specifying RSA ciphersuites, similarly to how it is done for ECVRF. In particular, defining ciphersuites with a fixed size for the RSA modulus and a specific hash function would reduce ambiguity and help to quickly determine whether different implementations of this standard can interoperate. To directly parallel Section 5, we could add a section 4.4 called “RSA-FDH-VRF Ciphersuites”, and add a reference to this section in the “Fixed options” of Section 4. - ECVRF PK Validation: The PK validation procedure for ECVRF seems like a likely thing for implementers to forget to do, especially given the way it is described in the standard. Even if a library claimed to implement ECVRF-P256-SHA256-TAI exactly according to the spec, it would be unclear if the implementation performs this check or not, which may cause confusion and security issues in cases where this check is important. We suggest mandating that compliant implementations MUST perform this check in all cases, as opposed to only when full uniqueness and full collision resistance are deemed necessary. Another option might be to have ciphersuites that turn this on explicitly, and others which don’t. Adding an additional test vector including a bad public key that the implementation should reject would ensure implementations correctly cover this case. Minor technical comments: - The suggestion of increasing the security parameter for applications concerned about tightness of cryptographic reduction cannot really apply to ECVRF, as the curves are fixed by the spec. If you decide to accept our previous suggestions and define parameters for the RSA based version, the same would apply there too. In that case, maybe clarify that this is more of a forward-looking suggestion for future versions of the spec? - Section 4: Should the size of the modulus n (or a bound on it) be a “Fixed option” like hLen? - Domain separation and notation: Section 7.7 implies that constants like one_string and two_string that are often used as inputs to the hash functions are for domain separation. In the RSA case, domain separation is trivial to check, as these different octets are at the beginning of inputs to both MGF1 and proof_to_hash. The only thing we would recommend is perhaps naming the constants in a way that makes this intent self-evident, such as defining TAG_PROOFTOHASH=0x01 and TAG_MGF1=0x02. On the other hand, in the ECVRF case things are a bit more complex, as these octets appear at different positions in different hash functions (sometimes they are in second position, sometimes in the last), and in some cases aren’t even there (and we rely on the hash inputs being only known to honest parties). We wonder if perhaps using a distinct octet (defined as a constant with a descriptive name) as the first octet of the input to each hash function would make both intent and reasoning easier. - Section 5.4.1.1: Suggest mentioning that arbitrary_string_to_point is allowed to return “INVALID” when it’s first defined, e.g., by inserting ‘or “INVALID” ’ after “conversion of an arbitrary octet string to an EC point.” On a first reading, the current definition seems to suggest that it already maps every octet string to a valid EC point. The fact that there are both a string_to_point and an arbitrary_string_to_point functions that seem to serve similar purposes is a bit confusing: as others have noted, the name doesn’t convey the difference. - Section 5.4.1.1, step 6: The loop is slightly suspicious in that it seems potentially unbounded; ctr looks like it can just keep going past a single octet, causing int_to_string to fail internally in a way that is not obviously handled. Suggest one sentence of clarification such as “The loop in step 6 errors if ctr reaches 256, but for all ciphersuites in Section 5.5, this is overwhelmingly unlikely.”, which may be helpful for implementers. Minor editorial comments: - Abstract: The text talks about “several VRF constructions”. But then “One VRF uses RSA and the other VRF uses...”. It could say “Some VRFs are based on RSA and others on Elliptic Curves (EC).” - Implicit definition of the Key Generation algorithm. Section 2 explicitly defines a syntax for the VRF_hash, VRF_prove, VRF_proof_to_hash, …, but only implicitly defines the need for a key generation algorithm (there is no VRF_keygen or similar). We think that explicitly mentioning this algorithm (with its inputs and outputs both in the EC case and the RSA case) would improve the clarity of the document, even if its actual implementation is deferred to some other specification. - Section 3.4: Suggest elaborating slightly on what “certain VRF applications” are, in addition to the provided references. A concrete proposal: “(such as preventing bias when selecting participants in some consensus protocols as in [GHMVZ17] and [DGKR18])”. - Section 4, under Primitives: Add a short parenthetical sentence about what MGF1 does to match the other primitives above it, for example: “(given a seed, which is an octet string, and a length, deterministically produce a pseudorandom octet string of the specified length)” - Section 4.1: The RSAFDHVRF_prove algorithm explicitly uses the RSA modulus n and its length k. Although these can be recomputed/extracted from K as in RFC8017, these are not formally inputs to the algorithm and so this makes the description hard to follow. Maybe we could add a step to explicitly extract n and k from K (as in Step 1 of ECVRF_prove), or add n as an explicit input. - The concatenation operator || is listed as notation in section 4 and as a primitive in section 5. In general the two sections are not organized consistently in terms of notation. We realize that this is to use a similar notation to other unrelated RFCs, but contents in the two sections do not flow organically. - The & operator in step 5 of the algorithm to validate keys in ed25519 (Section 5.6.1) is not defined, as well as the notation string[int] to indicate individual octets in a string. Given that * and || are defined, we suggest defining those too. - Section 3.4: The text says “Additionally, the ECVRF is believed to also satisfy this property ...” with respect to the random-oracle-like unpredictability property. The language doesn’t make it clear if this is just a conjecture or if a proof of this (in some formal model) exists in the literature. A more concrete reference would help. - Section 5.4.2.2 implicitly assumes that Hash has at least a 64 bytes output. Indeed, in RFC8032 Hash is fixed to be SHA512. If the intent is to use the same steps as the Signature algorithm from RFC8032, perhaps it would be worth explicitly fixing Hash here as well. Typos: - Section 5.4.1.1: Right before its description, ECVRF_hash_to_try_and_increment -> ECVRF_hash_to_curve_try_and_increment - Sec 7.7: “inputs all the hash functions used” -> “inputs to all the hash functions used“ Note that we did not check the test vectors. Sincerely yours in cryptography, Antonio Marcedone and Brian Chen Zoom Video Communications Note: these are our own views and do not reflect those of our employer [image: Zoom Logo for Email Signature.png] <https://zoom.us/> *Antonio Marcedone* Lead, Cryptography Engineering Zoom Video Communications [image: FB logo.png] <https://www.facebook.com/zoomvideocommunications> [image: Twitter Logo.png] <https://twitter.com/zoom> [image: LinkedIn Logo.png] <https://www.linkedin.com/company/zoom-video-communications-inc-> [image: Instagram Logo.png] <https://www.instagram.com/zoom/> Refer a Friend <https://zoom.us/myreferral> <https://partnerbasecamp.zoom.us/events>
- [CFRG] draft-irtf-cfrg-vrf09 feedback Antonio Marcedone
- Re: [CFRG] draft-irtf-cfrg-vrf09 feedback Leonid Reyzin