Re: [Cfrg] BLS standard draft
David Wong <davidwong.crypto@gmail.com> Sun, 17 February 2019 16:54 UTC
Return-Path: <davidwong.crypto@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B70C51275F3 for <cfrg@ietfa.amsl.com>; Sun, 17 Feb 2019 08:54:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F9GffN0fYCpt for <cfrg@ietfa.amsl.com>; Sun, 17 Feb 2019 08:54:50 -0800 (PST)
Received: from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com [IPv6:2a00:1450:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 305BE12894E for <cfrg@irtf.org>; Sun, 17 Feb 2019 08:54:50 -0800 (PST)
Received: by mail-wm1-x32c.google.com with SMTP id m1so14934080wml.2 for <cfrg@irtf.org>; Sun, 17 Feb 2019 08:54:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5TQ+RszhTr8fwffMDILp595hhNaS+6k8HEell1OBqJg=; b=d2lubRuP4JkyadFOQ0+YBwAMSBzmdtokGv6Q9uFmZpwUAZwksTaJUu/2X7dQBphhaY H59Y1Qtw3Aefk/7+DC0EhzYXwHX+7ofBNCWi/YtjCNekpSlK9FgC6AGPT9ZoG8Q2/z9F UMCCeyTX3SrcU0HcHNyzHT6WkVnKPO0Jqz2AgYU0fyqgd2hrz/j7PzNtSoA11dB0VDV/ XIAXM8BUSATGifc3yaisnadEONsalCPYXUV9WTqNhFoBhScnLWOVqruPnoA3KFb1LLog A+K75vckxBQX2YK6szNMsQUTbLqBOln119T/oD6mB7iwQUnnIcB66//Lcxn/lc1TLtB3 KhZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5TQ+RszhTr8fwffMDILp595hhNaS+6k8HEell1OBqJg=; b=GAgYuvtFjTzPZfL61NuNgcb/jzSWcRTcjjObOoYryS0WtBhaLtYNORCnnl1tuK1baK oiB22r9t6vaShhq8VL8Gh10/Erqln9As44Cv74g4REO/4/84/ScmEgSyf+LncKTk+D5E +O++ziXSowcFbjyT2jQjgRoBaqriK3gRSevftZ19isl9sfUV+oeoPKXezFkk17jnek9Q F4BGT7V1Of2V1ffPCT7uXeZzYefwLvJJmxao1IwlUsTZmG1T+yvdLVMCepr6JpA1fhv/ okS1ubLJ7sq6yZpM+Y524VwQuTk5xQ8e1XbiYLBJRlHExZWVYwOHSdq4c6xh4UuQ46Ch VYqA==
X-Gm-Message-State: AHQUAuYywR4fi3lM5sLU6O6D2S9HTQ4IsXQxxJHjswSonHS49KfubwRj cnh0AXnLo6YJzi+ZIXhVEE133lMrNkiJEzLpMR4=
X-Google-Smtp-Source: AHgI3IY2esLBTMv1E6gkGRWW3Jw9FLFdO3rkUcmN1TCw2tL9Nhqtocgvjn/vQX/Do384uP4jDWOKObyliC1Ak3DY22k=
X-Received: by 2002:a1c:4406:: with SMTP id r6mr12825051wma.114.1550422488018; Sun, 17 Feb 2019 08:54:48 -0800 (PST)
MIME-Version: 1.0
References: <CACnav0oBNCt7VwR5_kvf7HqqVFF33iKv5y3mqeWnwx2UVHhD=g@mail.gmail.com> <CAND9ES1bYNC2V5oCHVXO4CO6iG5QBh+N51K4Mjdu6T3aBxF08A@mail.gmail.com> <CAEseHRqWTQppCOnF2KyZEKZyf4bhYr2nwuE6pHATnq84ttnLXg@mail.gmail.com> <CAHOTMV+0diByqDczj_uEDHZMW+uqzvVCDpi_2fSrr3N=F5tjMA@mail.gmail.com> <CABcZeBMeO=qrcpOZiPunJJSVUesS8j18Cg5zdiYPqc9CQ77P=g@mail.gmail.com> <2d819088.193a2.168e5c5ea85.Coremail.ylzhao@fudan.edu.cn>
In-Reply-To: <2d819088.193a2.168e5c5ea85.Coremail.ylzhao@fudan.edu.cn>
From: David Wong <davidwong.crypto@gmail.com>
Date: Sun, 17 Feb 2019 08:54:36 -0800
Message-ID: <CAK3aN2r9J9ToH6OZPNqUv4vNPx_DqJM+KQC=X=rfHFEkM5hkdg@mail.gmail.com>
To: 赵运磊 <ylzhao@fudan.edu.cn>
Cc: Eric Rescorla <ekr@rtfm.com>, CFRG <cfrg@irtf.org>, Sergey Gorbunov <sgorbunov@uwaterloo.ca>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/UWFVdaIo0ZMGwBFPWtx1GtKWxUE>
Subject: Re: [Cfrg] BLS standard draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Feb 2019 16:54:53 -0000
Hi again, I am not sure what the process is. If you have a github repo where we can participate or if you want us to give you feedback here. So here is some feedback from a first read. Feel free to ignore the bits you don't agree with of course. Some common themes were: * Keep in mind that this is for implementations, so remove information that belongs in a whitepaper * Make the RFC timeless (we should be able to read it in 5 years and understand it) * Set things in stone so that the RFC is actionable, don't make it vague. If people want to add to it, extensions and updates are possible later. And here is the more detailed feedback: - abstract: re-write with "what is it?" in mind first, history bits can wait until the introduction. I suggest using developer-friendly terms like "compression" and define aggregation later if the term is needed. Example: BLS is a digital signature scheme with compression properties. With a given set of signatures (sig_1, ..., sig_n) anyone can produce a compressed signature sig_compressed. The same is true for a set of private keys or public keys, while keeping the connection between sets (a compressed public key is associated to its compressed public key). Furthermore, the BLS signature scheme is deterministic, non-malleable, and efficient. Its simplicity and cryptographic properties allows it to be useful in a variety of use-cases, specifically when minimal storage space or bandwidth are required. - intro: - "A signature scheme is a fundamental cryptographic primitive used on the Internet that is used to protect integrity of communication" -> not necessarily used on the internet, and not necessarily for integrity of communications. - "2. Verification requires 2 pairing operations." -> at this point pairing is not defined, and what does that mean for the developer? how does it compare to other signature schemes that do not use pairing? - "we believe the scheme will find very interesting applications" -> too temporal. At some point, it is possible that the scheme will be popular and this sentence will seem out of place. - "the BLS signature scheme is already integrated" -> maybe out of place (as too temporal as well). If not, sort the list by alphabetical order, I think no one will mind that. - "BLS signatures are used for authenticating transactions as well as votes during the consensus protocol" -> I suggest we itemize the different use-cases of BLS (from PKI to blockchain). - section "1.1. Terminology" - "msg" -> I suggest we change that to "message" - "sigma" -> "signature" - "signer/verifier/aggregator" do we need roles for these? Can't we do with just an API ("sign/verify/compress") - "P1" is defined but never seem to be used. Am I missing something? - I suggest we spell "e()" as "pairing()" in the algorithms, and define it here - section "1.2. Signature Scheme Algorithms and Properties" - "A signature scheme comes with" -> "Like most signature schemes, BLS comes with the following API", this way we can leverage the reader's knowledge of other signature scheme. - "The signing algorithm may be deterministic or randomized, depending on the scheme" -> as this is a spec, we need to make a decision here. I think it makes more sense to make it deterministic. - section "1.2.2. Security" -> do we need these security properties in the RFC? It sounds to me like they would belong in a whitepaper instead. - section "2." - "BLS signatures require pairing-friendly curves" -> I suggest standardizing BLS with a set of curves. Extensions or updates can later add more curves if needed. - "There are two variants of the scheme" -> It'd be nice if the two variants were specified in this document, as they both have use-cases. - "Put ... in G1" -> not clear, rephrase - section "2.1. Preliminaries". I recommend renaming "suite_string" to "domain_separator" and having specific values for it instead of potential values. (We're standardizing something after all, ideally it should be self-contained) - section "2.4. Verify: Signature Verification" - "4. If r*Gamma != 0, output "INVALID" and stop" -> I had heard a while ago that this membership check was patented for ECDH. Anyone remembers something like this? - section "2.5. Aggregate" - it should be "sigma = E1_to_string(string_to_E1(sigma_1) + ... + string_to_E1(sigma_n))" - you specify verifying aggregates of SAME msg and of DIFFERENT msgs, but only have the aggregate algorithm for SAME msg specified. - section "2.5.3. Implementation optimizations". Two things: - this should be towards the end of the documentation as these are optional recommendations. Perhaps after "security recommendations" or as an appendix - is it really wise to have the standard contain this? Available optimizations may change over time. I've also never seen an RFC talking about optimizations. - section "2.7. Security analysis" -> I don't think this is necessary to have that in the RFC. - section "3.1. Verifying public keys" - define "G2 membership test" - "to prevent rogue key attacks" -> needs a reference - section "3.4. Randomness considerations" needs a citation, for example on ECDSA issues when the nonce is repeated - section "4. Implementation Status". Standards usually don't refer to implementations AFAIK. I imagine this is because their state can change, and new good implementations can arise after the RFC is set in stone. I think this is good to have in the draft though, so perhaps add an indication somewhere that this will be deleted in the final document. - section "6. IANA Considerations". Do we need this? - section "2.6.1. Preliminaries", "In fact, we will pad each substring with 0s so that the length of each substring is a multiple of 8." specify that this is in bits. Cheers, David
- [Cfrg] BLS standard draft Sergey Gorbunov
- Re: [Cfrg] BLS standard draft William Whyte
- Re: [Cfrg] BLS standard draft Michael Scott
- Re: [Cfrg] BLS standard draft david wong
- Re: [Cfrg] BLS standard draft Tony Arcieri
- Re: [Cfrg] BLS standard draft Eric Rescorla
- Re: [Cfrg] BLS standard draft 赵运磊
- Re: [Cfrg] BLS standard draft David Wong
- Re: [Cfrg] BLS standard draft Sergey Gorbunov
- Re: [Cfrg] BLS standard draft John Mattsson
- Re: [Cfrg] BLS standard draft Michael Scott
- Re: [Cfrg] BLS standard draft Sergey Gorbunov
- Re: [Cfrg] BLS standard draft Antonio Sanso
- Re: [Cfrg] BLS standard draft Antonio Sanso
- Re: [Cfrg] BLS standard draft Marek Jankowski