[CFRG] Re: Rigid generation of RSA from a seed.
Orie Steele <orie@transmute.industries> Mon, 09 September 2024 14:21 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF2A3C157938 for <cfrg@ietfa.amsl.com>; Mon, 9 Sep 2024 07:21:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pSrvFnNIyyHq for <cfrg@ietfa.amsl.com>; Mon, 9 Sep 2024 07:21:32 -0700 (PDT)
Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79D10C15154E for <cfrg@ietf.org>; Mon, 9 Sep 2024 07:21:32 -0700 (PDT)
Received: by mail-pl1-x636.google.com with SMTP id d9443c01a7336-2053525bd90so36874085ad.0 for <cfrg@ietf.org>; Mon, 09 Sep 2024 07:21:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1725891691; x=1726496491; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2loUKMA50sm+/mWS9McLla7Fri4PmIEhSH/AeOB27Q4=; b=ZVhqQufa8VmmaYnQlr/ewQhzIT6gFc6p0N9QQqxn0zXj3SNEg/2jf7HWZD/Let5P/Y L8A7/KuZ2d/xOhpdXVefo0DDe0NodjtZ44eMRG9mYsCqfSHf/Q4GsMuKg3zTKMT+KYCB Kt3Ktl+HkVyhC8lWX06CecZx+niCUS2Qaxa97fLcLn5oC0q9+zXCNp1c9rPrfT2Br7SM U3rYU23iwr5lGK4ytc66urdLLblE/P63qPN+Qrnuxve2gkDdhv3snL1vvM6LDPN7dtVq fU6Ediww1z59/eU22O0tH5A8jSl6swzBg4m7WDpuWN+ciL+MrYicfMG3c1ya0FE8rlCc czcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725891691; x=1726496491; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2loUKMA50sm+/mWS9McLla7Fri4PmIEhSH/AeOB27Q4=; b=Mkb/oaleKeJdPp0TgZlFBqotRTGEQzGPetDWSg/FhEAnRydiZY9XUpaMf1sh6qUals dr+9xVO0sLpJY2m4GXSYtAPePc8gbT8f2a3WJ+07HlJYxW1mSYtELEeLMSyGpwOFkUWR yygthzaXSjqlDng5P5TNFevLf7ht+5stJVUdQ44NNvB/ktLLEsmAcJy9ghAlGXFRhKPI jxHaMLQKm4CrLd0TxC2DcyJ84f7Wdq0re6qTgoBcBVMGflq2nXuzIRDMuEmqTueTs4nJ aZcchnYkQs9fMqQg5RUnQ8n637iNJrjV6DC1aN1fZtDwF728JxrPkaAnpI0IN3mInc1R tANg==
X-Gm-Message-State: AOJu0YyIGwc9z22Ni/r4xd48M8qgtvM3GcoPCrkk/3rd2KNgtfrxK//O 4Ej/nQ7rog/55f54lrFQsmubmvWHPQFgVejeIo1IydRQP+ymZONniHE34RHlIZ1Ouo+uB7fcg2D u+yEXflNABOhzZfZirlidWEE6u/RsxdcfNa4p9w==
X-Google-Smtp-Source: AGHT+IFMn4sJxBbQIrbnAjxtmOrP/aF+Ydkh+FaUhSgxeGR5QmsQ1EDsTbBed0qibtL2Vr0xhIXTfx2Cutx+zX6pF8o=
X-Received: by 2002:a17:903:228a:b0:203:a14d:ed0 with SMTP id d9443c01a7336-206f049d32amr105002135ad.11.1725891691271; Mon, 09 Sep 2024 07:21:31 -0700 (PDT)
MIME-Version: 1.0
References: <172538719711.1420249.4393971363081609427@dt-datatracker-68b7b78cf9-q8rsp> <02e9a51e-b938-49f2-b832-de4d3ec575ee@redhat.com> <CAMm+Lwh3DwF1GA=WUMEsXZ-Ho__AKB6R-kfkxF9=pRZxn3jZBw@mail.gmail.com> <dad51c80-4eb6-423a-af8f-9a99c86377be@redhat.com> <CAMm+Lwikkoc=kRp_yZbYzPb4sNfwwtXfNPrf9TCsFEJ8wCD+xA@mail.gmail.com> <CAMm+LwjkFMGMCv7mL1dJh-D40tvPQOkVMtxG+Qo5z_OYaxstkg@mail.gmail.com>
In-Reply-To: <CAMm+LwjkFMGMCv7mL1dJh-D40tvPQOkVMtxG+Qo5z_OYaxstkg@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 09 Sep 2024 09:21:20 -0500
Message-ID: <CAN8C-_LLc54mPKbhwNugGoJE-ebp7ty2PC76jimtXOM5eB9Rxw@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: multipart/alternative; boundary="0000000000002df8ed0621b079c2"
Message-ID-Hash: 3H7XH47K2UWJ5IFZ5LGSOBTN7KIX5XI5
X-Message-ID-Hash: 3H7XH47K2UWJ5IFZ5LGSOBTN7KIX5XI5
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<cfrg@ietf.org>" <cfrg@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: Rigid generation of RSA from a seed.
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/V28CQmMZJN585AoO9rh5kmRLd4M>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
I did something similar for DIDs... by extending BIP32 / BIP39 / BIP44 beyond secp256k1 to ed25519 and bls12381 (I didn't cover secp256r1, or the other P curves) https://did.key.transmute.industries/generate/ed25519?seed=824c576ef63ea1e37a8820236acf37a97cb8c4432afd7172ee682f95b4b38725 ( a smarter strategy would be to put the seed in the fragment of the URL ). did key is basically a URN for public keys... when the public key can be converted to a blockchain / asset network address, you can also think of the did key as a URN for receiving / sending payments. This was just an experiment, obviously the same seed should not be used for multiple key types at the same time, etc... (lots of mistakes were made here, feel free to point them out.). There is some related work here: - https://eprint.iacr.org/2014/998.pdf - https://ieeexplore.ieee.org/document/7966967 The recent discussion of using KDFs to expand z and d in ML-KEM reminded me of this design. ... I was wondering about generating ML-KEM + ML-DSA keys from a single seed... With Ed25519 and X25519 there is point conversion which can be used to produce similar (not the same) results: https://libsodium.gitbook.io/doc/advanced/ed25519-curve25519 In a constrained environment, it can be nice to generate keys deterministically, and not need a separate deterministic key generation algorithm per key type. If you start with an Ed25519 seed, you can convert any Ed25519 key to an X25519 key, and use some algorithm to generate unique key pairs per interaction that can support both signing and key establishment. OS On Sat, Sep 7, 2024 at 12:53 PM Phillip Hallam-Baker <phill@hallambaker.com> wrote: > I have implemented a scheme to perform rigid generation of RSA keys based > on FIPS 185-5 > > The basic idea is that starting with a seed with a particular work factor, > we can generate the public keypair in a deterministic manner. This > approach provides a verifiable means of key generation. The application > that is accepting the private key can check that it has been correctly > constructed in accordance with best practice. > > The seeds could be encoded in a private key info structure same as for > ML-KEM, Ed448 etc. Or they can be specified in a human readable form. For > example, the following UDF key generation string has a 128 bit work factor: > > ZAAA-Q4DQ-QCO4-7TEG-WJYB-QD5B-YAXL-EMY > > It generates a 2048 bit key in about 2 seconds on my machine using the > FIPS 185-5 scheme generating two auxiliary primes used to construct p an q. > > Or you can generate the same key in a fraction of a second by adding a > hint string: > > FGCA-GSAS-IYIQ-GAY > > This specifies the number of rounds needed to derive p and q, the > auxiliary primes and a qualified seed for p and q in that order using a > simple run encoding scheme. > > And of course this can be expressed as a URI: > > udf:ZAAA-Q4DQ-QCO4-7TEG-WJYB-QD5B-YAXL-EMY:FGCA-GSAS-IYIQ-GAY > > > At this point, the main use I have for the scheme is in testing. I can set > up a test vector really easily: > > udf:ZAAA-Q-MY-SSH-TEST-KEY:SICM-CBAP-DEDU-UAQL > > And of course, I have the same scheme for Ed448, X448, ML-KEM, ML-DSA and > I am about to add P256, P384 and P521. > > > I make use of the scheme in the Mesh to provision keys to devices. The > idea of the Mesh being that Alice has 100 devices ranging from laptops > where she does coding to coffee pots and light switches. The Mesh squirts > the set of keys each device needs to perform its assigned purposes. > > Having a consistent, rigid means of generating the keys allows the > degree of trust to be minimized. > > _______________________________________________ > CFRG mailing list -- cfrg@irtf.org > To unsubscribe send an email to cfrg-leave@irtf.org > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [CFRG] I-D Action: draft-irtf-cfrg-rsa-guidance-0… internet-drafts
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Phillip Hallam-Baker
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Phillip Hallam-Baker
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Riad S. Wahby
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Phillip Hallam-Baker
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Mike Simpson
- [CFRG] Rigid generation of RSA from a seed. Phillip Hallam-Baker
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Riad S. Wahby
- [CFRG] Re: I-D Action: draft-irtf-cfrg-rsa-guidan… Alicja Kario
- [CFRG] Re: Rigid generation of RSA from a seed. Orie Steele
- [CFRG] Re: Rigid generation of RSA from a seed. Phillip Hallam-Baker