Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness-improvements-08.txt

"Stanislav V. Smyshlyaev" <> Wed, 27 November 2019 10:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 03F401200F7 for <>; Wed, 27 Nov 2019 02:01:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ggQQmaWAiVGm for <>; Wed, 27 Nov 2019 02:01:38 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 34AFE120044 for <>; Wed, 27 Nov 2019 02:01:38 -0800 (PST)
Received: by with SMTP id s22so4744238ljs.7 for <>; Wed, 27 Nov 2019 02:01:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=89nWxjwpjeyKPFENl92Va5n9El1cak7W4y3V4Y4L39A=; b=Q0guTvptU0bR+GXrP1DZQ3kpd13MqB/1Zi1MWgWC0QJFwBetdtJ/279Wmzx4AkNc2H gY6DF4i/tmr7KssVBaXsg4Z+JiuxmHhYNgP5LfBX3FOcHnO/VT/BBIJj+lWAPAVm5LK5 WAmMhZfeBtp7Lr297pmGxbDD3sYqEMLhDRPnkOvAumeMOE8oBZIgN1H3w7ds0rupa8Wc LHQgJdMHMMjpZjg3QmQhm9+qMlTl2y3vrEfQHkOv7i2UV8F3O68ThI+hqik5htv8qcq/ twUAYrUsadPUmr8N/q8s6QgdLguEer/kbwZeNVkhGu/PN1GTQU735IdedxvvBglSOGJo qbnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=89nWxjwpjeyKPFENl92Va5n9El1cak7W4y3V4Y4L39A=; b=Hc7iR1RXslh+9OLA2vI2voX/Hc41U0VOKZKAvbL5thGYgVEtAb6KpTNMFcjaY7k63Z 4+O2qx99BMmgDRpHwqD1f9d+3BSZf+wuD+XRsEKX0HXuMbS6nrRzSDTLsYicOVRan4W+ nH8ye8JAm37vLu6DtI2CLBfMsQMV0RDdbfrQ1b+Xnb9UFTTWA6zB+XiCkI+wSJGrLBrC G4D7sjyCxrSZxA03nF6nmXm7m6IZ6MBWn+gTyn3GI15vQAQpKL4n7RiBzIMCzf+WzVRn xh6fWSct2cWZmPGqEbKXld2RnBZSgBBzuFN29kgM7iR8LDtHBBpPHZEGX8skPTZ5cuSx Lf9A==
X-Gm-Message-State: APjAAAUnpBlXbUnJwX38BS3wdRDLGhiUpoZFMimGmJiwzkzo3h7AeFo4 5x7sv9ndINubWPODuwFkoUg1Syknx9qhwsO9A98=
X-Google-Smtp-Source: APXvYqyawfjHY5vOUWjA6ix0WrRTLPccLGaTgK0PkwSI0yxa38LMpWO6yDZipX6oHnjkXA9LB/vmNTCU/dkb2kfwctg=
X-Received: by 2002:a2e:9016:: with SMTP id h22mr29945908ljg.137.1574848896272; Wed, 27 Nov 2019 02:01:36 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <> <> <>
In-Reply-To: <>
From: "Stanislav V. Smyshlyaev" <>
Date: Wed, 27 Nov 2019 13:02:26 +0300
Message-ID: <>
To: John Mattsson <>, Nick Sullivan <>, Christopher Wood <>, Christopher Wood <>
Cc: "Riad S. Wahby" <>, "" <>
Content-Type: multipart/alternative; boundary="00000000000009908d05985115fd"
Archived-At: <>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness-improvements-08.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Nov 2019 10:01:41 -0000

Many thanks, John!

Regarding a new document on different constructions for "improving
randomness", as I've just written to Riad (in the CFRG list) - I'll be
definitely happy to be involved in this, it seems really important (and,
maybe, arranging a discussion at CFRG at IETF 107 will be useful).
Don't mind if I'll get in touch with you off-list (to discuss, what should
be included in such a document) in the beginning of 2020? Would you like to
participate in this?

About the proposed changes in the I-D - I like all three of them.
Nick, Chris?

Best regards,

вт, 26 нояб. 2019 г. в 15:43, John Mattsson <>om>:

> Thanks for answers Stanislav!
> Stanislav V. Smyshlyaev wrote:
> >The security analysis can be modified for HMAC instead of Signature
> without
> >significant problems, I suppose. And also several useful alternative
> >constructions can be proposed (based on HMAC or DH as an operation with a
> >key).
> I think that would be a very useful thing for CFRG to do in a new draft.
> Even if you only look at TLS servers, they may only have a PSK (RFC 4279 or
> TLS 1.3), and in the future, they may only have a static DH key
> (draft-rescorla-tls-semistatic-dh-02). More good recommendations and
> concrete constructs for randomness is very needed practically. The ideas in
> the draft to
> use a context tag1, a nonce tag2, to split of inside HSM/outside HSM, and
> to prove the security of the construction are great.
> How to use randomness is also a topic for discussion (I don’t suggest
> inclusion in this draft). NIST (FIPS 186-5 Draft) is currently planning to
> include deterministic ECDSA but does not recommend it in general due to
> side-channel and fault attacks (
> One of the recommendation in that paper is to calculate k based on the
> message, but with added noise, an approach implemented in several places
> such as
> >As an example, it can happen if CSPRNG used by some user gets its data
> based on a joint
> >system entropy pool, which can be affected by another user (an adversary).
> Ok, that is a good explanation why the attacker could control the CSPRNG
> but not other parameters. I would suggest adding that to the draft.
> >Which word would you suggest instead of “dynamically”?.
> unique or nonce would be better. Looking at the draft again, I think it
> would make sense to just rename tag2 to "nonce" and tag1 to "context". That
> make things easier to understand and aligns with other RFCs.
> >Yes, we’ve had a lot of discussions about whether to include this
> limitation (following
> >from the security assessment, see [SecAnalysis]) into the I-D – just for
> the reasons you
> >are talking about. But since we wanted our construction to be solid and
> well-proven for
> >all recommended cases, we decided not to omit this limitation. And you
> are right about
> >the encoding issue – the thing is that in the security assessment we
> assume that tag2
> >can have 2^L’.
> If you keep the limitation, I think you need to add more clarification and
> guidance to the reader.
> - The limitation the construction cannot output more than L + L' bytes for
> each nonce tag2 would be good to write in a sentence.
> - Given a fixed L (e.g. 32 in HMAC-SHA-256) and a need to generate N byte
> of randomness. Should the implementer then choose a N - L byte encoding for
> the counter tag2? (Even after reading [SecAnalysis], I do not understand
> why the encoding of tag2 would affect the output length n). Or should the
> implementer choose a small L' and then generate several outputs (with
> different tag2) and concatenate?
> - Is L' fixed or can the implementation choose different encoding lengths
> for each value of tag2 depending on how many output bytes are needed.
> - When using a function with fixed-length output like HMAC-SHA-256 the
> value of L is given. When using a function with variable-length output like
> KMAC128 the value L is set by the user. Any recommendation there, or are
> all values of L equally good?
> - Is L fixed or can the implementation use different L for different
> values of tag1?
> /John
> -----Original Message-----
> From: Cfrg <> on behalf of "Riad S. Wahby" <
> Date: Sunday, 24 November 2019 at 22:37
> To: "Stanislav V. Smyshlyaev" <>
> Cc: "" <>
> Subject: Re: [Cfrg] I-D Action:
> draft-irtf-cfrg-randomness-improvements-08.txt
>     "Stanislav V. Smyshlyaev" <> wrote:
>     > But this makes the scope of the I-D (initially motivated by TLS
> servers)
>     > wider - a "menu of choices" of good solutions instead of one good
> solution.
>     > If we want to do this, then, as it seems to me, the current process
> with an
>     > I-D, which has already passed the RGLC and has moved to Waiting for
>     > Document Shepherd stage, should be stopped and returned to the
> previous
>     > stage of a work item before RGLC.
>     In this case, it seems like a separate document for other constructions
>     is definitely more appropriate---no sense introducing serious delay for
>     this document.
>     But: would it be possible to clarify, maybe just in the intro, that
> this
>     document is primarily geared toward the HSM case?
>     -=rsw
>     _______________________________________________
>     Cfrg mailing list