Re: [CFRG] [irsg] IRSG review request: draft-irtf-cfrg-vrf-13
Colin Perkins <csp@csperkins.org> Thu, 25 August 2022 18:35 UTC
Return-Path: <csp@csperkins.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 481ACC15259F; Thu, 25 Aug 2022 11:35:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=csperkins.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xVgCfAMhd9zS; Thu, 25 Aug 2022 11:34:58 -0700 (PDT)
Received: from mx2.mythic-beasts.com (mx2.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C62BDC1524C0; Thu, 25 Aug 2022 11:34:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=csperkins.org; s=mythic-beasts-k1; h=Date:Subject:To:From; bh=yIbX6sZ5JzQvIu0hWlnJzwwv+RjqHFG2k8C1yhplbKI=; b=MHvL6xPucfR4RuXIr7E2nDV3zt /VrgLWZVWsGTpLeSIwlYPU8WCbmPOxn5ib2PisiVZoyWZiPMwoVlHzULTjo8S8oL1X/EAT8OsS0N0 C+87v6AH4cJsTYsLWTqXn+Blrn5+UrlEAARoZN+vxpc9aMwT0FqSxMNIP4EVjR1beXSPR39jOHujt zibUiotq/w8+IxblmTgQDe5y/ujouxkNfRPymRlI3EgnnVCCfRiWK733NgAsnkgAFJU4yjsMkqHFv lmyD6WS9uB9TjRL6hK96hB7g+UIdGlehd5Qx4IoSn4rUDlboDnOyFWtBVP9PwTlH0xk/UylryB45i xvERBc3Q==;
Received: from [81.187.2.149] (port=47905 helo=[192.168.0.72]) by mailhub-hex-d.mythic-beasts.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <csp@csperkins.org>) id 1oRHgt-001oL8-2C; Thu, 25 Aug 2022 19:34:55 +0100
From: Colin Perkins <csp@csperkins.org>
To: Mallory Knodel <mknodel@cdt.org>, Leonid Reyzin <reyzin@cs.bu.edu>
Cc: Internet Research Steering Group <irsg@irtf.org>, CFRG <cfrg@irtf.org>
Date: Thu, 25 Aug 2022 19:34:39 +0100
X-Mailer: MailMate (1.14r5913)
Message-ID: <38A0BAE0-657F-4EF5-A1F8-0F20995116EC@csperkins.org>
In-Reply-To: <CAHZ6D0tXPE45az=J9AUT3NDgx=9TEDAdO81hbU2xwTFm4o2gxw@mail.gmail.com>
References: <66620D79-509D-4036-95CB-8D8CEE1227D2@csperkins.org> <9625f922-fba2-c2fa-07f1-a297d2ffd5e2@cdt.org> <CAHZ6D0tXPE45az=J9AUT3NDgx=9TEDAdO81hbU2xwTFm4o2gxw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_83CC5520-ECB7-47C7-ABD0-18551AB166C9_="
Embedded-HTML: [{"plain":[184, 11522], "uuid":"C562B424-FD1B-407F-8277-0999B16D143D"}]
X-BlackCat-Spam-Score: 24
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XEK9L2sghYHi2c-IijCTg3pchTo>
Subject: Re: [CFRG] [irsg] IRSG review request: draft-irtf-cfrg-vrf-13
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2022 18:35:02 -0000
Hi Leo, Mallory, Thanks for the update. Mallory, can you please confirm if the changes address your review comments? Thanks, Colin On 28 Jul 2022, at 19:33, Leonid Reyzin wrote: > Dear Mallory, > > Thank you so much for a careful review. Your review encouraged me to > go > over Sections 3 and 7.1 with an eye toward readability by nonexperts. > I > reworked them accordingly. The new draft is here > https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/14/ and here > https://github.com/cfrg/draft-irtf-cfrg-vrf/commit/1be656811c54003a442608e9c6eb537aeb96afb4. > Responses to specific items inline below. > > Sincerely, > > Leo > > Leonid Reyzin > Professor, Boston University Computer Science > > > On Fri, Jul 15, 2022 at 2:22 PM Mallory Knodel <mknodel@cdt.org> > wrote: > >> Hi all, >> >> I've done a review for the IRSG of this document. My comments are >> below. >> As a reminder I'm preserving the IRTF Chair's request for review that >> includes the purpose of the IRSG review stage: >> >> On 6/16/22 7:41 AM, Colin Perkins wrote: >>> ...at least one IRSG member to volunteer to provide a detailed >>> review of >> the draft, as follows: >>>> IRSG reviewers should look for clear, cogent, and consistent >>>> writing. >> An important aspect of the review is to gain a critical reading from >> reviewers who are not subject matter experts and, in the process, >> assure >> the document will be accessible to those beyond the authoring >> research >> group. Also, reviewers should assess whether sufficient editorial >> and technical review has been conducted and the requirements of this >> process document, such as those described in IRTF-RFCs have been met. >> Finally, reviewers should check that appropriate citations to related >> research literature have been made. >> My review does not include sections 4. and 5. because they are >> primarily >> describing VRF constructions, the accuracy of which I cannot attest, >> and >> therefore I recommend an expert review of these if one has not >> already >> been done, though it seems from the shepherd write up that at least >> one >> has been done. >>>> The IRSG review often results in the document being revised. Once >>>> the >> reviewer(s), authors, and shepherd have converged on review comments, >> the >> shepherd starts the IRSG Poll on whether the document should be >> published. >> >> For what it's worth, I think even if none of the changes that I have >> suggested are accepted, though I hope they are helpful, that the >> draft >> be published. Please reach out if there are questions about my >> suggested >> changes; I would like to know which are not accepted. >> >> Super interesting work. I learned a lot and was happy to conduct this >> review! First comments, then nits. >> >> Comments: >> >> * It might be useful to readers to at some point in the document >> discuss why the two VRFs were chosen to be described in depth, >> versus >> others. The shepherd writeup contains some of this information. >> > > Added the following sentence to section 1: The choices of VRFs for > inclusion into this document were based, in part, on synergy with > existing > RFCs and commonly available implementations of individual components > that > are used within the VRFs. > > >> >> * Since sections 4. and 5. are both VRF constructions, you might >> actually preserve the promise that you specify "several" VRFs by >> restructuring the table of contents by creating a section on VRF >> constructions and then make RSA-FDH-VRF and ECVRF sub-sections. You >> could give an introduction to the section that discusses why you >> chose >> these two but also gives the reader some overall sense of where to go >> to >> look at other documentation of comparable construction >> specifications. > > > I think I prefer to keep them separate so as to avoid long section > numbers > and deep nesting. > > As far as comparable specifications, I am not sure what is appropriate > or > expected. There are some referenced in the "implementation status," > but > that section is to be removed, and is very difficult to keep up to > date, > anyway. VRFs are gaining in popularity, and thus whatever we write > there > will likely be quickly out of date. > > >> >> * Terminology section could be expanded to include definitions of: >> trustworthiness, adversarial, function, verifying among perhaps >> others. >> >> > Eliminated the use of "trustworthy" by rephrasing; defined > "adversary", > "adversarial", and "malicious". I want to draw a line at not turning > this > document into Crypto 101, as writing a Crypto 101 document is a very > different and highly involved task. > > >> * Relatedly I get the sense that there are quite a few terms of art >> that are also regular words, like "bounded" that ideally should be >> formally defined somewhere or the nuanced meaning that they have >> (versus >> the regular, everyday word) can get lost on a reader who is not a >> subject matter expert. These could go in the terminology section or >> they >> can simply be described the first time they are used. >> > > Cleaned up the jargon a bit in section 3; removed stuff that would be > meaningless to a nonspecialist while simultaneously unnecessary for a > specialist. > >> >> * Sometimes when "an adversary" is invoked, I think what is meant >> is >> that anyone, including adversaries, could perform or not perform such >> feats, eg 3.2 para 2. >> > > Indeed. In cryptography, anyone is a potential adversary. But you have > to > give it a name, so you can refer to it in the next sentence and > understand > its role. It's a bit like the word "consumer". > > >> >> * Question: in section 3.2 it's stated that trusted collision >> resistance VRFs MUST NOT be used if key generation process cannot be >> trusted, but it seems to me as a lay reader that whether the key >> generation process is trusted is the precise definition of full >> versus >> trusted collision resistance. I'm curious of the answer, but also >> this >> text really needs to be fixed to avoid confusion. >> > > > Full vs trusted collision resistance is a property of the VRF > algorithms as > specified and does not depend on the application. In contrast, whether > the > key generation can be trusted or not depends on who is running the > algorithms -- in other words, depends on the application. > > Rewrote those sections (and 7.1) to clarify. > > >> >> * Is there an opportunity to expand on the type of attacks >> described >> in 3.3 para 3? "a variety of chosen inputs alpha'" is doing a lot of >> work and might not immediately be understood to represent the threat >> of >> brute force or rainbow table attacks, if that is indeed what is meant >> here. >> >> > > Here the adversary doesn't get to do brute force or rainbow table > attacks > because it can't evaluate the VRF on its own, since it doesn't know > SK. But > it may obtain other VRF input/output pairs simply because the VRFs > gets > used somehow in the application. Rephrased to clarify. > > > >> * I am missing something about "selective pseudorandomness" being a >> weaker security property when each time it is mentioned it seems to >> be a >> stronger security property, including the paragraph that immediately >> follows. Either the text it is incorrect or it is too opaque, either >> way >> should be fixed. >> >> > Rephrased. The selective security property holds only against the > adversary > is more limited in what it can do. Hence it's a weaker security > property. > > >> * Would the "malicious key generation" discussed in 3.4 for >> unpredictability also have specific effects related to the other >> properties just described as well, eg collision, uniqueness, etc? It >> seems like a cross-cutting consideration and if so perhaps a >> restructure >> would help readers conceptualise that a bit better. >> > > Added an explanation as part of the restructuring > > >> >> * To that point, section 7.1.2 also discusses this and the >> relationship between the two sections is not entirely clear. Are they >> redundant? >> > > Not quite. 7.1.2 addresses pseudorandomness, not unpredictability. I > added > 7.1.3 to explain this. > > >> >> Nits: >> >> * Abstract | All mentions of "elliptic curves" should be >> uncapitalized >> unless part of a title (this seems to be the convention and the only >> instance currently is in the abstract). >> >> > Fixed > > >> * Abstract | doc specifies "several" VRF constructions, but >> actually >> only presents two. >> > > Removed "several". How many constructions we present depends on how > you > count -- there are two main constructions, but they branch into more > via > details specified in the ciphersuites. > > > >> >> * 3.1 para 1 | fixed VRF public key instead of "fixed public VRF >> key" >> > > Fixed here and elsewhere: "public VRF key" is now consistently "VRF > public > key" > > >> >> * 3.1 para 2 | the comma delimited list is hard to read and suggest >> instead you use alternative formatting like a indented list. >> > > Turned into bulleted list > > >> * 3.2 para 1 | "need to be" probably should be "are", otherwise >> you're >> defining an aspect of the specification it would seem. >> > > Indeed. Rephrased the section consistently. > > >> * 3.3 para 2 | any word ending in -ly should never be hyphenated, >> eg >> "adversarially chosen". >> > > Fixed here and elsewhere > > >> >> * 3.3 para 6 | "does not look" or "is not"? I get why randomness is >> merely an appearance to anyone but the Prover, but to the Prover it >> is a >> certainty, so it "is". Similarly in the following paragraph "does not >> look" could be "can be distinguished from a random value". >> >> > Rephrased to be more clear. Note that "does not look" is a stronger > statement than "is not", but agree that the phrasing was confusing. > > >> * 3.4 title | Some VRFs might be taken out of the heading since it >> seems that all of the properties you are describing are for Some >> VRFs, >> not all. If there is an important distinction here it might need >> expanding in the text instead of the title. >> >> > Clarified at the top of section 3. > > > >> * 3.4 title | Is the word "malicious" important here or could any >> key >> generation experience this? >> >> > That's the term from the literature, so changing it does not seem > appropriate. However, "malicious" generally means "doing whatever evil > you > feel like", which, of course, includes, as a possibility, doing > whatever > benign parties would do. Added a defintion of Malicious to 1.2. > > >> * 7.1.1 para 1 | "stadnard" should be standard. >> >> > Fixed (actually, it should be neither because what we are defining is > not a > standard; rephrased.) > > >> * 7.4 para 1 | Isn't the "private VRF key" the secret key? Seems >> this >> might be an instance that departs from the uniform notation a bit. >> > > Went through and made "VRF secret key" the default term everywhere > (except > when referencing the RSA standard, which uses the term "private key") > > >> >> * 7.8 para 1 | Dislike extensive parentheticals, so suggest making >> the >> latter half of the first sentence its own sentence. (If the point is >> worth including, just include it). >> > > Rephrased > > >> >> * 7.8 para 1 | "four queries" which four what? >> >> > Clarified > > >> * 7.8 para final | the reference in square brackets needs link >> text. >> >> > Not sure what the problem is or there even is a problem -- that's just > how > references to other documents appear when I use xml2rfc. References to > drafts and RFC all look like this throughout the document. > > > >> * 7.10 para 1 | Capitalise the first letter of the first sentence. >> >> > Fixed > > >> With thanks, >> >> -Mallory >> >> -- >> Mallory Knodel >> CTO, Center for Democracy and Technology >> gpg fingerprint :: E3EB 63E0 65A3 B240 BCD9 B071 0C32 A271 BD3C C780 >> >>
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Mallory Knodel
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Leonid Reyzin
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Colin Perkins
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Mallory Knodel
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Colin Perkins
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Leonid Reyzin
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Colin Perkins