IETF Logo Mail Archive

Re: [CFRG] Last call for draft-irtf-cfrg-vrf-09

Christopher Wood <caw@heapingbits.net> Wed, 10 November 2021 12:27 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FFAB3A0EC4 for <cfrg@ietfa.amsl.com>; Wed, 10 Nov 2021 04:27:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=LVp1IZMJ; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=S0fyY3iV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fPLpazEMAGqG for <cfrg@ietfa.amsl.com>; Wed, 10 Nov 2021 04:27:22 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A79E33A0ED2 for <cfrg@irtf.org>; Wed, 10 Nov 2021 04:27:22 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 74DF85C00BD; Wed, 10 Nov 2021 07:27:21 -0500 (EST)
Received: from imap41 ([10.202.2.91]) by compute1.internal (MEProxy); Wed, 10 Nov 2021 07:27:21 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm2; bh=2MhbAg4omLEbl5hN1ue3C7fNtGZR obBmNhh+oA0CPZ0=; b=LVp1IZMJ31pa99Kn4vFno/+Es4lxvV0DyMbkVwLFv3sj Gm2U8C4ahRtRDvFWlfI5znKUpIwOI2CP3c5BVpwsz1R2lCdkYltDIlEsvVU5Kb/0 b2knFAzZ2QcwFbKh9JYMAu5kpDPe7pS+DLXONVDHeWmvr94lDeazQEg27HE+zkGg bN80qSPpo/RxVlgQVej2b9VEeZ0F5cClNbaQ8F+/CM3KbQzG1zddsrZa8IaVGArp eBqrQnAOs25E3Alb0+5FTXjtX6BKaI/XTDoacpD2ANwpYD+L4bhiu1wo3WLYrf6B PN98BuEAOH2H2hQAadbqoIV2AMV1V+Fm5Qfi9RRiOA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=2MhbAg 4omLEbl5hN1ue3C7fNtGZRobBmNhh+oA0CPZ0=; b=S0fyY3iVmSdDIqEN1G2fMl YmWLpPc4fMvApz8Ban50D4PRKJDbndb7PUu7KE/is4mKYTtlPnwvv2t9IK79UK4E +wg4GrdasG9vcanhE/katI+VgzqHF3NA3XNG39ufn5WVClx0lWlTDVa5sf1SBGh1 82Z4Yre6YnIqSgYPfS79h3E4P9RuV2gwAe13fhumPTwbLNe1lubzv4Mm8P9TV0xC xlHb+PYdPHFsTmXb1U7bpdNNiWXUeW5dpQBi0YT0y1J5GxSE849xXtpkJVEMUH4u o/8HqphV2SjJxX5cOrdbSONnPLX/OSSHP9cHNgQjr2nlXoqXZ9/LyyYubGW/8oOw ==
X-ME-Sender: <xms:qbqLYesB2oKYsbN4drMaCbcLUHmb7DMo0tkUNXBlSvpmspsmPB_dJA> <xme:qbqLYTcPJmsxMDZEFDLLtKDCup3gu4Xhtqz_WKHAF_Xi3v9gD-9On1S4Y30gCn2nk QbcJM6L0Lp2B_tWw0g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrudejgdefkecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfvehhrhhi shhtohhphhgvrhcuhghoohgufdcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucggtffrrghtthgvrhhnpeetgffhgffhtefhjeektedutdfhheeiudffgedvtefgfeef veekffelgeefteffueenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhirggtrhdroh hrghdpihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehm rghilhhfrhhomheptggrfieshhgvrghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:qbqLYZw89IAu7BxjhKW3n23ay5sSMAyNJKhjNIRM7eVa-hv652t78Q> <xmx:qbqLYZNiJcN_3CTcYWLTPWfWFXroKj3DHtIv27n_5k49N-afmgTxSQ> <xmx:qbqLYe_OQkO3RfShM7P71sYuFtHlwsxyRFcUhcgQXjazpvzzbqiZ3w> <xmx:qbqLYfJREj9AptylbSCp_fuLUT1BSu4Y_Qt7yvc1tgiTU49mL5qhLg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 22D483C0AEC; Wed, 10 Nov 2021 07:27:21 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-1371-g2296cc3491-fm-20211109.003-g2296cc34
Mime-Version: 1.0
Message-Id: <07229251-9eab-42f6-a11d-d8a74bedc34e@www.fastmail.com>
In-Reply-To: <CAHZ6D0tgh5R7=F4ZQiKq34TnaA1p=NJJ85FUihzqh0LoJuFnfA@mail.gmail.com>
References: <CAFDDyk-YoTd=382yAAjuerPmhnS8_34QVkbtJcon+mvT2dBzjw@mail.gmail.com> <9d5f2e50-7437-48bf-8bf1-0cb01fe960e1@www.fastmail.com> <CAHZ6D0tgh5R7=F4ZQiKq34TnaA1p=NJJ85FUihzqh0LoJuFnfA@mail.gmail.com>
Date: Wed, 10 Nov 2021 04:27:00 -0800
From: Christopher Wood <caw@heapingbits.net>
To: Leonid Reyzin <reyzin@cs.bu.edu>
Cc: CFRG <cfrg@irtf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ab9UqjU1nAItxlbF1YexET3zvzU>
Subject: Re: [CFRG] Last call for draft-irtf-cfrg-vrf-09
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 12:27:28 -0000

Thanks for the response, Leo. All of your comments seem quite reasonable to me. Please see inline below for one followup comment.

On Tue, Nov 9, 2021, at 8:22 AM, Leonid Reyzin wrote:
> Thank you very much, Chris, for the detailed reading. I address your 
> comments point-by-point below.
>
> - Section 3: Many of the security properties have "weaker" versions (trusted 
>   uniqueness, trusted collision resistance, etc) and claims that these are 
>   sufficient for many applications. It is not clear under what conditions 
>   applications require stronger variants. Perhaps this should be added to
>   the security considerations?
>
> There is some language already there -- for example "Trusted uniqueness 
> is the same as full uniqueness, but it must hold only if the VRF keys 
> PK and SK were generated in a trustworthy manner" -- and more language 
> in Section 7, where these issues are discussed with respect to the 
> specific VRFs defined. In response to your comment, we have edited the 
> document to ensure a tighter integration between these two sections. 
> See 
> https://github.com/cfrg/draft-irtf-cfrg-vrf/commit/91b83b6d68d84b04963dd89e8afa42424ecaae98
>  
> - Section 3.4: Do we have proofs that the schemes in this document satisfy 
>   the RO-like property, or is this merely intuitively true? If the former,
>   perhaps we should note that this analysis remains to be done?
>  
> I don't believe anyone wrote down and published these proofs for these 
> very specific variants, but they follow easily because the output is 
> equal to an application of RO followed by a fixed permutation (and by 
> uniqueness no other output will be accepted). Appendix C of 
> https://eprint.iacr.org/2017/573.pdf does this proof for a very similar 
> variant of the ECVRF, and the proof for FDH is even simpler. To say 
> "analysis remains to be done" would be a bit too strong.
> 
>
> - Section 4/5: Unless I'm missing something, neither the RSA-baed VRF 
> has no
>   variant for achieving "full" security, unlike the ECVRF, which 
> depends on the
>   procedures in Section 5.6. Should this inconsistency be noted in the 
> introduction?
>  
> It is noted in detail in Security Considerations (7.1.1). We have 
> edited the introduction to security properties (Section 3, to be exact) 
> to point to 7.1.1 as part of the response to the first comment.
>
> - Section 5. "Note that with certain software libraries (for big integer and
>       elliptic curve arithmetic), the int_to_string and point_to_string
>       conversions are not needed" --> it seems worth clarifying that this is
>   is true iff the libraries return strings that are encoded in the same way
>   as required by the corresponding ciphersuites, for interoperability reasons.
>  
> Thanks, fixed. See 
> https://github.com/cfrg/draft-irtf-cfrg-vrf/commit/ba0d8b30d656825e9f03cc834bc1638dee7b5f05#diff-382a26a0bcccb52bc8c6ab7c862ed0ee8848df81772776e9fae86b36e5b1be11R858
> 
> - Section 5.3. It might be worth noting that the verification check does not
>   need to be done in constant time as it's a public operation. (The comparison
>   check at the end might lead one to ask whether or not it needs to be constant
>   time, so calling it out early would clarify.)
>
> Thanks, added a discusion to 7.4, where side channels are discussed. 
> See 
> https://github.com/cfrg/draft-irtf-cfrg-vrf/commit/ba0d8b30d656825e9f03cc834bc1638dee7b5f05#diff-382a26a0bcccb52bc8c6ab7c862ed0ee8848df81772776e9fae86b36e5b1be11R1339
>
> - Section 5.4.4. Remove "let" in "let <variable> = ..." statements, as this
>   is not done in other functions where variables are declared and initialized.
>  
> Thanks, fixed. See 
> https://github.com/cfrg/draft-irtf-cfrg-vrf/commit/ba0d8b30d656825e9f03cc834bc1638dee7b5f05#diff-382a26a0bcccb52bc8c6ab7c862ed0ee8848df81772776e9fae86b36e5b1be11R1174
>
> - Section 5.6. It's noted that the procedure in this section does not 
> work if either
>   the curve or generator are untrusted, but aren't these both fixed for 
> the suites
>   in this document? If so, I might remove this paragraph.
>  
> We prefer to mitigate against the risk that someone codes it in a way 
> that has the basepoint transferred from an untrusted source rather than 
> hardwired. We have added a clarification to that effect. See  
> https://github.com/cfrg/draft-irtf-cfrg-vrf/commit/ba0d8b30d656825e9f03cc834bc1638dee7b5f05#diff-382a26a0bcccb52bc8c6ab7c862ed0ee8848df81772776e9fae86b36e5b1be11R1242
>  
> - Section 5.6.1. Do implementations for curves with small cofactors 
> perform validation
>   by checking against known points? I don't know! If this isn't common, 
> I would simply 
>   remove the variant for ed25519, as it just seems simpler to clear the 
> cofactor and 
>   check against the identity element. Conversely, the hash-to-curve 
> document has specific 
>   cofactor clearing suggestions for each curve, and it seems reasonable 
> to be opinionated in
>   this document, too. One might even just re-use the methods in 
> draft-irtf-cfrg-hash-to-curve
>   for P-256 and ed25519.
>
> Yes, other implementations seem to -- we got this idea from another 
> implementation. It's faster and quite simple.
>
> - Section 7.1. Recommendations for randomness generation can probably be cribbed
>   from https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.1. 
>  
> Generation of secrets is an active R&D area and putting it in the 
> standard now seems premature.
>  
> # General comments
> - Can we remove try-and-increment entirely from this specification? The 
> security 
>   relevant discussion in 7.4 can be easily skipped by applications 
> looking to implement
>   one of the options in either 5.4.1.1 or 5.4.1.2.
>
> It requires a more complex set of libraries to implement the other 
> options. There are people who want to use try-and-increment, and in 
> most cases there's no harm, because the side channel attack that it 
> enables is only against the VRF input, which is not a secret.

I agree that it's simpler, and that's why it gives me pause. The temptation to use it for efficiency reasons is arguably quite high. The only text describing when it should be avoided seems somewhat hidden in 5.4.1.1:

   However, because the running time of algorithm depends on
   alpha_string, this algorithm SHOULD be avoided in applications where
   it is important that the VRF input alpha remain secret.

Minimally, I would promote this text to 5.4.1, and probably even add something to the security considerations elaborating on use cases where try-and-increment is not appropriate. 

Thanks again for your work on this document!

Best,
Chris

v2.23.0 | Report a Bug | By Email