Re: [CFRG] Call for adoption for draft-dew-cfrg-signature-key-blinding
Christopher Wood <caw@heapingbits.net> Mon, 20 June 2022 13:55 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43DA6C15AACE for <cfrg@ietfa.amsl.com>; Mon, 20 Jun 2022 06:55:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.13
X-Spam-Level:
X-Spam-Status: No, score=-2.13 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=QmYETXdY; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=yELaTZ/x
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UnNk1CzdJopf for <cfrg@ietfa.amsl.com>; Mon, 20 Jun 2022 06:55:45 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95A18C15AAC6 for <cfrg@irtf.org>; Mon, 20 Jun 2022 06:55:45 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 3623B5C01E2; Mon, 20 Jun 2022 09:48:40 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Mon, 20 Jun 2022 09:48:40 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm2; t=1655732920; x= 1655819320; bh=1oXgdAslsbOnDX21t7e0eGpu71/EkkeFc1l9RGNJM5Y=; b=Q mYETXdY+gj69nSsbgkNpKjGcp74wM/Y9nsclNGyq6OjYKpH9s190QD/Elbairndq trs+dOFCv022jWl36+t+5i1PcVxPUXMRN/W97LbnGfn3GEnk2sG5YCpSiBsogFok XP8gh/uvg0OyVXxX803IEvydAkPU9xIZf5rgb/zTnFmTRuae/YAe6zrGc5dD+SiZ VWS8CAzhy2hkTsz3FDclotehrdNrG3RGzFduA4/56o3xQurv4lEf9gdW+Uuu4Wsf el3ahNdLvHGoSHdsMwJTvyanl+A654Fg9U9fx7TRc+Lhh9JDvRiqM3Un5Tl2LTRu HhdQwIkO01sPzogg1K+mg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1655732920; x= 1655819320; bh=1oXgdAslsbOnDX21t7e0eGpu71/EkkeFc1l9RGNJM5Y=; b=y ELaTZ/x/bTltCatQhhXA5JMMFLkzMcn5mgTHMPZpXQqR9WdkA0cBFIfnVl04CWAx XVVs29tEVZy1FOx8WXu7FiurIsjzF//nDVY54uaKUlGhgEBpo3lpuI4Z4VTXMzBE AUMvYC+DRDCwIL6IeWMYdS/v0ye7z0IouZnO0035bsp+IFmBbXJFunrNDtgo1DBy HAmzucDGUOhGncynDhLAdKt6aPPP9sv1IyJZ6n/2oo/iVCn7G52brEdhsuclpB2V lENAqMrvSqzx3WXa2D3NL4vD/d3wcE2ETro1GtHmxCud+j1wgHNwpXrmYA0dy1eT 3bd4rVxsDGqw6Xn5hTv3A==
X-ME-Sender: <xms:t3qwYo_sETlG-9EW4K1RCzTVAKtZYUJmISXOpL4kwnXfBhg39-ilHQ> <xme:t3qwYgtP9MRhj9GorJqwjml3kM1WokHyASlKhVmCXfswEH9Eac-hEPP6_pJ_-EkxN zmlsRM4qBOUs-Cb6HQ>
X-ME-Received: <xmr:t3qwYuDhjboAmPcr0TjObrH2lpldJvRXg9RyW-OE84aa5XW3IO4Qsi7lv2gaddJbwUogplWev-Resk1TFI6aZOQ2IsWGU7UGl9s>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudefuddgjedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne goufhushhpvggtthffohhmrghinhculdegledmnecujfgurheptggguffhjgffvefgkfhf vffosehtqhhmtdhhtddvnecuhfhrohhmpeevhhhrihhsthhophhhvghrucghohhougcuoe gtrgifsehhvggrphhinhhgsghithhsrdhnvghtqeenucggtffrrghtthgvrhhnpedvjeev ffegvdetveelfeejhffhteelfeetledvgfeuteeihfffieffjeelteejhfenucffohhmrg hinhepghhithhhuhgsrdgtohhmpdhgihhthhhusgdrihhopdhtohhrphhrohhjvggtthdr ohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe gtrgifsehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:t3qwYofYu6adOy2OWwZY9uM7zqHIfFqeIcl95RJgv3NItv0G5bjrLw> <xmx:t3qwYtM_PK3c71_n9OalRN-99GjPh_KMuG_2mx6iVmjnRp_cRTuf1g> <xmx:t3qwYilbaTWNd2rNoTTZ5oUxKXvZqpL7NwSBjpcxnl04rF_qBw8BLw> <xmx:uHqwYg2TAWla19OymgM1SxIFQVM0Qqqffst41460yls7JNuUb8lMxw>
Feedback-ID: i2f494406:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 20 Jun 2022 09:48:39 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <20220605144737.GL3694@yoink.cs.uwaterloo.ca>
Date: Mon, 20 Jun 2022 09:48:38 -0400
Cc: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, CFRG <cfrg@irtf.org>, cfrg-chairs@ietf.org, draft-dew-cfrg-signature-key-blinding@ietf.org, Ted Eaton <eeaton@uwaterloo.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <70EBE7A4-9356-4F23-AB6B-BC21B9D2CE03@heapingbits.net>
References: <CAMr0u6k9cXb8wL4zr5=jw-knpvXkNO285nap3Ch1MKVJODd0sg@mail.gmail.com> <CAG2Zi20C-yaR8VRN=qMuYbU_FOsFcOnMKnW5P8E54rprX1cDGA@mail.gmail.com> <20220605144737.GL3694@yoink.cs.uwaterloo.ca>
To: Ian Goldberg <iang@uwaterloo.ca>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cBNSNm_plKQdEEcnKv-kc77A338>
Subject: Re: [CFRG] Call for adoption for draft-dew-cfrg-signature-key-blinding
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2022 13:55:50 -0000
Thanks for the thorough review, Ian! I filed a couple issues to track various suggestions you made: - https://github.com/chris-wood/draft-dew-cfrg-signature-key-blinding/issues/33 - https://github.com/chris-wood/draft-dew-cfrg-signature-key-blinding/issues/32 - https://github.com/chris-wood/draft-dew-cfrg-signature-key-blinding/issues/31 Please see inline below for responses to some of your specific comments and questions. > On Jun 5, 2022, at 10:47 AM, Ian Goldberg <iang@uwaterloo.ca> wrote: > > I support adoption. My initial review follows. > > Notes from 5 Jun 2022 on > https://chris-wood.github.io/draft-dew-cfrg-signature-key-blinding/draft-dew-cfrg-signature-key-blinding.html > version of 29 Apr 2022 > > In the abstract, the "core property" you give for key blinding (as well > as the "moreover" property) would also apply to "just generate a fresh > key". It seems to me that the core property for key blinding should > distinguish itself from that scenario in some way. You have maybe one > sentence more detail in Section 1 ("In some applications, it's useful > for a signer to produce digital signatures using the same long-term > private signing key", so you're insisting on the same long-term signing > key), but that still admits the trivial construction of skR = KDF(skS, > counter), pkR = skR*G, where skS is the long-term key. It doesn't seem > like this construction would satisfy what you need. So what property > distinguishes what you're looking for? The clue appears to be in the > paragraph after: "producing a public verification key which is a > function of the long-term public verification key and same blinding > key". So this property, that the public verification key needs to be > producible from the master public key and the blinding key, appears to > be vital, and should be highlighted up front, perhaps explicitly > distinguishing the two more trivial cases above? Great suggestion! Indeed, as you observe, the two constructions you propose don't suffice. We did struggle concisely describing the desired property, and this comment certainly helps make the situation more clear. > > As noted in Ted's talk the other day, UnblindPublicKey is actually > optional (some key blinding systems intentionally don't provide a way to > unblind), and indeed you cite Tor's onion services protocol as a > motivating example, which is one such. It would be good to be explicit > about this, since this mode is actually useful (and used in practice > already). Note that this is not the same as the question of whether the > blinding key remains secret. For example, you can't unblind > pkS = H(bk, pkR, timestamp) * pkR whether or not you know bk, but that > still seems like a useful construction. There's an open issue for this right now, and we'll use that issue to track UnblindPublicKey being optional: https://github.com/chris-wood/draft-dew-cfrg-signature-key-blinding/issues/30 > > You cite [TORDIRECTORY] for "the Tor onion services protocol", but it > should be [TORONION] > https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt instead. > > "two separate key signing keys": you don't have key signing keys; > presumably you meant "two independent signing keys", or something like > that? > > At the start of 3, now you _insist_ that bk is secret: "Similar to the > signing key, the blinding key is also a private key that remains > secret." But then what of the critical property above that > distinguishes key blinding from "generate a fresh key"? If no one other > than the key holder can blind or unblind public keys on their own, so > that the key holder has to actually deliver the new public key each > time, then why _not_ use one of the two trivial constructions above? Thanks for pointing this out. This text needs to be updated to drop the claim that bk remains secret. Indeed, it's necessary to invoke the UnblindPublicKey operation. > > Nit: "a random scalar in the P-256 group": in my mind, "the P-256 group" > is the group of elliptic curve points, not the scalar field. But > hopefully no one will get confused by this wording. > > It's a little jarring that the list of four new functionalities is > repeated in Section 3, just a page or so after it first appears in > Section 1. > > Again in 3, the correctness condition requires the existence of > UnblindPublicKey, which may not exist. > > Aren't you missing another correctness condition at the end of Section > 3? Namely, that public keys produced with BlindPublicKey will correctly > verify signatures produced with BlindKeySign (using the standard > signature verification function)? > > In Section 4.1, "Interpret the lower 32 bytes buffer" isn't clear to me. > What is the "lower 32 bytes buffer" of a 64-byte buffer? The first 32 > bytes? And you just throw away the last 32 bytes? (You're using > SHA-512 here because it's already needed for Ed25519, right?) It's the first 32 bytes, yeah, though we should clarify. And yep, using SHA-512 due to RFC8032. > Explicitly skipping the buffer pruning step: this could lead to > complications. At least the last time I looked at the PyNaCl library, > for example, there was _no way_ to construct a PrivateKey object without > the library doing the buffer pruning. Indeed, but not skipping the pruning step leaks information about the underlying key. Ted discovered this bug in an earlier version of the draft. Rather than try to argue that this leakage can't be exploited, we deemed it simpler to simply skip the pruning step altogether. Libraries that implement this routine (and can skip the pruning step) can reasonably do this as needed, whereas implementations that reuse existing libraries may have a harder time. > > In Section 4.2, in which of steps 1 and 2 do you or don't you do buffer > pruning? It sounds like you do in step 1 but not in step 2? Yep, that's right. We'll make this more clear. > In Section 4.2, step 3, again not all Ed25519 libraries expose scalar > multiplication like this, particularly unpruned. > > In Section 5.2, it seems more explicit that step 1 and step 2 both *do* > do buffer pruning. (Except that contradicts Section 5.1, which suggests > it does *not*?) Is Ed448 intended to be different from Ed25519 here? No, this is laziness on our part. They should use the same sort of language here. > > In Section 6.1, UnblindPublicKey should take an argument of pkR, not pk. Fixed! > > I did not check the test vectors. Thanks again for the review. Best, Chris
- [CFRG] Call for adoption for draft-dew-cfrg-signa… Stanislav V. Smyshlyaev
- Re: [CFRG] Call for adoption for draft-dew-cfrg-s… Tommy Pauly
- Re: [CFRG] Call for adoption for draft-dew-cfrg-s… Christopher Patton
- Re: [CFRG] Call for adoption for draft-dew-cfrg-s… Ian Goldberg
- Re: [CFRG] Call for adoption for draft-dew-cfrg-s… Steven Valdez
- Re: [CFRG] Call for adoption for draft-dew-cfrg-s… Riad S. Wahby
- Re: [CFRG] Call for adoption for draft-dew-cfrg-s… Stanislav V. Smyshlyaev
- Re: [CFRG] Call for adoption for draft-dew-cfrg-s… Christopher Wood
- Re: [CFRG] Call for adoption for draft-dew-cfrg-s… Christopher Wood