Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

Jim Schaad <ietf@augustcellars.com> Wed, 19 September 2018 17:53 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: "'Saqib A. Kakvi'" <saqib.kakvi@uni-paderborn.de>, cfrg@irtf.org
References: <3B4BE320-418B-4FC1-8427-0EF2F58A0F01@vigilsec.com> <6FD96340-0D8D-44C0-9374-9D7A3F36F967@gmail.com> <27af097a-6769-fcc4-7b28-12c1ea77055a@uni-paderborn.de>
In-Reply-To: <27af097a-6769-fcc4-7b28-12c1ea77055a@uni-paderborn.de>
Date: Wed, 19 Sep 2018 10:53:20 -0700
Message-ID: <000d01d45041$a8930250$f9b906f0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cH_FHh5rOSDwMIwOyS27BJViBcY>
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

I have to admit that I was thinking about using a Full Domain Hash for the
signature, esp. because you could probably XOR in the ASN.1 hash algorithm
identifier and get back the hash substitution attack. However when I look
at http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf I see that they claim
that PSS is more secure than Full Domain. I have not done any sort of
search to see if things are tighter now than they were back in '96.

Jim

From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Saqib A. Kakvi
Sent: Wednesday, September 19, 2018 8:58 AM
To: cfrg@irtf.org
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

Hello Russ,

Replacing MGF1 with SHAKE should not present any problems that I can see.
The Mask Generation Function was used to overcome the fact that hash
functions have fixed length outputs. The fact that SHAKE is an eXtensible
Output Function (XOF) means that one no longer needs to use an MGF.

On the other hand, since we do have XOFs, I'm not sure that RSA-PSS
should still be the algorithm of choice, but rather one might consider
switching to the simpler RSA-Full Domain Hash or PKCS#1 v1.5 signature
schemes.
Tibor Jager, Alexander May and myself have recently found a security proof
for PKCS#1 v1.5 signatures, with the caveats that one must double their
modulus length and use an XOF/MGF. I will be presenting this result at
CCS 18 next month, and would be glad to discuss it with anybody there.
Additionally, a version should appear in the IACR ePrint archive in the near
future. I am also happy to send a copy of the paper to anybody who would
like to have one.

Best
Saqib

From: Russ Housley <housley@vigilsec.com>

Subject: [Cfrg] A new MGF for RSA-PSS based on SHAKE

Date: 17 September 2018 at 22:57:10 CEST

To: IRTF CFRG <cfrg@irtf.org>

Dear CFRG:

The IETF LAMPS WG is specifying the use of SHAKE with RSA-PSS for use with
certificates and CMS signed objects.  The current drafts are:

              draft-ietf-lamps-cms-shakes-01.txt
              draft-ietf-lamps-pkix-shake-02.txt

In discussion of these drafts, it was suggested that instead of replacing
SHA-1 in the RSA-PSS default mask generation function (MGF), one could
replace the entire MGF with SHAKE.  While it does look like a simple
substitution, I do not think the IETF LAMPS WG is the right group to make
the assessment.  CFRG may have people with the right skills, so I would
greatly appreciate your thoughts on this idea.

Russ

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
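The substitution Russ and Saqib discuss above, as an added worked example that is not code from the thread, from the LAMPS drafts, or from any of the participants: EMSA-PSS-ENCODE and EMSA-PSS-VERIFY from RFC 8017 (sections 9.1.1 and 9.1.2) written with the mask generation function as a pluggable parameter, so the same encoder runs once with MGF1 over SHA-256 (RFC 8017, Appendix B.2.1) and once with SHAKE256 used directly as the MGF. The `shake_mgf` construction (SHAKE256 over the seed, output truncated to the mask length) is an assumption for illustration only and is not taken from the drafts; the message, salt and encoding length are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Added example: pluggable-MGF PSS encoding. Not code from the thread or drafts.

MGF = Callable[[bytes, int], bytes]


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha256") -> bytes:
    """MGF1 from RFC 8017, Appendix B.2.1: Hash(seed || C) for C = 0, 1, 2, ..."""
    h_len = hashlib.new(hash_name).digest_size
    if mask_len > (2 ** 32) * h_len:
        raise ValueError("mask too long")
    out = bytearray()
    counter = 0
    while len(out) < mask_len:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:mask_len])


def shake_mgf(seed: bytes, mask_len: int) -> bytes:
    """Assumed construction: SHAKE256 is an XOF, so the seed is absorbed once and
    mask_len bytes are squeezed out; no counter loop is needed."""
    return hashlib.shake_256(seed).digest(mask_len)


def emsa_pss_encode(m: bytes, em_bits: int, mgf: MGF, hash_name: str = "sha256",
                    s_len: int = 32, salt: Optional[bytes] = None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 section 9.1.1) with the MGF passed in."""
    h_len = hashlib.new(hash_name).digest_size
    m_hash = hashlib.new(hash_name, m).digest()
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error")
    salt = os.urandom(s_len) if salt is None else salt
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()  # H
    ps = b"\x00" * (em_len - s_len - h_len - 2)
    db = ps + b"\x01" + salt
    db_mask = mgf(h, em_len - h_len - 1)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    # Clear the leftmost 8*emLen - emBits bits so EM < 2^emBits.
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(m: bytes, em: bytes, em_bits: int, mgf: MGF,
                    hash_name: str = "sha256", s_len: int = 32) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 section 9.1.2); must use the same MGF as encode."""
    h_len = hashlib.new(hash_name).digest_size
    m_hash = hashlib.new(hash_name, m).digest()
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2 or len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db = em[: em_len - h_len - 1]
    h = em[em_len - h_len - 1 : em_len - 1]
    shift = 8 * em_len - em_bits
    if masked_db[0] & (~(0xFF >> shift) & 0xFF):
        return False  # leftmost bits that must be zero are set
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf(h, em_len - h_len - 1)))
    db[0] &= 0xFF >> shift
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1 :])
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)


# Constructed sample values: a 2048-bit modulus gives emBits = 2047.
EM_BITS = 2047
MESSAGE = b"constructed sample message"
SALT = bytes(range(32))  # fixed salt so the run is reproducible


def roundtrip(mgf: MGF) -> bool:
    """Encode with the given MGF and verify with the same one."""
    em = emsa_pss_encode(MESSAGE, EM_BITS, mgf, salt=SALT)
    return emsa_pss_verify(MESSAGE, em, EM_BITS, mgf)


def cross_verify() -> bool:
    """Encode with MGF1 but verify with SHAKE: the masks differ, so it must fail."""
    em = emsa_pss_encode(MESSAGE, EM_BITS, mgf1, salt=SALT)
    return emsa_pss_verify(MESSAGE, em, EM_BITS, shake_mgf)


if __name__ == "__main__":
    print("MGF1/SHA-256 round trip:", roundtrip(mgf1))
    print("SHAKE256 round trip:    ", roundtrip(shake_mgf))
    print("mixed MGFs verify:      ", cross_verify())
```

The point the thread makes is visible in the two MGF bodies: MGF1 exists to stretch a fixed-length hash by hashing the seed with a counter, whereas an XOF produces an arbitrary-length mask from one absorb. The cross-verify case is the practical caveat: the MGF choice is part of the signature algorithm identity, so a verifier configured for one MGF rejects encodings made with the other, and the SHAKE variant therefore needs its own algorithm identifier rather than being treated as a drop-in for the SHA-based default.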