IETF Logo Mail Archive

Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-06.txt

Christopher Wood <caw@heapingbits.net> Thu, 08 December 2022 17:38 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 088DAC14CE3E for <cfrg@ietfa.amsl.com>; Thu, 8 Dec 2022 09:38:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=ddeHEb9O; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Bh3K+J41
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2h1tNA3lidQ2 for <cfrg@ietfa.amsl.com>; Thu, 8 Dec 2022 09:37:57 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC7A4C14CF15 for <cfrg@ietf.org>; Thu, 8 Dec 2022 09:37:57 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 2983B5C00DF; Thu, 8 Dec 2022 12:37:57 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Thu, 08 Dec 2022 12:37:57 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm2; t=1670521077; x= 1670607477; bh=YaNLZ3SiaDFOHzX/u8vn5u5mCGiZu1YmWNwPYyyrIeQ=; b=d deHEb9Oqqtn3tTNuFaS6jpoJSzBTe6kdaICWs+V2axg4V38RYTPhquc46uRG/ez2 Gr9YkwJ/ccV96092yNfSQMn7tz48aTk9zYNOheeiQzkscSm+Z9OgN0GnknHGpiqo enGPIYQ+e5BLeSKN+r8SftwT5uh8vWWyw24Nwbh8jYoDTcl9CoPSAJ9XPB+M0k3l Z0bEb4FP4UTbDrsjHb6K313qVbOb/7YJZBPupFu5Qat1CRpwJOzEp1ugKQ7hqOjE QL0z/Y15Xxw0MdCNsnLbVTuqpvcON7i/njT3E3LpoClBqKxE33tc8qItNlhF3T+o PnHHavfCo4/SGFBax0b+w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1670521077; x= 1670607477; bh=YaNLZ3SiaDFOHzX/u8vn5u5mCGiZu1YmWNwPYyyrIeQ=; b=B h3K+J41Of48rpx3RZj7C2/EckqqM9hh3OMwb2ocG3YrjXuzuzUsYipDUs5DPrjif z5pTWwVzI220JF8FLFUHMMlQisRJLMVIQkpvas3qkkKW8EXKm56q80Qu+F/knqZU JmozVsQTl3sLjSCfxUeiYvhzccAMSp+wS54LSpC+xM6WqvuzDJfGE4en8zRiV972 pCPAcPlkfB3F4GFiupJ0rHrBMamdJ0j67a17u4RmUGj7B5lrlWOHyFFvySq5YgKO zSV92OAa8dkstNBdrMyA/SDYYSA7xwVhEjEmCx9fTBc0vPPcuj6T6oErsu3i0707 SatebSM4Uir0GgygesQQw==
X-ME-Sender: <xms:9CCSY04_FAr9WOMGMEavET8eUwya3yevx0neUCAqRFiGQadsFTI2jw> <xme:9CCSY14kXcOVmI6w-1CwOV2neGSx2iwP5EDR-YhAfsmifxPtgnhEO2CfmloPBUsYj GGqt1ZLYE42i6rvLlw>
X-ME-Received: <xmr:9CCSYzdIXd-VyIkG5jqJJjbfX2XUd8hDnlC_YvwGEEpea9rZt0H9wTyoWFbIgXFTKHwro0n9C4CtQ5JnpKFPl9zom1UWcwc9SQU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddtgddutdegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhhtdejnecuhfhrohhmpeevhhhr ihhsthhophhhvghrucghohhougcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucggtffrrghtthgvrhhnpeffudetlefhhedtleeuteeuueehkeefffdtgeefvdetveeh jefgheevfeetgedvvdenucffohhmrghinhepihgvthhfrdhorhhgnecuvehluhhsthgvrh fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghpihhnghgs ihhtshdrnhgvth
X-ME-Proxy: <xmx:9CCSY5KVMHNsviMa7Uwan4rdqFgpip6TOVRptcVmLoX_RJ-Jfw3uZg> <xmx:9CCSY4Kf7GwNim_zwYvZu10juHMjLGcueKFWa_Qir_wlSJ9cuwPNzg> <xmx:9CCSY6xSzUAFKyOAEkcOZ9i0w-hdVkpFTaf7zvrevKL5xZUXNz5Fqg> <xmx:9SCSYyyVIHw-sD6-fnoUjqXfTk4ZVKgEOvNIudXmUYfgaCo0uLzBpg>
Feedback-ID: i2f494406:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 8 Dec 2022 12:37:56 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <20221129225921.GR7583@yoink.cs.uwaterloo.ca>
Date: Thu, 08 Dec 2022 12:37:55 -0500
Cc: cfrg@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E6C680D7-9480-4E43-BFD9-5A38BB8B1CB3@heapingbits.net>
References: <166906886082.62494.8820552099363522855@ietfa.amsl.com> <6A1E08FD-09CF-4929-94DD-8B7A8E6CACBA@heapingbits.net> <CAMmp5CAt-A+qJTDbhwj14b24DUGD+xzxrbBpPGM2hCYfNVA4-w@mail.gmail.com> <CAJowLmN8CZRS9V0N5tW=XohC9QNYRE-FpMe=errGSETAq7WT1w@mail.gmail.com> <20221129225921.GR7583@yoink.cs.uwaterloo.ca>
To: Ian Goldberg <iang@uwaterloo.ca>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/d3V0dTiuyBb1OQlG1FxUaKJqL_M>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-06.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Dec 2022 17:38:02 -0000

Thanks, Ian! Please see inline below.

> On Nov 29, 2022, at 5:59 PM, Ian Goldberg <iang@uwaterloo.ca> wrote:
> 
> On Tue, Nov 29, 2022 at 01:47:40PM +0000, Franziskus Kiefer wrote:
>> Chris asked me to review the draft.
> 
> Me as well.  My notes are below.
> 
> In Section 1, [I-D.irtf-cfrg-voprfs] is a broken reference.
> Interestingly, Section 1 motivates this document with, "Specifically,
> VOPRFs are not necessarily publicly verifiable", but
> draft-irtf-cfrg-voprf-16 (which is presumably what the dangling link is
> supposed to point to) _is_ publicly verifiable
> (https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-16#section-2.2.2)
> Is there another motivation for using RSA instead of
> draft-irtf-cfrg-voprf-16?  Is it just the "in such a way that the
> resulting (unblinded) signature can be verified with a standard RSA-PSS
> library"?  As you point out here, VOPRFs are strongly related to
> deterministic blind signatures.  Should VOPRFs be discussed in Section
> 8.7?

We decided not to make a change here. The full text reads:

   Recently, interest in blind signatures has grown to address
   operational shortcomings from applications that use Verifiable
   Oblivious Pseudorandom Functions (VOPRFs) [VOPRF], such as Privacy
   Pass [PRIVACY-PASS].  Specifically, VOPRFs are not necessarily
   publicly verifiable, meaning that a verifier needs access to the
   VOPRF private key to verify that the output of a VOPRF protocol is
   valid for a given input.


The important bit here is that the private key is needed to verify the VOPRF value, which is what publicly verifiable means in this context. We determined this was clear enough as-is, but if you have concrete suggestions for how to improve it further, please do share!

> 
> Section 4: "In this protocol, the server learns nothing of msg, whereas
> the client learns sig and nothing of skS.": this doesn't specify whether
> the server learns sig.  (It does not.)  This paragraph should also say
> that skS is input by the server and msg is input by the client.

That’s a good suggestion. We fixed this in the latest version.

> 
> In Section 4.1, step 1:
>    encoded_msg = EMSA-PSS-ENCODE(msg, (kLen * 8) - 1)
> doesn't look right to me.  kLen is the length of the modulus in bytes.
> What if the modulus is 2049 bits, say?  Then klen=257, and (kLen*8)-1
> is 2055, which is too large.

Great catch! We fixed this by using a function that computes the bit length for N.

> 
> Does step 5 need to be done in constant time?  Does any of this
> function (or the other ones)?  Section 8.1 talks a bit about this for
> the Sign algorithm (which protects the secret key from timing attacks),
> but the client's message (and blinding factor) also need to be protected
> from the server, no?

We added a note to the security considerations (Section 7.1) that covers this part of the threat model. Ultimately, we decided trying to make Blind (and the newly introduced Prepare) function(s) constant time did not seem fruitful for most threat models and applications, but we would be happy to hear if others disagree.

> 
> In step 6, it's a little funny to raise the error "invalid blind" as
> opposed to "Oh look we factored the server's public key!".  The text
> above the algorithm says "The probability of multiple such errors in
> sequence is negligible." but in fact the probability of even one such
> error is negligible.

Fair point. We added a note about how applications can deal with these errors in Section 6.1.

> 
> Section 5: "randommization" -> "randomization"
> 
> Section 8: the term "RSA-FDH" is used in the first sentence, but not
> defined until Section 8.6.
> 
> Section 8.1 says that implementations SHOULD verify that the signature
> is correct.  Finalize in Section 4.3 already does this explicitly.  Did
> you mean that BlindSign should also do this before returning blind_sig?
> Is there a reason not to explicitly write it in, as with Finalize?

We decided to add this step explicitly to BlindSign, and expanded Section 7.1 to note that this fault check step can be removed or skipped if not applicable to your threat model. 

> 
> Section 8.3: "to learn information about low-entropy with input
> messages": should "with" be removed?
> 
> Section 8.4 is interesting; it says the implementation shouldn't let the
> client pass the salt value because the client might embed some sensitive
> data in it.  But the client could just as easily (in many cases) embed
> that data in the message, no?  I'd be more worried about the other way
> around: the implementation embedding secret data about the client
> without the client's knowledge (algorithm substitution attacks,
> kleptography, etc.).

Good points. We generalized this section to cover this better.

Can you please let us know if the latest version addresses your comments?

Best,
Chris

v2.46.0 | Report a Bug | By Email | System Status