Re: [CFRG] draft-irtf-cfrg-vrf RSA-FDH-VRF missing test vectors

Leonid Reyzin <reyzin@cs.bu.edu> Tue, 09 August 2022 21:53 UTC

References: <CA+rFVvqkTXfN+KT+b47VpOnWnLQRUtww12q6chNwTOiHWxS7rg@mail.gmail.com> <CAHZ6D0t+DhCQq=R2gxTxgZog2na1pPU76HfzO+zdJuiZFrmTnA@mail.gmail.com>
In-Reply-To: <CAHZ6D0t+DhCQq=R2gxTxgZog2na1pPU76HfzO+zdJuiZFrmTnA@mail.gmail.com>
From: Leonid Reyzin <reyzin@cs.bu.edu>
Date: Tue, 09 Aug 2022 17:52:32 -0400
Message-ID: <CAHZ6D0vP4ndnr3W2XbpvgiO3Xf=mfLTBNM=AoTEzLzW01CJH9g@mail.gmail.com>
To: Malte Ulrik Thomsen <malteut@gmail.com>
Cc: CFRG <cfrg@irtf.org>, draft-irtf-cfrg-vrf@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/izPuHx0lvEC2dQ5ma6Wk9ClkYXA>

Thanks again, Malte, for working with me on this. The new draft
incorporating RSA-FDH-VRF test vectors (verified by two
implementations produced independently) is now available here
https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/15/ and here
https://github.com/cfrg/draft-irtf-cfrg-vrf .

On Thu, Aug 4, 2022 at 4:39 PM Leonid Reyzin <reyzin@cs.bu.edu> wrote:

> Dear Malte,
>
> This is wonderful, thank you! I think the draft would be enhanced by the
> addition of RSA test vectors. I would like to get an independent
> implementation that verifies their correctness before they are in the
> draft. Let's talk off-list to think whether and how we can do that.
>
> It's great to know that Edwards 25519 vectors match again. Thanks for
> that, also.
>
> Leo
>
> On Thu, Aug 4, 2022 at 1:37 PM Malte Ulrik Thomsen <malteut@gmail.com>
> wrote:
>
>> Hello,
>>
>> In draft-irtf-cfrg-vrf-14 (
>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/) there are no test
>> vectors for RSA-FDH-VRF, there are only test vectors for the ECVRFs. For
>> our bachelor project, my friends and I recently wrote an implementation of
>> RSA-FDH-VRF in hacspec (https://github.com/hacspec/hacspec). Here is a
>> link to our implementation of RSA-FDH-VRF:
>> https://github.com/hacspec/hacspec/blob/master/examples/rsa-fdh-vrf/src/rsa-fdh-vrf.rs.
>> The correctness of our implementation has been assured only using
>> property-based testing.
>>
>> I have generated test vectors for RSA-FDH-VRF if you want these included
>> in the draft. The attached test vectors are generated for
>> RSA-FDH-VRF-SHA256 using 2048-bit RSA from pkcs1. I'll be happy to generate
>> more test vectors if you prefer specific RSA keys, want vectors for
>> different bit lengths of RSA, or want vectors using SHA512. Currently, hacspec
>> does not have an implementation of SHA384, so I can't generate test vectors
>> for RSA-FDH-VRF-SHA384.
>>
>> We also wrote implementations of ECVRF-EDWARDS25519-SHA512-TAI and
>> ECVRF-EDWARDS25519-SHA512-ELL2. Here is a link to the PR for these
>> implementations: https://github.com/hacspec/hacspec/pull/269. It is likely
>> to be merged in the coming days. These implementations agree with the test
>> vectors from the draft, and have also been tested using property-based
>> testing.
>>
>> Best,
>> Malte Thomsen
>>
>