IETF Logo Mail Archive

Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

Jim Schaad <ietf@augustcellars.com> Wed, 26 September 2018 14:55 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C175D130F30 for <cfrg@ietfa.amsl.com>; Wed, 26 Sep 2018 07:55:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZaYxJV2GNlsr for <cfrg@ietfa.amsl.com>; Wed, 26 Sep 2018 07:55:05 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33652130FED for <cfrg@irtf.org>; Wed, 26 Sep 2018 07:54:54 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Wed, 26 Sep 2018 07:50:18 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'John Mattsson' <john.mattsson@ericsson.com>, "'Saqib A. Kakvi'" <saqib.kakvi@uni-paderborn.de>, cfrg@irtf.org
References: <3B4BE320-418B-4FC1-8427-0EF2F58A0F01@vigilsec.com> <6FD96340-0D8D-44C0-9374-9D7A3F36F967@gmail.com> <27af097a-6769-fcc4-7b28-12c1ea77055a@uni-paderborn.de> <000d01d45041$a8930250$f9b906f0$@augustcellars.com> <a21a5c72-f9e5-2eb7-4144-bdded4c8321d@uni-paderborn.de> <E7059316-430B-4DE0-A0C7-09A0B6783C0F@ericsson.com>
In-Reply-To: <E7059316-430B-4DE0-A0C7-09A0B6783C0F@ericsson.com>
Date: Wed, 26 Sep 2018 07:54:18 -0700
Message-ID: <000601d455a8$ceba75a0$6c2f60e0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01D4556E.225D2440"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQEEZp9Jmzqi3dvAEs8tD+EEfxF7UQLPQyI6AbdQ/5ICTiDpsQH6H192AUyORzqmUafrwA==
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/pEHdCG3NA5UQAi0VCmimM8Zh8JQ>
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2018 14:55:10 -0000

The current proposal in the draft is to replace SHA-1 in MGF1 with SHAKE where the SHAKE output size is essentially infinite so that there is never a need to iterate on the counter.  This means that you compute

      SHAKE(  mfgSeed || I2OSP(counter = 0, 4) , maskLen)

 

What I suggested was that we just switch to a new MGF function where we computed

        SHAKE ( mfgSeed, maskLen)

 

Jim

 

 

From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of John Mattsson
Sent: Tuesday, September 25, 2018 11:41 PM
To: Saqib A. Kakvi <saqib.kakvi@uni-paderborn.de>; cfrg@irtf.org
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

 

Hi,

 

I think an important aspect here is what we actually believe people will implement. Given that there is an ongoing (but slow) move to ECDSA/EdDSA and people are expecting to start implementing the outcome of the NIST PQC standardization in 5 years, I do not know how interested people are to implement something new based on RSA.

 

If FDH gives better security it should be discussed, but based on your comments it is only as secure as PSS. I feel like making small and easy to implement changes to RSA-PSS is the way to go.

 

Is the use of SHA-1 in RSA-PSS causing any known security problems, or is the idea to remove SHA-1 anyway (which makes sense)?

 

Cheers,

John

 

From: Cfrg <cfrg-bounces@irtf.org <mailto:cfrg-bounces@irtf.org> > on behalf of "Saqib A. Kakvi" <saqib.kakvi@uni-paderborn.de <mailto:saqib.kakvi@uni-paderborn.de> >
Date: Wednesday, 19 September 2018 at 20:32
To: "cfrg@irtf.org <mailto:cfrg@irtf.org> " <cfrg@irtf.org <mailto:cfrg@irtf.org> >
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

 

Hello Jim,

PSS was more secure than FDH in 1996, but that has since changed. Jean-Sebastian Coron showed an optimal proof (with proof of optimality) in 2001 (ia.cr/2001/062) and in 2012, Eike Kiltz and myself showed that one can get a better proof for FDH for small exponents. (http://www5.rz.rub.de:8032/mam/foc/content/publ/rsa-fdh_fullversion.pdf) In this case FDH is as secure as PSS.

Best,
Saqib

 

On 19/09/2018 19:53, Jim Schaad wrote:

I have to admit that I was thinking about using a Full Domain Hash for the signature, esp. because you could probably XOR in the ASN.1 hash algorithm identifier and get back the hash substitution attack.   However when I look at http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf <http://web.cs.ucdavis.edu/%7Erogaway/papers/exact.pdf>  I see that they claim that PSS is more secure that Full Domain.  I have not done any sort of search to see if things are tighter now than they were back in ’96.

 

Jim

 

 

From: Cfrg  <mailto:cfrg-bounces@irtf.org> <cfrg-bounces@irtf.org> On Behalf Of Saqib A. Kakvi
Sent: Wednesday, September 19, 2018 8:58 AM
To: cfrg@irtf.org <mailto:cfrg@irtf.org> 
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

 

Hello Russ,

Replacing MGF1 with SHAKE should not present any problems that I can see. The Mask Generation Function was used to overcome the fact that hash functions have fixed length outputs. The fact that SHAKE is an eXtensible Output Function (XOF) means that one no longer needs to use an MGF.

On the other hand, since we do have an XOFs, I'm not sure that RSA-PSS should still be the algorithm of choice, but rather one might consider switching to the simpler RSA-Full Domain Hash or PKCS#1 v1.5 signature schemes.
Tibor Jager, Alexander May and myself have recently found a security proof for PKCS#1 v1.5 signatures, with the caveats that one must double their modulus length and use an XOF/MGF. I will be presenting this result will at CCS 18 next month, and would be glad to discuss it with anybody there. Additionally version should be appear in the IACR ePrint archive in the near future. I am also happy to send a copy of the paper to anybody who would like to have one.

Best
Saqib





 

From: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com> >

Subject: [Cfrg] A new MGF for RSA-PSS based on SHAKE

Date: 17 September 2018 at 22:57:10 CEST

To: IRTF CFRG <cfrg@irtf.org <mailto:cfrg@irtf.org> >

 

Dear CFRG:

The IETF LAMPS WG is specifying the use of SHAKE with RSA-PSS for use with certificates and CMS signed objects.  The current drafts are:

              draft-ietf-lamps-cms-shakes-01.txt
              draft-ietf-lamps-pkix-shake-02.txt

In discussion of these drafts, it was suggested that instead of replacing SHA-1 in the RSA-PSS default mask generation function (MGF), one could replace the entire MGF with SHAKE.  While it does look like a simple substitution, I do not think the IETF LAMPS WG is the right group to make the assessment.  CFRG may have people with the right skills, so I would greatly appreciate you thoughts on this idea.

Russ

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org <mailto:Cfrg@irtf.org> 
https://www.irtf.org/mailman/listinfo/cfrg

v2.29.0 | Report a Bug | By Email | System Status