[CFRG] Re: I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt

Niu Danny <dannyniu@hotmail.com> Sun, 08 September 2024 10:33 UTC

From: Niu Danny <dannyniu@hotmail.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt
Thread-Index: AQHad62ZdG54XWhYDkiFkDSuQ+ISzLE6cZgAgAjuhYCBC2IIzQ==
Date: Sun, 08 Sep 2024 10:33:19 +0000
Message-ID: <TYAPR01MB4992039FC820D0425D2C6BE4C1982@TYAPR01MB4992.jpnprd01.prod.outlook.com>
References: <GVXPR07MB9678799A86599695B7B31F41892F2@GVXPR07MB9678.eurprd07.prod.outlook.com> <20240322070827.738849.qmail@cr.yp.to>
In-Reply-To: <20240322070827.738849.qmail@cr.yp.to>
Subject: [CFRG] Re: I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/reovYT5ESukh1appBdsUAYmpKNM>

To be honest, I'm quite frustrated with the progress of this draft, and with its content, which in my opinion is sort of over-designed.

Since neither the previous RFC6979 nor the current draft, nor any of its possible future formalizations, is "normative" according to anyone, I'm adopting the construct from djb in his mailarchive.ietf.org/arch/msg/cfrg/R7tUulCdBh9wHMVaCsr-ho-Xi9I/ message on my master branch.

I'll retain the branch tracking the current development in case of any future development.

________________________________________
From: CFRG <cfrg-bounces@irtf.org> on behalf of D. J. Bernstein <djb@cr.yp.to>
Sent: 22 March 2024 15:08
To: cfrg@irtf.org
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt

I think the best way to convert deterministic Ed25519 signing software
into randomized Ed25519 signing software is to overwrite noncekey with
H(noncekey,randomness) right after the usual derivation of noncekey from
the secret key, i.e., before computing nonce = H(noncekey,message).

This makes the code changes as simple as possible: for example, the
relevant changes from earlier code to lib25519 replaced

    unsigned char secret[64];
    crypto_hash_sha512(secret,sk,32);

with

    unsigned char secret[96];
    crypto_hash_sha512(secret,sk,32);           /* secret[0..64) = H(sk): scalar half, then noncekey half */
    randombytes(secret+64,32);                  /* secret[64..96) = 32 fresh random bytes */
    crypto_hash_sha512(secret+32,secret+32,64); /* secret[32..96) = H(noncekey,randomness); new noncekey = its first 32 bytes */

and left everything else unchanged.

The main security risk from randomization comes from typical test
frameworks not being able to test randomized functions: basically, the
entire signing function ends up being tested merely for "yes, signatures
verify", so bugs in how nonces are generated won't be caught. Randomized
functions are tested in the lib25519 test framework, and aligning the
randomization details has the secondary advantage of allowing reuse of
test inputs and test outputs from lib25519.

---D. J. Bernstein
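A worked model of the nonce-key mixing described above, added here as an illustration; it is not code from lib25519, from the draft, or from either author. The deterministic derivation (SHA-512 over the secret key, second half used as noncekey, nonce = H(noncekey, message) mod L) follows RFC 8032; `lib25519_style_noncekey` mirrors the quoted 96-byte buffer to show that the in-place hash leaves H(noncekey || randomness)[:32] as the new noncekey. Function names are mine, and taking the randomness as an explicit parameter is what makes the randomized path known-answer testable, which addresses the testing concern raised in the message.

```python
import hashlib
import os
from typing import Optional

# Ed25519 group order (RFC 8032); nonce scalars are reduced mod L
L = 2**252 + 27742317777372353535851937790883648493


def expand_secret_key(sk: bytes):
    """RFC 8032: h = SHA-512(sk); h[0:32] clamped is the scalar, h[32:64] is noncekey."""
    if len(sk) != 32:
        raise ValueError("Ed25519 secret key must be 32 bytes")
    h = hashlib.sha512(sk).digest()
    scalar = bytearray(h[:32])
    scalar[0] &= 248
    scalar[31] &= 127
    scalar[31] |= 64
    return bytes(scalar), h[32:]


def randomized_noncekey(noncekey: bytes, randomness: bytes) -> bytes:
    """djb's step: overwrite noncekey with H(noncekey, randomness) before the nonce derivation."""
    if len(randomness) != 32:
        raise ValueError("randomness must be 32 bytes")
    return hashlib.sha512(noncekey + randomness).digest()[:32]


def derive_nonce(sk: bytes, message: bytes, randomness: Optional[bytes] = None) -> int:
    """Nonce scalar r (for R = r*B). randomness=None is deterministic Ed25519;
    passing fixed randomness lets a known-answer test cover the randomized path."""
    _, noncekey = expand_secret_key(sk)
    if randomness is not None:
        noncekey = randomized_noncekey(noncekey, randomness)
    return int.from_bytes(hashlib.sha512(noncekey + message).digest(), "little") % L


def lib25519_style_noncekey(sk: bytes, randomness: bytes) -> bytes:
    """Mirror of the quoted C buffer layout: secret[0:64] = SHA-512(sk),
    secret[64:96] = randomness, then secret[32:96] = SHA-512(secret[32:96]) in place.
    The new noncekey is secret[32:64]."""
    secret = bytearray(96)
    secret[0:64] = hashlib.sha512(sk).digest()
    secret[64:96] = randomness
    secret[32:96] = hashlib.sha512(bytes(secret[32:96])).digest()
    return bytes(secret[32:64])


def sign_nonce_random(sk: bytes, message: bytes) -> int:
    """Production entry point: draws the 32 bytes from the OS CSPRNG."""
    return derive_nonce(sk, message, os.urandom(32))
```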

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://mailman.irtf.org/mailman/listinfo/cfrg