Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

John Mattsson <john.mattsson@ericsson.com> Thu, 27 September 2018 06:37 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Saqib A. Kakvi'" <saqib.kakvi@uni-paderborn.de>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] A new MGF for RSA-PSS based on SHAKE
Thread-Index: AQHUTskQCsT2iUUkSEqB7bcREYE6+6T3xbpkgAAgAQCAAAqeAIAKW0oAgABoZACAASjcAA==
Date: Thu, 27 Sep 2018 06:36:53 +0000
Message-ID: <3BB9195B-F10E-4497-91AA-950B591DC61B@ericsson.com>
References: <3B4BE320-418B-4FC1-8427-0EF2F58A0F01@vigilsec.com> <6FD96340-0D8D-44C0-9374-9D7A3F36F967@gmail.com> <27af097a-6769-fcc4-7b28-12c1ea77055a@uni-paderborn.de> <000d01d45041$a8930250$f9b906f0$@augustcellars.com> <a21a5c72-f9e5-2eb7-4144-bdded4c8321d@uni-paderborn.de> <E7059316-430B-4DE0-A0C7-09A0B6783C0F@ericsson.com> <000601d455a8$ceba75a0$6c2f60e0$@augustcellars.com>
In-Reply-To: <000601d455a8$ceba75a0$6c2f60e0$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wLxQxpvBXgEIvTFcvCjvUEdW5-Y>
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2018 06:37:30 -0000

> What I suggested was that we just switch to a new MGF function where we computed
>        SHAKE ( mgfSeed, maskLen)

That looks like a good idea.

From: Jim Schaad <ietf@augustcellars.com>
Date: Wednesday, 26 September 2018 at 16:55
To: John Mattsson <john.mattsson@ericsson.com>, "'Saqib A. Kakvi'" <saqib.kakvi@uni-paderborn.de>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: RE: [Cfrg] A new MGF for RSA-PSS based on SHAKE

The current proposal in the draft is to replace SHA-1 in MGF1 with SHAKE where the SHAKE output size is essentially infinite so that there is never a need to iterate on the counter.  This means that you compute
      SHAKE(  mgfSeed || I2OSP(counter = 0, 4) , maskLen)

What I suggested was that we just switch to a new MGF function where we computed
        SHAKE ( mgfSeed, maskLen)

Jim


From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of John Mattsson
Sent: Tuesday, September 25, 2018 11:41 PM
To: Saqib A. Kakvi <saqib.kakvi@uni-paderborn.de>; cfrg@irtf.org
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE

Hi,

I think an important aspect here is what we actually believe people will implement. Given that there is an ongoing (but slow) move to ECDSA/EdDSA and people are expecting to start implementing the outcome of the NIST PQC standardization in 5 years, I do not know how interested people are to implement something new based on RSA.

If FDH gives better security it should be discussed, but based on your comments it is only as secure as PSS. I feel like making small and easy to implement changes to RSA-PSS is the way to go.

Is the use of SHA-1 in RSA-PSS causing any known security problems, or is the idea to remove SHA-1 anyway (which makes sense)?

Cheers,
John

From: Cfrg <cfrg-bounces@irtf.org> on behalf of "Saqib A. Kakvi" <saqib.kakvi@uni-paderborn.de>
Date: Wednesday, 19 September 2018 at 20:32
To: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE


Hello Jim,

PSS was more secure than FDH in 1996, but that has since changed. Jean-Sébastien Coron showed an optimal proof (with proof of optimality) in 2001 (ia.cr/2001/062) and in 2012, Eike Kiltz and myself showed that one can get a better proof for FDH for small exponents. (http://www5.rz.rub.de:8032/mam/foc/content/publ/rsa-fdh_fullversion.pdf) In this case FDH is as secure as PSS.

Best,
Saqib

On 19/09/2018 19:53, Jim Schaad wrote:
I have to admit that I was thinking about using a Full Domain Hash for the signature, esp. because you could probably XOR in the ASN.1 hash algorithm identifier and get back the hash substitution attack.   However when I look at http://web.cs.ucdavis.edu/~rogaway/papers/exact.pdf I see that they claim that PSS is more secure than Full Domain.  I have not done any sort of search to see if things are tighter now than they were back in '96.

Jim


From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Saqib A. Kakvi
Sent: Wednesday, September 19, 2018 8:58 AM
To: cfrg@irtf.org
Subject: Re: [Cfrg] A new MGF for RSA-PSS based on SHAKE


Hello Russ,

Replacing MGF1 with SHAKE should not present any problems that I can see. The Mask Generation Function was used to overcome the fact that hash functions have fixed length outputs. The fact that SHAKE is an eXtensible Output Function (XOF) means that one no longer needs to use an MGF.

On the other hand, since we do have XOFs, I'm not sure that RSA-PSS should still be the algorithm of choice, but rather one might consider switching to the simpler RSA-Full Domain Hash or PKCS#1 v1.5 signature schemes.
Tibor Jager, Alexander May and myself have recently found a security proof for PKCS#1 v1.5 signatures, with the caveats that one must double their modulus length and use an XOF/MGF. I will be presenting this result at CCS 18 next month, and would be glad to discuss it with anybody there. Additionally, a version should appear in the IACR ePrint archive in the near future. I am also happy to send a copy of the paper to anybody who would like to have one.

Best
Saqib




From: Russ Housley <housley@vigilsec.com>
Subject: [Cfrg] A new MGF for RSA-PSS based on SHAKE
Date: 17 September 2018 at 22:57:10 CEST
To: IRTF CFRG <cfrg@irtf.org>

Dear CFRG:

The IETF LAMPS WG is specifying the use of SHAKE with RSA-PSS for use with certificates and CMS signed objects.  The current drafts are:

              draft-ietf-lamps-cms-shakes-01.txt
              draft-ietf-lamps-pkix-shake-02.txt

In discussion of these drafts, it was suggested that instead of replacing SHA-1 in the RSA-PSS default mask generation function (MGF), one could replace the entire MGF with SHAKE.  While it does look like a simple substitution, I do not think the IETF LAMPS WG is the right group to make the assessment.  CFRG may have people with the right skills, so I would greatly appreciate your thoughts on this idea.

Russ

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
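The thread above discusses three ways of instantiating the mask generation function in RSA-PSS: MGF1 with a fixed-length hash, MGF1 with SHAKE as the hash where the SHAKE output length is set to maskLen so the counter never advances (Jim's description of the draft), and SHAKE used directly as the MGF (Jim's suggestion). The following Python is an added example, not code from the thread, the LAMPS drafts or RFC 8017, that implements MGF1 per RFC 8017 Appendix B.2.1 and compares the three constructions on a constructed seed. The choice of SHAKE256, the seed value and the mask length are assumptions made here for illustration; the point it shows is that the three variants produce different masks for the same seed (the two SHAKE-in-MGF1 variants agree only on the first hLen bytes, because a XOF's shorter output is a prefix of its longer one), so a specification has to pin down exactly one of them for interoperability.

```python
import hashlib


def i2osp(x: int, x_len: int) -> bytes:
    """Integer-to-Octet-String primitive, RFC 8017 section 4.1."""
    if x < 0 or x >= 256 ** x_len:
        raise ValueError("integer too large for the requested length")
    return x.to_bytes(x_len, "big")


def mgf1(mgf_seed: bytes, mask_len: int, hash_fn, h_len: int) -> bytes:
    """MGF1 as in RFC 8017 Appendix B.2.1 with a pluggable hash.

    hash_fn(data, h_len) must return exactly h_len bytes. For a fixed-length
    hash h_len is its digest size; for a XOF such as SHAKE it can be chosen
    freely, which is what lets the draft avoid ever iterating the counter.
    """
    if mask_len > (2 ** 32) * h_len:
        raise ValueError("mask too long")
    t = b""
    counter = 0
    while len(t) < mask_len:
        t += hash_fn(mgf_seed + i2osp(counter, 4), h_len)
        counter += 1
    return t[:mask_len]


def sha256_fixed(data: bytes, h_len: int) -> bytes:
    """Fixed-length hash adapter; h_len is ignored (always 32 bytes)."""
    return hashlib.sha256(data).digest()


def shake256_xof(data: bytes, out_len: int) -> bytes:
    """SHAKE256 producing out_len bytes (assumed here as the XOF of choice)."""
    return hashlib.shake_256(data).digest(out_len)


def mgf1_sha256(seed: bytes, mask_len: int) -> bytes:
    """Classic MGF1: counter iterates every 32 bytes."""
    return mgf1(seed, mask_len, sha256_fixed, 32)


def mgf1_shake_fixed_hlen(seed: bytes, mask_len: int, h_len: int = 32) -> bytes:
    """SHAKE dropped into MGF1 as if it were a fixed-length hash of h_len bytes."""
    return mgf1(seed, mask_len, shake256_xof, h_len)


def mgf_shake_in_mgf1(seed: bytes, mask_len: int) -> bytes:
    """The draft as Jim describes it: SHAKE inside MGF1 with hLen = maskLen,
    so counter = 0 is the only block: SHAKE(seed || I2OSP(0, 4), maskLen)."""
    return mgf1(seed, mask_len, shake256_xof, mask_len)


def mgf_shake_direct(seed: bytes, mask_len: int) -> bytes:
    """Jim's alternative: the XOF itself is the MGF: SHAKE(seed, maskLen)."""
    return shake256_xof(seed, mask_len)


def compare_mgf_variants(seed: bytes, mask_len: int, h_len: int = 32) -> dict:
    """Return the relationships between the variants for one seed/length."""
    draft = mgf_shake_in_mgf1(seed, mask_len)
    direct = mgf_shake_direct(seed, mask_len)
    fixed = mgf1_shake_fixed_hlen(seed, mask_len, h_len)
    return {
        # The draft construction is literally one MGF1 block with counter 0.
        "draft_is_single_mgf1_block":
            draft == shake256_xof(seed + i2osp(0, 4), mask_len),
        # Dropping the counter changes the XOF input, hence the whole mask.
        "direct_differs_from_draft": direct != draft,
        # With a fixed hLen the counter advances, so the tail diverges ...
        "fixed_hlen_differs_from_draft": fixed != draft,
        # ... but the first hLen bytes agree: a XOF's shorter output is a
        # prefix of its longer output for the same input.
        "fixed_hlen_shares_first_block": fixed[:h_len] == draft[:h_len],
        "xof_prefix_consistent":
            shake256_xof(seed, 16) == shake256_xof(seed, 64)[:16],
    }


if __name__ == "__main__":
    # Constructed sample seed, not a value from any specification or test vector.
    sample_seed = b"constructed-mgf-seed"
    for name, ok in compare_mgf_variants(sample_seed, 100).items():
        print(f"{name}: {ok}")
```

Run it and every relationship prints True; change the mask length to at most hLen (32 here) and `fixed_hlen_differs_from_draft` becomes False, which is exactly the regime where the counter never advances and the two SHAKE-in-MGF1 variants coincide.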