Re: [CFRG] draft-irtf-cfrg-vrf-08 research group last call (RGLC)

Watson Ladd <watsonbladd@gmail.com> Wed, 10 February 2021 04:20 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F9FB3A1338 for <cfrg@ietfa.amsl.com>; Tue, 9 Feb 2021 20:20:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jDkHgt0r1u8 for <cfrg@ietfa.amsl.com>; Tue, 9 Feb 2021 20:20:04 -0800 (PST)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51AB73A1333 for <cfrg@irtf.org>; Tue, 9 Feb 2021 20:20:03 -0800 (PST)
Received: by mail-ed1-x52a.google.com with SMTP id y18so1126323edw.13 for <cfrg@irtf.org>; Tue, 09 Feb 2021 20:20:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ecCLchk/s5eEPg0Gb3PC9ZP4DRYFPsmr+ksnHpqF04Y=; b=jaeasHAaMuHod+SeG74Nr+3J1yVH5l7JUP0mCmDIUIJatsDgtD+AvoiuY35PXLlF/v UnRKlpMvukBTFqcC1Unl33uns+2B19M3iljsiUWD0UuikBD5YMzxlJ/y0bTNzqQAuH9T COtlxLC4nXFehOhzhslqslsNvo/nbBmbQkQwdG4Ow6xGimkCI1iFv+ynrujitxs5+TcY 3TCaBd91lpPBuqgw6wB19hu/qEslwjf+g7FN3wwUbt4Bg/x0BB5dRLlCa+4oSGYYZpEU 6oO/fN0d4rfQ1mS9wpFffD6qMPhWMt1wjM6hRfO80Qtms16SKueyD+u3gsywe5CXKPhI kgAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ecCLchk/s5eEPg0Gb3PC9ZP4DRYFPsmr+ksnHpqF04Y=; b=MoqspvxWq8JWICMxOkKdDWbBymHI33NazdEkh754oQSssDQofrTqRtHOMYB/GfVYUV K5YecXaNgjG8v3eR2YthWmxQfYUOhM2D7ijz/aNNgbRIa8RoikXKYmJmeCsx9I2Tpnsy WKMXwtKJQTkbjiFoDUZQtp07NQu3lDmDO9tfHd9HWC8KzkFYZgEP5u+ekxPYbaUvtq2j kWvKztCrJPGTlHZe/K5lsJ1cb71byTcaZ2kIuHbiUYJebQx8/isC6HtZUWXGw+vn1cls Mn4kQyyFUL9AJa1IFGMvph8wzemcndY6IiGLO88TtKpfiVFdG1m66249EzRUhj6FV8Jl idnQ==
X-Gm-Message-State: AOAM5335PUKfBcemkvo71nb+tYDbnCBgTbX32QdQHbIvc8aQJwcCQgpH dXeS89XZqoDoi1Szm2AhLHN6S5ajx/MjA2PflxU=
X-Google-Smtp-Source: ABdhPJx1ZlmVzMKQJpL4aygRimRoLQzOOfKjmqN1FjKQ3WorGRIfYrfvdFK54F0XzXGqtiwjSHpd7gPLsOJrL3IpnPE=
X-Received: by 2002:aa7:d1da:: with SMTP id g26mr1352085edp.154.1612930801421; Tue, 09 Feb 2021 20:20:01 -0800 (PST)
MIME-Version: 1.0
References: <CAFDDyk9sGYePo=oyfF6++FjLsxksBQV9TgU0CwRU0vTRN-=D3Q@mail.gmail.com>
In-Reply-To: <CAFDDyk9sGYePo=oyfF6++FjLsxksBQV9TgU0CwRU0vTRN-=D3Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 9 Feb 2021 20:19:50 -0800
Message-ID: <CACsn0ckmHtAMfmduBBbA0HQ9uxh4sZSP0PBc+GZcW6P=z+EXxg@mail.gmail.com>
To: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
Cc: CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wu3Mu5qBvkRu6D6BMhW3iWvo5NM>
Subject: Re: [CFRG] draft-irtf-cfrg-vrf-08 research group last call (RGLC)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2021 04:20:06 -0000

On Tue, Feb 9, 2021 at 9:10 AM Nick Sullivan
<nick=40cloudflare.com@dmarc.ietf.org> wrote:
>
> Dear CFRG participants,
>
> The VRF draft has received significant reviews from the RG and the crypto panel and is ready for last call. This email commences a 2-week last call for this document that will end on Feburary 23, 2021:
>
> https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/

I have read the document and support publication.

My one textual comment is that typically implementation status is in a
section that says "Note to RFC editor: Remove before publication".

My one trivial substantive comment is that forcing recomputation by
the verifier of the points hashed to produce the challenge, rather
than having them hash the commitments to obtain the challenge and
verify the equations, prevents batching of verification. In
applications where multiple proofs are verified at once this is a big
improvement.

My serious substantive comment is that the formation of the
distinguisher string imposes limitations on the hash2curve registry as
the encoding is not injective. The anachronist in me suggests RS as a
way to split the different parts of the distinguisher. Hash points
seems to assume that the point format will be self-delineating. I
think this can be fixed as part of the last call comments.

Sincerely,
Watson Ladd

-- 
Astra mortemque praestare gradatim