IETF Logo Mail Archive

Re: [CFRG] [irsg] IRSG review request: draft-irtf-cfrg-vrf-13

Mallory Knodel <mknodel@cdt.org> Fri, 15 July 2022 18:22 UTC

Return-Path: <mknodel@cdt.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F460C157B4C for <cfrg@ietfa.amsl.com>; Fri, 15 Jul 2022 11:22:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NUz_fUwY8ix8 for <cfrg@ietfa.amsl.com>; Fri, 15 Jul 2022 11:22:09 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93951C157B58 for <cfrg@irtf.org>; Fri, 15 Jul 2022 11:22:09 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id g24so1653514qtu.2 for <cfrg@irtf.org>; Fri, 15 Jul 2022 11:22:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=wNj99uTpqLmFPDGZSNRjAjN/feKm4+whtxu1JmH70d4=; b=dUslE3GN4YgzF4n4I4dyF6KCGLpUUlPj7ngSzlpl+hmHGjULBaHe0s1zlrlPrz23Nc +9J5kz2LaFFFjT4d5QyIlyIvuG0zL/acydL4KOn7gO8fBHQzRR8sN1BR1QNv7ci4cKkJ wkvO2jb4VCLU+ZRJCuJrV25GpwS7Bn53Nq0m8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=wNj99uTpqLmFPDGZSNRjAjN/feKm4+whtxu1JmH70d4=; b=i0YbEE7FO23YCaF59v3ycj948vGAdzAjayysPoh4LiHLoNYm34aAxM9ksPXLeL4WYG nsjaW3w98B5wv2QY6qmLRpwRuuCl7GJUpqowk7SPhcw94c+ZP9hk0zCGMpDFZ1IbVSjD /dMCRJ5+ToqUaqzecsEy+seo4hb1SiBupXwKrYfEp1JUVFU5HZDRrpau+Z8kLLGNXViQ UQMynJrJxw2+RtLNjlnwpr+LywiVKbbCsEoDWZo3Ru5gtaQD5EiHAsW+7bpHxzhA0bqu xwZJ86JMC+bqv34hAowkE063XlHkbZftGgAkGXdMjcZw6Y4GfrFMRXetdcQvFnOi3hVl PUUw==
X-Gm-Message-State: AJIora8wIylIAkUWZOXPEmHfq/MRgLrbvPdaV93jM9J4m6w/txeDFQS+ aTzOsg6nUC8LnpulXpEp7pYhTIalDuN7/Q==
X-Google-Smtp-Source: AGRyM1s3hq7VkOZwct41AHJMcYwQx+zDbgfwH0YweVe3fvpHCix8sY2F/OPSm7xwYpoQBlofx6846Q==
X-Received: by 2002:a05:622a:1789:b0:31e:a8ce:cb7 with SMTP id s9-20020a05622a178900b0031ea8ce0cb7mr13317907qtk.645.1657909328424; Fri, 15 Jul 2022 11:22:08 -0700 (PDT)
Received: from [10.200.230.50] (static-108-28-104-83.washdc.fios.verizon.net. [108.28.104.83]) by smtp.gmail.com with ESMTPSA id m1-20020a05620a24c100b006a6d7c3a82esm3764206qkn.15.2022.07.15.11.22.07 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 15 Jul 2022 11:22:08 -0700 (PDT)
Message-ID: <9625f922-fba2-c2fa-07f1-a297d2ffd5e2@cdt.org>
Date: Fri, 15 Jul 2022 14:22:06 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Thunderbird/103.0
Content-Language: en-US
To: Colin Perkins <csp@csperkins.org>, Internet Research Steering Group <irsg@irtf.org>, CFRG <cfrg@irtf.org>
References: <66620D79-509D-4036-95CB-8D8CEE1227D2@csperkins.org>
From: Mallory Knodel <mknodel@cdt.org>
In-Reply-To: <66620D79-509D-4036-95CB-8D8CEE1227D2@csperkins.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/z2mAXqo_DZgBpbzsffdoJtaAt6k>
Subject: Re: [CFRG] [irsg] IRSG review request: draft-irtf-cfrg-vrf-13
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2022 18:22:13 -0000

Hi all,

I've done a review for the IRSG of this document. My comments are below. 
As a reminder I'm preserving the IRTF Chair's request for review that 
includes the purpose of the IRSG review stage:

On 6/16/22 7:41 AM, Colin Perkins wrote:
> ...at least one IRSG member to volunteer to provide a detailed review of the draft, as follows:
>> IRSG reviewers should look for clear, cogent, and consistent writing. An important aspect of the review is to gain a critical reading from reviewers who are not subject matter experts and, in the process, assure the document will be accessible to those beyond the authoring research group. Also, reviewers should assess whether sufficient editorial and technical review has been conducted and the requirements of this process document, such as those described in IRTF-RFCs have been met. Finally, reviewers should check that appropriate citations to related research literature have been made.
My review does not include sections 4. and 5. because they are primarily 
describing VRF constructions, the accuracy of which I cannot attest, and 
therefore I recommend an expert review of these if one has not already 
been done, though it seems from the shepherd write up that at least one 
has been done.
>> The IRSG review often results in the document being revised. Once the reviewer(s), authors, and shepherd have converged on review comments, the shepherd starts the IRSG Poll on whether the document should be published.

For what it's worth, I think even if none of the changes that I have 
suggested are accepted, though I hope they are helpful, that the draft 
be published. Please reach out if there are questions about my suggested 
changes; I would like to know which are not accepted.

Super interesting work. I learned a lot and was happy to conduct this 
review! First comments, then nits.

Comments:

  * It might be useful to readers to at some point in the document 
discuss why the two  VRFs were chosen to be described in depth, versus 
others. The shepherd writeup contains some of this information.

  * Since sections 4. and 5. are both VRF constructions, you might 
actually preserve the promise that you specify "several" VRFs by 
restructuring the table of contents by creating a section on VRF 
constructions and then make RSA-FDH-VRF and ECVRF sub-sections. You 
could give an introduction to the section that discusses why you chose 
these two but also gives the reader some overall sense of where to go to 
look at other documentation of comparable construction specifications.

  * Terminology section could be expanded to include definitions of: 
trustworthiness, adversarial, function, verifying among perhaps others.

  * Relatedly I get the sense that there are quite a few terms of art 
that are also regular words, like "bounded" that ideally should be 
formally defined somewhere or the nuanced meaning that they have (versus 
the regular, everyday word) can get lost on a reader who is not a 
subject matter expert. These could go in the terminology section or they 
can simply be described the first time they are used.

  * Sometimes when "an adversary" is invoked, I think what is meant is 
that anyone, including adversaries, could perform or not perform such 
feats, eg 3.2 para 2.

  * Question: in section 3.2 it's stated that trusted collision 
resistance VRFs MUST NOT be used if key generation process cannot be 
trusted, but it seems to me as a lay reader that whether the key 
generation process is trusted is the precise definition of full versus 
trusted collision resistance. I'm curious of the answer, but also this 
text really needs to be fixed to avoid confusion.

  * Is there an opportunity to expand on the type of attacks described 
in 3.3 para 3? "a variety of chosen inputs alpha'" is doing a lot of 
work and might not immediately be understood to represent the threat of 
brute force or rainbow table attacks, if that is indeed what is meant here.

  * I am missing something about "selective pseudorandomness" being a 
weaker security property when each time it is mentioned it seems to be a 
stronger security property, including the paragraph that immediately 
follows. Either the text it is incorrect or it is too opaque, either way 
should be fixed.

  * Would the "malicious key generation" discussed in 3.4 for 
unpredictability also have specific effects related to the other 
properties just described as well, eg collision, uniqueness, etc? It 
seems like a cross-cutting consideration and if so perhaps a restructure 
would help readers conceptualise that a bit better.

  * To that point, section 7.1.2 also discusses this and the 
relationship between the two sections is not entirely clear. Are they 
redundant?

Nits:

  * Abstract | All mentions of "elliptic curves" should be uncapitalized 
unless part of a title (this seems to be the convention and the only 
instance currently is in the abstract).

  * Abstract | doc specifies "several" VRF constructions, but actually 
only presents two.

  * 3.1 para 1 | fixed VRF public key instead of "fixed public VRF key"

  * 3.1 para 2 | the comma delimited list is hard to read and suggest 
instead you use alternative formatting like a indented list.

  * 3.2 para 1 | "need to be" probably should be "are", otherwise you're 
defining an aspect of the specification it would seem.

  * 3.3 para 2 | any word ending in -ly should never be hyphenated, eg 
"adversarially chosen".

  * 3.3 para 6 | "does not look" or "is not"? I get why randomness is 
merely an appearance to anyone but the Prover, but to the Prover it is a 
certainty, so it "is". Similarly in the following paragraph "does not 
look" could be "can be distinguished from a random value".

  * 3.4 title | Some VRFs might be taken out of the heading since it 
seems that all of the properties you are describing are for Some VRFs, 
not all. If there is an important distinction here it might need 
expanding in the text instead of the title.

  * 3.4 title | Is the word "malicious" important here or could any key 
generation experience this?

  * 7.1.1 para 1 | "stadnard" should be standard.

  * 7.4 para 1 | Isn't the "private VRF key" the secret key? Seems this 
might be an instance that departs from the uniform notation a bit.

  * 7.8 para 1 | Dislike extensive parentheticals, so suggest making the 
latter half of the first sentence its own sentence. (If the point is 
worth including, just include it).

  * 7.8 para 1 | "four queries" which four what?

  * 7.8 para final | the reference in square brackets needs link text.

  * 7.10 para 1 | Capitalise the first letter of the first sentence.

With thanks,

-Mallory

-- 
Mallory Knodel
CTO, Center for Democracy and Technology
gpg fingerprint :: E3EB 63E0 65A3 B240 BCD9 B071 0C32 A271 BD3C C780

v2.23.0 | Report a Bug | By Email