Re: [CFRG] [irsg] IRSG review request: draft-irtf-cfrg-vrf-13
Mallory Knodel <mknodel@cdt.org> Fri, 15 July 2022 18:22 UTC
Return-Path: <mknodel@cdt.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F460C157B4C for <cfrg@ietfa.amsl.com>; Fri, 15 Jul 2022 11:22:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NUz_fUwY8ix8 for <cfrg@ietfa.amsl.com>; Fri, 15 Jul 2022 11:22:09 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93951C157B58 for <cfrg@irtf.org>; Fri, 15 Jul 2022 11:22:09 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id g24so1653514qtu.2 for <cfrg@irtf.org>; Fri, 15 Jul 2022 11:22:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=wNj99uTpqLmFPDGZSNRjAjN/feKm4+whtxu1JmH70d4=; b=dUslE3GN4YgzF4n4I4dyF6KCGLpUUlPj7ngSzlpl+hmHGjULBaHe0s1zlrlPrz23Nc +9J5kz2LaFFFjT4d5QyIlyIvuG0zL/acydL4KOn7gO8fBHQzRR8sN1BR1QNv7ci4cKkJ wkvO2jb4VCLU+ZRJCuJrV25GpwS7Bn53Nq0m8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=wNj99uTpqLmFPDGZSNRjAjN/feKm4+whtxu1JmH70d4=; b=i0YbEE7FO23YCaF59v3ycj948vGAdzAjayysPoh4LiHLoNYm34aAxM9ksPXLeL4WYG nsjaW3w98B5wv2QY6qmLRpwRuuCl7GJUpqowk7SPhcw94c+ZP9hk0zCGMpDFZ1IbVSjD /dMCRJ5+ToqUaqzecsEy+seo4hb1SiBupXwKrYfEp1JUVFU5HZDRrpau+Z8kLLGNXViQ UQMynJrJxw2+RtLNjlnwpr+LywiVKbbCsEoDWZo3Ru5gtaQD5EiHAsW+7bpHxzhA0bqu xwZJ86JMC+bqv34hAowkE063XlHkbZftGgAkGXdMjcZw6Y4GfrFMRXetdcQvFnOi3hVl PUUw==
X-Gm-Message-State: AJIora8wIylIAkUWZOXPEmHfq/MRgLrbvPdaV93jM9J4m6w/txeDFQS+ aTzOsg6nUC8LnpulXpEp7pYhTIalDuN7/Q==
X-Google-Smtp-Source: AGRyM1s3hq7VkOZwct41AHJMcYwQx+zDbgfwH0YweVe3fvpHCix8sY2F/OPSm7xwYpoQBlofx6846Q==
X-Received: by 2002:a05:622a:1789:b0:31e:a8ce:cb7 with SMTP id s9-20020a05622a178900b0031ea8ce0cb7mr13317907qtk.645.1657909328424; Fri, 15 Jul 2022 11:22:08 -0700 (PDT)
Received: from [10.200.230.50] (static-108-28-104-83.washdc.fios.verizon.net. [108.28.104.83]) by smtp.gmail.com with ESMTPSA id m1-20020a05620a24c100b006a6d7c3a82esm3764206qkn.15.2022.07.15.11.22.07 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 15 Jul 2022 11:22:08 -0700 (PDT)
Message-ID: <9625f922-fba2-c2fa-07f1-a297d2ffd5e2@cdt.org>
Date: Fri, 15 Jul 2022 14:22:06 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Thunderbird/103.0
Content-Language: en-US
To: Colin Perkins <csp@csperkins.org>, Internet Research Steering Group <irsg@irtf.org>, CFRG <cfrg@irtf.org>
References: <66620D79-509D-4036-95CB-8D8CEE1227D2@csperkins.org>
From: Mallory Knodel <mknodel@cdt.org>
In-Reply-To: <66620D79-509D-4036-95CB-8D8CEE1227D2@csperkins.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/z2mAXqo_DZgBpbzsffdoJtaAt6k>
Subject: Re: [CFRG] [irsg] IRSG review request: draft-irtf-cfrg-vrf-13
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2022 18:22:13 -0000
Hi all, I've done a review for the IRSG of this document. My comments are below. As a reminder I'm preserving the IRTF Chair's request for review that includes the purpose of the IRSG review stage: On 6/16/22 7:41 AM, Colin Perkins wrote: > ...at least one IRSG member to volunteer to provide a detailed review of the draft, as follows: >> IRSG reviewers should look for clear, cogent, and consistent writing. An important aspect of the review is to gain a critical reading from reviewers who are not subject matter experts and, in the process, assure the document will be accessible to those beyond the authoring research group. Also, reviewers should assess whether sufficient editorial and technical review has been conducted and the requirements of this process document, such as those described in IRTF-RFCs have been met. Finally, reviewers should check that appropriate citations to related research literature have been made. My review does not include sections 4. and 5. because they are primarily describing VRF constructions, the accuracy of which I cannot attest, and therefore I recommend an expert review of these if one has not already been done, though it seems from the shepherd write up that at least one has been done. >> The IRSG review often results in the document being revised. Once the reviewer(s), authors, and shepherd have converged on review comments, the shepherd starts the IRSG Poll on whether the document should be published. For what it's worth, I think even if none of the changes that I have suggested are accepted, though I hope they are helpful, that the draft be published. Please reach out if there are questions about my suggested changes; I would like to know which are not accepted. Super interesting work. I learned a lot and was happy to conduct this review! First comments, then nits. Comments: * It might be useful to readers to at some point in the document discuss why the two VRFs were chosen to be described in depth, versus others. The shepherd writeup contains some of this information. * Since sections 4. and 5. are both VRF constructions, you might actually preserve the promise that you specify "several" VRFs by restructuring the table of contents by creating a section on VRF constructions and then make RSA-FDH-VRF and ECVRF sub-sections. You could give an introduction to the section that discusses why you chose these two but also gives the reader some overall sense of where to go to look at other documentation of comparable construction specifications. * Terminology section could be expanded to include definitions of: trustworthiness, adversarial, function, verifying among perhaps others. * Relatedly I get the sense that there are quite a few terms of art that are also regular words, like "bounded" that ideally should be formally defined somewhere or the nuanced meaning that they have (versus the regular, everyday word) can get lost on a reader who is not a subject matter expert. These could go in the terminology section or they can simply be described the first time they are used. * Sometimes when "an adversary" is invoked, I think what is meant is that anyone, including adversaries, could perform or not perform such feats, eg 3.2 para 2. * Question: in section 3.2 it's stated that trusted collision resistance VRFs MUST NOT be used if key generation process cannot be trusted, but it seems to me as a lay reader that whether the key generation process is trusted is the precise definition of full versus trusted collision resistance. I'm curious of the answer, but also this text really needs to be fixed to avoid confusion. * Is there an opportunity to expand on the type of attacks described in 3.3 para 3? "a variety of chosen inputs alpha'" is doing a lot of work and might not immediately be understood to represent the threat of brute force or rainbow table attacks, if that is indeed what is meant here. * I am missing something about "selective pseudorandomness" being a weaker security property when each time it is mentioned it seems to be a stronger security property, including the paragraph that immediately follows. Either the text it is incorrect or it is too opaque, either way should be fixed. * Would the "malicious key generation" discussed in 3.4 for unpredictability also have specific effects related to the other properties just described as well, eg collision, uniqueness, etc? It seems like a cross-cutting consideration and if so perhaps a restructure would help readers conceptualise that a bit better. * To that point, section 7.1.2 also discusses this and the relationship between the two sections is not entirely clear. Are they redundant? Nits: * Abstract | All mentions of "elliptic curves" should be uncapitalized unless part of a title (this seems to be the convention and the only instance currently is in the abstract). * Abstract | doc specifies "several" VRF constructions, but actually only presents two. * 3.1 para 1 | fixed VRF public key instead of "fixed public VRF key" * 3.1 para 2 | the comma delimited list is hard to read and suggest instead you use alternative formatting like a indented list. * 3.2 para 1 | "need to be" probably should be "are", otherwise you're defining an aspect of the specification it would seem. * 3.3 para 2 | any word ending in -ly should never be hyphenated, eg "adversarially chosen". * 3.3 para 6 | "does not look" or "is not"? I get why randomness is merely an appearance to anyone but the Prover, but to the Prover it is a certainty, so it "is". Similarly in the following paragraph "does not look" could be "can be distinguished from a random value". * 3.4 title | Some VRFs might be taken out of the heading since it seems that all of the properties you are describing are for Some VRFs, not all. If there is an important distinction here it might need expanding in the text instead of the title. * 3.4 title | Is the word "malicious" important here or could any key generation experience this? * 7.1.1 para 1 | "stadnard" should be standard. * 7.4 para 1 | Isn't the "private VRF key" the secret key? Seems this might be an instance that departs from the uniform notation a bit. * 7.8 para 1 | Dislike extensive parentheticals, so suggest making the latter half of the first sentence its own sentence. (If the point is worth including, just include it). * 7.8 para 1 | "four queries" which four what? * 7.8 para final | the reference in square brackets needs link text. * 7.10 para 1 | Capitalise the first letter of the first sentence. With thanks, -Mallory -- Mallory Knodel CTO, Center for Democracy and Technology gpg fingerprint :: E3EB 63E0 65A3 B240 BCD9 B071 0C32 A271 BD3C C780
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Mallory Knodel
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Leonid Reyzin
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Colin Perkins
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Mallory Knodel
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Colin Perkins
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Leonid Reyzin
- Re: [CFRG] [irsg] IRSG review request: draft-irtf… Colin Perkins