Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01

Jim Schaad <> Mon, 17 September 2018 15:39 UTC

That is not the question that I was asking.  I think that replacing SHA-1 with SHAKE in the MGF function is correct.  I was proposing replacing the MGF function in its entirety with a new MGF function.
From: Spasm <> On Behalf Of Russ Housley
Sent: Monday, September 17, 2018 2:53 AM
To: Quynh Dang <>; Panos Kampanakis <>
Cc: SPASM <>
Subject: Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01


Here is a part of a message to resolve the WG Last Call comments on draft-ietf-lamps-cms-shakes-01 ...

* Message Digests - are the limits on the size only for CMS or do they apply everywhere that the algorithm is used?  If it is everywhere, how do we reconcile with the usage in RSA-PSS?


Comment 5: Only in CMS, when a message digest is generated. For RSA-PSS, a SHAKE has 2 different output sizes for 2 different uses: hashing a message to be signed and generating a masking value in MGF1.

[JLS] After looking at this a second time, I propose that this problem be solved by creation of a new mask generation function MGF-V.   We can eliminate the counter from the operation as being unneeded and just compute the mask length and generate that many bits of output from a SHAKE function.


I thought about that. But that would be another standard function which has not been defined yet. How could we go from here? And this route would take time. Using the existing MGF1 would waste only 1 division: to figure out that the counter number is zero, so there is only one hash function execution.

[JLS2] No, it is more than that.  It takes both the one division AND a concatenation AND the strangeness of trying to decide how long the SHAKE output is if one is placing it into an existing MGF1 piece of code.  If you define a new MGF-V then there is a new function that is called – which code should potentially be set up for – and zero extra work beyond that.  The size of the mask is the size of the output, no concatenation.  It is much cleaner in my opinion.


Does anyone think that using SHAKE in the RSA-PSS mask generation function is the wrong approach?
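The two constructions argued over in this thread, written out side by side as an added example (this is not code from the thread, the draft, or any of its authors): MGF1 from RFC 8017 with a SHAKE standing in for the fixed-length hash, and a counter-free mask function that simply asks the SHAKE for the mask length directly. The SHAKE output length used inside MGF1 (`h_len`, 64 bytes here) is an assumption, since the thread's point is precisely that MGF1 forces that choice; the function name `mgf_direct_shake` and the helper names are also this example's own. The `compare` function counts the hash invocations and concatenations each approach performs for a given mask length, and `pss_db_mask_len` computes the RSA-PSS mask length (emLen - hLen - 1 from RFC 8017) so the counts can be checked against realistic sizes.

```python
import hashlib
import math
from typing import Callable, Dict

# hashlib's SHAKE objects expose digest(length); we treat them as the XOF.
Shake = Callable[[bytes], "hashlib._Hash"]


def mgf1_shake(seed: bytes, mask_len: int,
               shake: Shake = hashlib.shake_256, h_len: int = 64) -> bytes:
    """MGF1 (RFC 8017, B.2.1) with a SHAKE used as a fixed-length hash.

    h_len is the assumed fixed SHAKE output length per block; MGF1 needs
    this to be fixed because it concatenates blocks Hash(seed || C).
    """
    if mask_len > (2 ** 32) * h_len:
        raise ValueError("mask too long")
    t = b""
    # One integer division (the ceiling) decides how many counter blocks.
    for counter in range(math.ceil(mask_len / h_len)):
        c = counter.to_bytes(4, "big")          # I2OSP(counter, 4)
        t += shake(seed + c).digest(h_len)      # seed || C concatenation
    return t[:mask_len]


def mgf_direct_shake(seed: bytes, mask_len: int,
                     shake: Shake = hashlib.shake_256) -> bytes:
    """Counter-free mask function in the spirit of the thread's 'MGF-V'
    proposal (assumed construction): no counter, no concatenation; the
    XOF is asked for exactly mask_len bytes."""
    return shake(seed).digest(mask_len)


def pss_db_mask_len(mod_bits: int, h_len: int) -> int:
    """RSA-PSS (RFC 8017, 9.1.1): emLen = ceil((modBits - 1) / 8),
    dbLen = emLen - hLen - 1, which is the mask length MGF must produce."""
    em_len = (mod_bits - 1 + 7) // 8
    return em_len - h_len - 1


def compare(seed: bytes, mask_len: int, h_len: int = 64) -> Dict[str, object]:
    """Run both constructions and tally the work each one does."""
    blocks = math.ceil(mask_len / h_len)
    m1 = mgf1_shake(seed, mask_len, h_len=h_len)
    md = mgf_direct_shake(seed, mask_len)
    return {
        "mgf1_mask": m1,
        "direct_mask": md,
        "masks_equal": m1 == md,          # they differ: seed||C vs seed
        "mgf1_hash_calls": blocks,
        "mgf1_concatenations": blocks,    # one seed||C per block
        "mgf1_divisions": 1,              # the ceiling computation
        "direct_hash_calls": 1,
        "direct_concatenations": 0,
        "direct_divisions": 0,
    }


if __name__ == "__main__":
    # Constructed sample: a 2048-bit modulus with a 32-byte PSS hash output.
    seed = b"constructed-sample-seed"
    db_len = pss_db_mask_len(2048, 32)
    result = compare(seed, db_len)
    print(f"dbLen={db_len}")
    for k, v in result.items():
        if not isinstance(v, bytes):
            print(f"  {k}: {v}")
```

Even for a mask that fits in a single SHAKE block the two functions produce different bytes, because MGF1 hashes `seed || 0x00000000` while the direct construction hashes `seed` alone; an implementation therefore has to commit to one definition, which is why the thread frames the choice as an interoperability question rather than a performance one. The XOF prefix property (a longer request extends, rather than changes, a shorter one) is what makes the direct form well defined without a counter.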