Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01

Russ Housley <> Mon, 17 September 2018 09:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E91951277D2 for <>; Mon, 17 Sep 2018 02:53:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id u8JTxIjQECBZ for <>; Mon, 17 Sep 2018 02:53:18 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 20412130DEA for <>; Mon, 17 Sep 2018 02:53:18 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id D9C7A300A9C for <>; Mon, 17 Sep 2018 05:53:15 -0400 (EDT)
X-Virus-Scanned: amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id dK-FcQpKp8pD for <>; Mon, 17 Sep 2018 05:53:14 -0400 (EDT)
Received: from new-host-6.home ( []) by (Postfix) with ESMTPSA id 3F9C530025D; Mon, 17 Sep 2018 05:53:14 -0400 (EDT)
From: Russ Housley <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_525DE166-C0F3-4BC4-8BF3-ADF8ABC3CB02"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 17 Sep 2018 05:53:14 -0400
In-Reply-To: <>
Cc: SPASM <>
To: Quynh Dang <>, Panos Kampanakis <>
References: <00be01d42b65$b8452ee0$28cf8ca0$> <> <086101d44538$2c0d47e0$8427d7a0$> <> <087301d44543$390807e0$ab1817a0$> <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 Sep 2018 09:53:20 -0000

Here is a part of a message to resolve the WG Last Call comments on draft-ietf-lamps-cms-shakes-01 ...

> * Message Digests - are the limits on the size only for CMS or do they apply
> everywhere that the algorithm is used.  If it is everywhere how do we
> reconcile with the usage in RSA-PSS? 
> Comment 5: Only in CMS, when a message digest is generated. For RSA-PSS,  a SHAKE has 2 different output sizes for 2 different uses: hashing a message to be signed and generating a masking value in MGF 1. 
> [JLS] After looking at this a second time, I propose that this problem be solved by creation of a new mask generation function MGF-V.   We can eliminate the counter from the operation as being un-needed and just compute the mask length and generate that many bits of input from a SHAKE function.
> I thought about that. But that would be another standard function which have not been defined  yet. How could we go from here ? And this route would take time. Using the existing MGF 1 would waste only 1 division: to figure out counter number is zero: so there is only one hash function execution. 
> [JLS2] No it is more than that.  It takes both the one division AND a concatenation AND the strangeness for trying to decide how long the SHAKE output is if one is placing it into an existing MGF1 piece of code.  If you define a new MGF-V then there is a new function that is called – which code should potentially be setup for – and zero extra work beyond that.  The size of the mask is the size of the output, no concatenation.  It is much cleaner in my opinion.

Does anyone think that using SHAKE in the RSA-PSS mask generation function is the wrong approach?