Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01

Jim Schaad <> Mon, 17 September 2018 19:49 UTC

From: Jim Schaad <>
To: 'Russ Housley' <>, 'panos Kampanakis' <>, 'Quynh Dang' <>
CC: 'SPASM' <>
Date: Mon, 17 Sep 2018 12:49:16 -0700

Ok – then let's send a request to CFRG to look at this and tell us if I am crazy to want to do this.

From: Spasm <> On Behalf Of Russ Housley
Sent: Monday, September 17, 2018 11:52 AM
To: panos Kampanakis <>; Jim Schaad <>; Quynh Dang <>
Cc: SPASM <>
Subject: Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01


Quynh, Panos, and Jim:


While it does look like a simple substitution, I do not think the LAMPS is the right group to make the assessment.  CFRG may have people with the right skills.

On Sep 17, 2018, at 2:08 PM, Panos Kampanakis (pkampana) <> wrote:


I think that falls outside the scope of this spec and the LAMPS charter, to be honest.

I mean, introducing a new MGF should not be taken lightly even if it is straightforward.

From: Jim Schaad <>
Sent: Monday, September 17, 2018 11:39 AM
To: 'Russ Housley' <>; 'Quynh Dang' <>; Panos Kampanakis (pkampana) <>
Cc: 'SPASM' <>
Subject: RE: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01

That is not the question that I was asking. I think that replacing SHA-1 with SHAKE in the MGF function is correct. I was proposing replacing the MGF function in its entirety with a new MGF function.

From: Spasm <> On Behalf Of Russ Housley
Sent: Monday, September 17, 2018 2:53 AM
To: Quynh Dang <>; Panos Kampanakis <>
Cc: SPASM <>
Subject: Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01

Here is a part of a message to resolve the WG Last Call comments on draft-ietf-lamps-cms-shakes-01 ...

* Message Digests - are the limits on the size only for CMS, or do they apply everywhere that the algorithm is used? If it is everywhere, how do we reconcile with the usage in RSA-PSS?

Comment 5: Only in CMS, when a message digest is generated. For RSA-PSS, a SHAKE has 2 different output sizes for 2 different uses: hashing a message to be signed and generating a masking value in MGF1.

[JLS] After looking at this a second time, I propose that this problem be solved by creation of a new mask generation function MGF-V.   We can eliminate the counter from the operation as being un-needed and just compute the mask length and generate that many bits of input from a SHAKE function.

I thought about that. But that would be another standard function which has not been defined yet. How could we go from here? And this route would take time. Using the existing MGF1 would waste only 1 division: to figure out that the counter number is zero, so there is only one hash function execution.

[JLS2] No, it is more than that. It takes both the one division AND a concatenation AND the strangeness of trying to decide how long the SHAKE output is if one is placing it into an existing MGF1 piece of code. If you define a new MGF-V then there is a new function that is called – which code should potentially be set up for – and zero extra work beyond that. The size of the mask is the size of the output, no concatenation. It is much cleaner in my opinion.

Does anyone think that using SHAKE in the RSA-PSS mask generation function is the wrong approach?
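As an added example (not from the draft, RFC 8017, or anyone on this thread), the two options under discussion side by side: MGF1 from RFC 8017 with SHAKE256 substituted as the hash, which needs a fixed SHAKE output length, a counter and a concatenation, beside a hypothetical MGF-V that takes the mask directly from the XOF. The function names, the 64-byte SHAKE length inside MGF1 and the seed are assumptions.

```python
import hashlib
from math import ceil

# Assumed: when SHAKE256 stands in for "Hash" inside MGF1 it is run at a fixed
# output length (64 bytes here); the thread notes this length is not obvious.
MGF1_SHAKE_OUT_LEN = 64


def shake256(data: bytes, out_len: int) -> bytes:
    """SHAKE256 XOF with a caller-chosen output length (hashlib, Python 3.6+)."""
    return hashlib.shake_256(data).digest(out_len)


def mgf1_iterations(mask_len: int, h_len: int = MGF1_SHAKE_OUT_LEN) -> int:
    """The division Quynh refers to: how many Hash calls MGF1 makes."""
    return ceil(mask_len / h_len)


def mgf1_shake256(seed: bytes, mask_len: int, h_len: int = MGF1_SHAKE_OUT_LEN) -> bytes:
    """MGF1 as in RFC 8017 Appendix B.2.1 with SHAKE256 (truncated to h_len) as Hash.
    Each block is Hash(seed || I2OSP(counter, 4)); the 4-byte counter concatenation
    is exactly what a SHAKE-based MGF-V would drop."""
    if mask_len > (1 << 32) * h_len:
        raise ValueError("mask too long")
    out = bytearray()
    for counter in range(mgf1_iterations(mask_len, h_len)):
        out += shake256(seed + counter.to_bytes(4, "big"), h_len)
    return bytes(out[:mask_len])


def mgf_v_shake256(seed: bytes, mask_len: int) -> bytes:
    """Hypothetical MGF-V as described in the thread: the mask is simply the first
    mask_len bytes of SHAKE256(seed); no counter, no concatenation, one XOF call."""
    return shake256(seed, mask_len)


if __name__ == "__main__":
    seed = b"constructed seed (not from any test vector)"
    for n in (32, 64, 100):
        a, b = mgf1_shake256(seed, n), mgf_v_shake256(seed, n)
        print(f"maskLen={n}: MGF1 needs {mgf1_iterations(n)} SHAKE call(s), "
              f"MGF-V needs 1; outputs {'differ' if a != b else 'match'}")
```

Even with a single MGF1 iteration the two masks differ, because MGF1 hashes seed || 00000000 rather than the seed alone; for MGF-V a longer mask is simply an extension of a shorter one, since SHAKE output is prefix-consistent.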