I support adoption of this draft.

Mike

I also support the adoption of this draft. If needed, once adopted I will review it and may be able to produce testvectors.

Marek.

Dear CFRG,

(This is the second of two adoption calls today.)

This email starts a 2-week adoption call for:

https://tools.ietf.org/html/draft-boneh-bls-signature-00

BLS Signature Scheme

Please give your views on whether this document should be adopted as a CFRG draft, and if so, whether you'd be willing to help work on it/review it.

Thanks,

Kenny (for the chairs)

Tony Arcieri

Hello Shoko,

ing on here with the BN462 curve..

QNR as 1+sqrt(-1), the curve is M type, and F_p^2 arithmetic will be quite
fast, but M type twists require a bit more work.

By choosing the QNR as 2+sqrt(-1) (as in your draft), the curve is D type,
with slower F_p^2 arithmetic, but faster twisting.

So its depends on which optimization is regarded as more important. I would
d still prefer to go with the M type, but really it makes little difference
. A common approach seems to be to support all QNRs of the form 2^i+sqrt(-1
), with minimal i.

So basically I am withdrawing m
y objection to the way in which BN462 has been presented in your draft.

Mike

Hello Shoko,

And thanks for your reply. I am OK with the choice of parameters for the BLS381 curve.

For the BN462 curve it would be a pity to use a suboptimal representation, when a better representation is possible. For example in https://eprint.iacr.org/2017/334.pdf, all the suggested curves use the simpler form, as it offers "the best possible arithmetic", including the original BN462 suggested curve.

Maybe, as you suggest, a choice of parameters would be a solution (or some guidance on how to switch between representations)

I'm sorry for being late for responding to your comments,

all of which are important and valuable.

Please allow me to reply to all of your comments in this single mail.

Thank you for your suggestions of the curve parameters.

As you mentioned, there are the curve parameters which provide more

efficient computation than we described,

but we emphasize the implementation status, that is,

whether the curves have been already available.

As for BN462, we refer to the parameters implemented in mcl

(https://github.com/herumi/mcl).

In this implementation, the twisted curve is set to E':y^2=x^3-u+2

and the tower of extension field is F_p6 = F_p2[v] / (v^3 - u - 2).

Their implementation of BLS12-381 has been adopted to Zcash

and we cannot ignore the curve parameters chosen in mcl.

Therefore, we would like to choose the existing curve parameters in our

draft in order for interoperability.

We understand that the parameters you suggested can indeed improve the

efficiency.

We can add these parameters to our draft if it is accepted to describe

multiple parameters.

I would be grateful if my answers could make sense.

Best,

Shoko

Hello Shoko,

Yes, that is another good =
reason. So please proceed...

Mike

Thank you for your consideration.

Another reason why we chose BN462 with 2+sqrt(-1)

is that most of the former BN curves were D type

and we would like to follow them.

We would be grateful if we could proceed with BN462

described in the current version of our draft.

Best,

Shoko

I also support the adoption of this draft.

Marek.

On Tue, Apr 30, 2019 at 5:28 PM mcgrew <mcgrew@cisco.com> wrote:

Hi Kenny and Richard,

I support the adoption of draft-barnes-cfrg-hpke, and I have some comments below.

I like the goal of an RFC that provides a self-contained normative description of "hybrid public key encryption."

It should be an explicit goal that an implementation can conform to this RFC and also conform to [keyagreement], for the NIST approved algorithms, because NIST validation is important in the industry. I suggest adding a subsection somewhere that details how this conformance is possible. Please note that I'm not asking that every possible option/ciphersuite in this document be in the NIST-approved category; rather, I'm asking that for the NIST-approved algorithms, the details such as key generation, domain parameters, and symmetric key derivation don't have any incompatibilities.

I suggest changing the name from hybrid public key encryption to something from the existing literature. According to Boyd and Mathuria, for instance, this is a key transport scheme, and the term "hybrid" has a different meaning. Something like "Key Transport for AEAD Using Discrete Log Cryptography" seems accurate, since this draft only covers DL, there is no need to have a name that would be generic to RSA and McEliece. "Asymmetric Key Transport for AEAD" would be appropriate if there is a need to be more generic.

The phrase "Hybrid public-key encryption (HPKE) is a substantially more efficient solution than traditional public key encryption techniques such as those based on RSA or ElGamal" is confusing, because combined asymmetric/symmetric crypto systems have been the preferred solution since Kohnfelder's 1978 thesis. Someone without domain expertise might mistakenly think that this draft is claiming to be an improvement over current public key algorithms. I suggest motivating this draft with something like "While there are well accepted standards for public key encryption [RFC7748][keyagreement], in several scenarios these techniques must be combined with symmetric authenticated encryption."

There should be some discussion about replay attacks and their prevention.

If there is not a strong mechanism protecting against replays, would it make sense to use an AEAD that is robust against nonce misuse, like GCM-SIV?

"A given context SHOULD be used either only for encryption or only for decryption." Why not a MUST?

It seems that there is no citation given for P-256 and P-521.

A nit: KEM is used before it is defined.

thanks

David

> On Apr 26, 2019, at 4:09 AM, Paterson Kenneth <kenny.paterson@inf.ethz.ch> wrote:

>

> Dear CFRG,

>

> (This is the first of two adoption calls today.)

>

> This email starts a 2-week adoption call for:

>

> https://tools.ietf.org/html/draft-barnes-cfrg-hpke-01

>

> Hybrid Public Key Encryption

>

> Please give your views on whether this document should be adopted as a CFRG draft, and if so, whether you'd be willing to help work on it/review it.

>

> Thanks,

>

> Kenny (for the chairs)

>

>

Hi Dan:

The paper [1] may be of interest to
your problem.

Best regards, Rene

Ref: [1] DLP - Small Generic Hardcore
Subset for DLP, Short Secret DL Keys (Claus Schnorr, Inform. Proc.
Letters, 2001)

On 5/2/2019 11:41 AM, Dan Brown wrote:

Dear CFRG, Is there a multi-user attack (e.g., see below) on _any_ 128-bit-secure public keys (e.g. 256-bit ECC keys) if they are generated by hashing 128-bit uniformly random seed? I will call this key generation method "bottleneck key generation". To be clear, all user users share the same 128-bit bottleneck, and that may be the problem. If there is indeed an multi-user attack here, is the multi-user attack (against 2^N users) prevented by using a (128+N)-bit seed, OR by using a unique-per-public-key salt/nonce/tag/personalization value? The very notion of multi-user security has always puzzled me: I question its merit as a goal. This might be why I forget how it works so easily. (Over the last day, I tried to remember/search for existing write-ups on this, see further below.) On the issue of naivety of the bottleneck key generation above, I think it very plausible that many would consider it reasonably secure. This topic touches a couple CFRG items, but seems to be question of general crypto interest. *** For completeness, here is what I think the multi-user attack on bottleneck key generation: Each of 2^32 users does the following. - User j chooses a uniformly random 128-bit seed s[j], independently of all other users. - User j computes a secret key a[j] by hashing s[j], e.g., using SHA-256 (or some other deterministic, collision-resistant function). - User j computes a public key A[j] from a[j], e.g. in ECC A[j]=a[j]*G. The attacker does the following. - Obtain all 2^32 values A[j], and sorts them, or stores in a hash-table. - Does the following up to 2^96 times: - compute a 128-bit seed, s', - compute secret key a', the same way as the user, e.g. a' = SHA256(s'), - compute public key A', the same way as the user, e.g. A' = a' * G, - check if A' in is list of A[j], via table-lookup. - If A' in A[j] is found, then attacker outputs a' as the guess for a[j]. The attacker wins the multi-user game. Success rate: The attack is expected to work with probability near 1/e (e~2.7?), essentially finding a collision at the level of seeds with s[j]=s', being a variation of the birthday paradox. (Proof sketch? Each s' has prob 2^32/2^128 of hitting an s[j], assuming all user seed distinct. This is 1/M for M=2^96. The prob of all M independent s' missing is (1-1/M)^M ~ 1/e. This ignore the prob of s[j] collisions, and SHA256 collisions, etc.) Attack cost: The attacker uses 2^96 steps (each step matching the user's cost). Hmm ... is this somehow an "optimal" multi-user attack, in the sense the cost reduction factor equals the number of users? If the seeds above are increased to 160 bits, then the multi-user attack (against 2^32 users) seems to take 2^128 steps. In this case, the multi-user security is optimal (matching single-user security). If we put a max of 2^64 users, then a 192-seed may be good enough for maximal multi-user security. Why do I question multi-user security? The cost of resisting multi-user attacks seems to be nonzero for the single user. It seems to me that the single-user should only pay for this cost if there is a common interest with other users. If there is a common interest, then maybe so formalized communal crypto is needed instead? E.g. group/ring/whatever signature? *** Relevant past work on multi-user security, in approximate chronological order: [1] Salting password hashes. Not sure what the best reference is for this. I think the oldest work is salting the password hashes. Is "salt" the usual word here? The numbers for larger seeds and keys correspond to higher security levels then passwords and hashes, but the logic is otherwise similar, isn't it? (In other words, not sure why new words would be used instead of salt.) [2] Hastad-style security analysis: I lump MANY works together, perhaps originating from Hastad, which all I eventually clued about the generality of this issue, leading me to this email.) [5] Zaverucha, https://ia.cr/2012/159, "Hybrid encryption in the multi-user setting" perhaps goes a little further than the Hastad-type attacks that I lumped together in [3], since it describes 128-bottlenecks in key derivation more generally, including the key generation and HKDF. As with [3], I have forgotten the details, and would need re-read the paper very carefully to see if it really should be lumped together with [3]. [6] NIST Special publication 800-90Ar1, specifies a "DRBG". A DRBG can be interpreted as a deterministic function mapping a 128-bit secret seed to a pseudorandom 256-key. The NIST SP 800-90Ar1 requires a "nonce" or a "personalization string", unique to each user. Is this not just another example of the "salt" solution? Is the purpose of this "multi-user" security? I find the NIST document very long, and find it difficult to be certain if the multi-user security is resolved. [7] RFC 8032 has a comment about a few missing bits of entropy (in the EdDSA key) missing not being disastrous. This claim sounds correct (see the attack where I talk about 192-bit seeds). Is the justification for this claim quantified somewhere? There was also some discussion of multi-user security surrounding EdDSA variants, so maybe bottleneck key generation is an issue for EdDSA too. [8] The randomness improvement draft https://datatracker.ietf.org/doc/draft-irtf-cfrg-randomness-improvements/ uses the term "tag", which should be user-specific (?). Another example of a "salt", if I understand it. See also https://ia.cr/2018/1057 A digression: best practice password-hashing involves costly hashes, e.g. Argon2, not just per-user salts. Costly hashes may be re-usable for public key seeding, no? Dan Brown Phone: +1 (289) 261-4157 BlackBerry, Security in Motion

