[Cfrg] Review of draft-mcgrew-hash-sigs-08
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Sun, 12 November 2017 03:56 UTC
Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46FAD1270AE for <cfrg@ietfa.amsl.com>; Sat, 11 Nov 2017 19:56:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u1uJHLDeFwZO for <cfrg@ietfa.amsl.com>; Sat, 11 Nov 2017 19:56:02 -0800 (PST)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69BA31201FA for <cfrg@irtf.org>; Sat, 11 Nov 2017 19:56:02 -0800 (PST)
Received: by mail-qt0-x236.google.com with SMTP id j58so16134538qtj.0 for <cfrg@irtf.org>; Sat, 11 Nov 2017 19:56:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=j3/Zcq8nt/7plJ21DTxUlhpZbH1nfNxC6mTXOAHBm8s=; b=OfjW6UGrvl3gOFUatKs3WWPZzmIXkJ6JDbecjAdM4tZy8fsP9cJAGw5U2d/KTtA/ma 0sU074M80XHPAUlkjlYVplwxR9Zbl5U1Zfb1ZhJwjZ3Su2DCGxTs57jtS4h3zwGn8wPU xMnbx6vrskLCb4Zqvx79haQ8pRyifgC6YvK5nUfiFK3bQFOKf0/UdD4JK4+hx4brCxjx JmozOwA+yyWvyJjEFn0wlK0T7k8XS3+tgfX8SpUCSSjFA07kd2DT/Z6MXsFYLi+tsXDt WWuqMkwZ8MWcrxKeAigJzGrlmhgg4D7n913kHEAAeMEgLaEbLfpL6e+BV9ri6ZbQRQqO eVGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=j3/Zcq8nt/7plJ21DTxUlhpZbH1nfNxC6mTXOAHBm8s=; b=Y0k0lnTJNn4d7/Zhx6suafC0lh5gint9f5aHtfshFXgNIMFPsDSlQS509jyXD74Hti Ln7bX/DvkwcUa3OhBAsMDjl3pfIP75qKiGI6q05ql8PcErSFpi+AyGJbJRuLWN757OYs 2hONpSO6cYcHNLONum6vfS98w4eBoyW6yPxW+aiYtjYKR8Sws4AxGZ5WX4wlbcrLxlTA 3qLqKiaH++CthGidBwN8LjmmZ5iV+o0EBsoAGvZCzgBv2LHzVl83hqqQqBv64NprKgDx b9bdDbdF+lRaAhMaDEeczZEgE5X1a4LM3EzxoNmoXWichz1+Kv+GO8+wM1RPSk8Ltc6J N49g==
X-Gm-Message-State: AJaThX4OZI6aWgI+rLvhvxSycOb5shxTtN/W6mGJCCtHCKjwY6ocIWVs nRxQupuv51sJttypj96wdpUN/pRfcMgVhJ5NjJo=
X-Google-Smtp-Source: AGs4zMbSMebYNIa9XmVswFPXiI1no0C90/Wor/C66syCDAxnKXB40+aBu/NenT3eZ6ZD4oQIsFvK8H9A67k6F3k1Pow=
X-Received: by 10.200.42.104 with SMTP id l37mr8020244qtl.73.1510458961368; Sat, 11 Nov 2017 19:56:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.142.67 with HTTP; Sat, 11 Nov 2017 19:56:00 -0800 (PST)
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Sun, 12 Nov 2017 06:56:00 +0300
Message-ID: <CAMr0u6k5j36f4d9m3h8t987kw34Ww=0cLwbkYGD-AQXSTkQXsw@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>, "David McGrew (mcgrew)" <mcgrew@cisco.com>
Content-Type: multipart/alternative; boundary="001a113ff480d71afc055dc121eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6ngCNs_CuiHSjemOJBfLi0pfiAM>
Subject: [Cfrg] Review of draft-mcgrew-hash-sigs-08
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Nov 2017 03:56:05 -0000
Document: draft-mcgrew-hash-sigs-08 Reviewer: Stanislav Smyshlyaev Review Date: 2017-11-11 Summary: Minor revision needed The hash-based signature scheme described in the I-D provides message authentication algorithms that remain secure after introduction of effective full-scale quantum computers. This scheme is based on the Merkle tree scheme and employs specific variant of Winternitz one-time signature. The scheme requires a small set of fixed domain parameters and can be easily adopted for the use with national-specific cryptographic primitives. A particularly important feature of the scheme is the fact that each invocation of a fixed hash function H outputs a unique byte string (except a negligible of identifiers collision). The proposed scheme was proven to be existentially unforgeable under adaptive chosen message attack (GMR-secure) in random oracle model when using second preimage resistant hash function ([F17]). It seems also not to be vulnerable against so called duplicate signature key selection attack (which is out of GMR-security definition and was firstly introduced in [BM99] since an attacker who wants to create his own key pair which can be used for successful verification of a target signature has to find a second preimage of a used hash function. The current version of the document lacks, however, comments on the post-quantum security. It would be great if such a comment appears. Since the proposed signature scheme is stateful, it is extremely important to manage its states in a secure way. The I-D proposes helpful technical implementation notes that cover synchronization issues when storing key in non-volatile memory. The document is very important, well-written and fully defines the proposed algorithms. I particularly like that there are very helpful sections that give an overview of the design rationale. There is a number of concerns, that should be addressed before the publication. Once the comments are resolved, I think that the document can be published. Formulae and algorithms to be checked for correctness: The second paragraph of Section 4.2 states that length of LM-OTS signature equals np, while it seems to be equal to 4 + n(p+1) The description of the algorithm 6 lacks parsing of parameter otstype The description of the algorithm 6b supposes that otssigtype is set directly after q, while the informal description in Section 5.4 states that otssigtype follows after the OTS value Other comments: Throughout the text: consider replacing 'signature system' with a commonly used 'signature scheme' Chapter 1: "moderatley" -> "moderately" Chapter 2: "A message/signature pair are valid" -> "... is valid" "the signature and message pair are not valid" -> "... is not valid" Section 3.1: "a four byte string S " -> "a four-byte string S" Section 3.1.1: The i^th element in an array A is denoted as A[i] -> the i-th element... The same change should be done throughout the text to avoid confusion with powers of i. Section 3.2: "I - a 16 byte identifier" -> "I - a 16-byte identifier" "i = a value between 0 and 264" -> "i - a value between 0 and 264" Function H is used in the definition of parameter i, but that function is not yet defined at that point. "a two byte identifier " -> "a two-byte identifier" Chapter 4: "a diversification parameter q (which is used as part of the security string, as listed in Section 3.2" - ")" should be added Section 4.1: Definitions of n, w, p, ls and H: last three definifons end with ".", while the first two do not. The definition or reference should be given for the notion of Winternitz coefficient. Also the same should be done with the notions Winternitz tree, Winternitz chain and LMS tree. Section 4.2: "Here SHA256 denotes the NIST standard hash function [FIPS180]." - since SHA-256 is defined together with SHA-1, SHA-384 etc., it seems better to say something like "Here SHA256 denotes the SHA-256 hash function, defined in NIST standard [FIPS180]." Section 4.5: "A checksum is used to ensure that any forgery attempt that manipulates the elements of an existing signature will be detected." - the sentence is too general and seem to not add any real information to the reader. In my opinion, it would be better to say explicitly about the vulnerability that appears if we do not use the checksum. Section 4.7: "Signature Typecode Type ," -> "Signature Typecode Type," Chapter 5: There is "Leighton Micali Signatures", but in the introduction this notion was mentioned as "Leighton-Micali Signatures". Also, the abbreviation LMS was already given in Section 1. Section 5.1: "h : the height (number of levels - 1) in the tree, and" - 1) "of" instead of "in", 2) it seems that "and" should be omitted. There are two sentences about possible usage of different hash functions - I'd prefer to seem them combined in a one, they look quite confusing in the current version. Consider adding in the end of Section 5.1 a paragraph, which explicitly defines the sizes of private key, public key and signature in terms of the used parameters. It can be useful for a reader, who first opens the document and wants to understand the overall properties of the scheme. Section 5.4: Line 3 “an LM-OTS signature, and” - it seems that “and” should be omitted. Section 5.4.1: It seems strange that the section for "LMS Signature Verification" has the number "5.5" and the "LMS Signature Generation" has "5.4.1" - maybe use "5.6" and "5.5" instead? Section 5.5: It seems more reasonable to use "Algorithm 6a" instead of "Algorithm 6" Chapter 6: In the first paragraph a general description is given for HSS with 2 levels, and in the I-D it is defined for up to 8 levels. It seems more helpful to modify the first paragraph for the case of arbitrary number of levels, not only for two. Chapter 8: "Other hash functions may be used in future specifications; all the ones that we will be likely to support (SHA-512/256 and the various SHA-3 hashes) would work well with a 16 byte I value." - mentioning SHA-256 here among "other hash functions" looks confusing, given the whole I-D defines schemes for SHA-256. Chapter 12: "an attacker who does not know the private key associated with a public key can find a message and signature that are valid with that public key" - maybe "a new message" or "a message which is different from all previously signed ones". There is a very helpful text about formatted inputs of a hash - I'd recommend to add a subtitle before it (use 12.1 before "The format of the inputs to..."). "pseuddorandom" -> "pseudorandom" "This can be shown (in [Fluhrer17]) ..." -> "This is shown (in [Fluhrer17]) ..." Section 12.1 "It is essential for security that the application ensure" -> "ensures" "until the data has been to the underlying hardware" - maybe add "stored" or "written" after "has been"? In your IETF 97 slides there was a slide with "Anti-Copying Token in Private Key Files" (slide 19 in https://datatracker.ietf.org/ meeting/97/materials/slides-97-cfrg-hash-based-signatures- update-and-batch-message-signing/) - won't it be helpful to add those recommendation in Chapter 12 also? Chapter 12: "where HSS need only perform one" -> "needs only to perform one" "HSS is somewhat simpler" - this looks quite vague and uncertain - maybe it would be better to get rid of this phrase?.. References: "Buchmann, J., Dahmen, E., and . Andreas Hulsing," - remove "." before "Andreas" Appendix A: "however any other cryptographical secure method of generating private keys would also be safe." - formally, this is not true: if the previously mentioned formula is used with, say, 254 instead of 255, it would be generally "cryptographically secure", but won't be very good for the considered case. Maybe just get rid of this (quite vague) sentence at all? "cryptographical secure method" -> " cryptographically secure method" [BM99]: Blake-Wilson S., Menezes A., "Unknown key-share attacks on the station-to-station (STS) protocol", Lect. Notes Comput. Sci., 1560, 1999, 156?170. [F17]: Fluhrer S., "Further analysis of a proposed hash-based signature standard", EPrint IACR Archieve, http://eprint.iacr.org/2017/553.pdf.
- [Cfrg] Review of draft-mcgrew-hash-sigs-08 Stanislav V. Smyshlyaev