Probing - BU
Transcript of Probing - BU
![Page 1: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/1.jpg)
![Page 2: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/2.jpg)
![Page 3: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/3.jpg)
![Page 4: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/4.jpg)
![Page 5: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/5.jpg)
•
•
•
•
![Page 6: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/6.jpg)
![Page 7: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/7.jpg)
![Page 8: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/8.jpg)
![Page 9: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/9.jpg)
![Page 10: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/10.jpg)
![Page 11: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/11.jpg)
![Page 12: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/12.jpg)
![Page 13: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/13.jpg)
![Page 14: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/14.jpg)
![Page 15: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/15.jpg)
![Page 16: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/16.jpg)
![Page 17: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/17.jpg)
![Page 18: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/18.jpg)
![Page 19: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/19.jpg)
![Page 20: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/20.jpg)
![Page 21: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/21.jpg)
✔ ✔
✔ ✔ ✔
✔ ✔
✔ ✔ ✔
![Page 22: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/22.jpg)
✔ ✔
✔ ✔ ✔
✔ ✔
✔ ✔ ✔
![Page 23: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/23.jpg)
![Page 24: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/24.jpg)
![Page 25: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/25.jpg)
![Page 26: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/26.jpg)
![Page 27: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/27.jpg)
![Page 28: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/28.jpg)
•
•
•
![Page 29: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/29.jpg)
![Page 30: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/30.jpg)
![Page 31: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/31.jpg)
![Page 32: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/32.jpg)
![Page 33: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/33.jpg)
![Page 34: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/34.jpg)
![Page 35: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/35.jpg)
✔ ✔
✔ ✔ ✔
✔ ✔
✔ ✔ ✔
![Page 36: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/36.jpg)
•
•
![Page 37: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/37.jpg)
![Page 38: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/38.jpg)
8000
16000
32000
64000
128000
8000 28000 48000 68000 88000 108000 128000
NSEC3-ECDSAP256
NSEC3-RSA2048
NSEC5-ECC
NSEC5-RSA2048
PowerDNS-WhiteLies-ECDSAP256
![Page 39: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/39.jpg)
![Page 40: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/40.jpg)
![Page 41: Probing - BU](https://reader030.fdocuments.net/reader030/viewer/2022032410/6232e860287f771acd78fba9/html5/thumbnails/41.jpg)
Public parameters. Let q be a prime number, Zq bethe integers modulo q, Z∗q = Zq−{0}, and let G a cyclicgroup of prime order q with generator g. We assumethat q, g and G are public parameters of our scheme.Let H1 be a hash function (modeled as a random ora-cle) mapping arbitrary-length bitstrings onto the cyclicgroup G. (See Appendix A for a suggested instantia-tion of H1.) Let H3 be a hash function (modeled as arandom oracle) mapping arbitrary-length bitstrings tofixed-length bitstrings. We can use any secure crypto-graphic function for H3; in fact, we need only the first` bits of its output for `-bit security. Let H2 be a func-tion that takes the bit representation of an element ofG and truncates it to the appropriate length; we needa 256 bit output for 128-bit security.
Keys. The secret VRF key x ∈ Zq is chosen uni-formly at random. The public VRF key is gx.
Hashing. Given the secret VRF key x and input α,compute the proof π as:
1. Obtain the group element h = H1(α) and raise itto the power of the secret key to get γ = hx.
2. Choose a nonce k ∈ Zq.3. Compute c = H3(g, h, gx, hx, gk, hk).4. Let s = k − cx mod q.
The proof π is the group element γ and the two expo-nent values c, s. (Note that c may be shorter than afull-length exponent, because its length is determinedby the choice of H3). The VRF output β = FSK (α) iscomputed by truncating γ with H2. Thus
π = (γ, c, s) β = H2(γ)
Notice that anyone can compute β given π.
Verifying. Given public key gx , verify that proof πcorresponds to the input α and output β as follows:
1. Given public key gx, and exponent values c and sfrom the proof π, compute u = (gx)c · gs.Note that if everything is correct then u = gk.
2. Given input α, hash it to obtain h = H1(α). Makesure that γ ∈ G. Use h and the values (γ, c, s) fromthe proof to compute v = (γ)c · hs. Note that ifeverything is correct then v = hk.
3. Check that hashing all these values together givesus c from the proof. That is, given the values uand v that we just computed, the group element γfrom the proof, the input α, the public key gx andthe public generator g, check that:
c = H3(g,H1(α), gx, γ, u, v)
Finally, given γ from the proof π, check that β = H2(γ).
Figure 2: An EC-based VRF for NSEC5. We use amultiplicative group notation. This VRF adapts theChaum-Pederson protocol [28] for proving that twocyclic group elements gx and hx have the same discretelogarithm x base g and h, respectively.
tion, which roughly says that hx looks random giventhe tuple (g, gx, h). Also, because [32,37] did not provethat this construction is a VRF, we provide new formalproofs that this VRF satisfies selective pseudorandom-ness and trusted uniqueness in Appendix B.
The construction is in Figure 2 and can be instanti-ated over any group where the decisional Diffie-Hellman(DDH) problem is hard, including the elliptic curvescurrently standardized in DNSSEC (NIST P-256 [45,Sec. 3]), and Curve25519 [50] which has recentlybeen proposed for use with DNSSEC [47, 67]. Each ofthese curves achieves an approximately 128-bit securitylevel [21,45]. Both of these curves operate in finite fieldFq, where q is a 256-bit prime.
Instantiation. What response lengths do we getwhen we instantiate NSEC5 with the VRF in Figure 2over 256-bit elliptic curves?
Each NSEC5 record will once again contain two hashoutputs (each corresponding to β in Figure 2) alongwith a DNSSEC signature. We instantiate H2 in Fig-ure 2 with the function that outputs the x coordinate(abscissa) of a point (x, y) on the elliptic curve (wherex, y ∈ Fq). Thus, each β will be 256-bits long.
We instantiate H1 per Appendix A.Next, observe that each NSEC5PROOF record will
contain the proof value π = (γ, c, s) from Figure 2. Howlong is π? If we instantiate the VRF using a 256-bitelliptic curve (e.g., NIST P-256 or Ed25519), then s is256 bits long. Meanwhile, γ is a point on the ellipticcurve, which can be represented with 256 + 1 bits usingpoint compression.6 Finally, we show (in Appendix B)c must be `-bits long for an `-bit security level. Wetherefore instantiate H3 as the first 128 bits output bythe SHA-256 hash function.
It follows that proof π will be p = 256+1 + `+256 =513 + ` bits for a `-bit security level; thus, p = 641 fora 128-bit security level. Achieving the same securitylevel with RSA requires 3072-bit RSA, which results inNSEC5PROOFS that are about 5 times longer!
6The idea behind point compression is to represent a pointwith coordinates (x, y) using only its abscissa x (whichis 256 bits long) and a single bit that indicates whichsquare root (positive or negative) should be used for theordinate y. Without point compression, both coordinatesmust be transmitted, for a total length of 256+256 bits.(Thus, without point compression our proof π would be2 ∗ 256 + 128 + 256 = 896 bits long.) There has been somecontroversy over whether or not point compression is coveredby a patent, and whether its use in DNSSEC correspondsto patent infringement [71]. However, as Bernstein [20] ar-gues: “a patent cannot cover compression mechanisms [ap-pearing in the paper by Miller in 1986 [54] that was] pub-lished seven years before the patent was filed.” Moreover,new IETF specifications for elliptic curve digital signaturesusing Ed25519 also use point compression [47].
6