Re: [CFRG] How to construct a hybrid signature combiner?
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 31 March 2024 16:19 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43777C14F5FD for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 09:19:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GclFOIQh_Kq8 for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 09:19:31 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00DF4C14F5E4 for <cfrg@irtf.org>; Sun, 31 Mar 2024 09:19:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 2CDAB1DBFA for <cfrg@irtf.org>; Sun, 31 Mar 2024 19:19:27 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 2m8jsJ4Lulr6 for <cfrg@irtf.org>; Sun, 31 Mar 2024 19:19:27 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id F3A327A for <cfrg@irtf.org>; Sun, 31 Mar 2024 19:19:25 +0300 (EEST)
Date: Sun, 31 Mar 2024 19:19:25 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cfrg@irtf.org
Message-ID: <ZgmNDS1g9GLNl_FB@LK-Perkele-VII2.locald>
References: <ZgF_KMBHX-q5Ogyk@LK-Perkele-VII2.locald> <20240325145257.981419.qmail@cr.yp.to>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20240325145257.981419.qmail@cr.yp.to>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JIkMfCeWFONFHbNOS49vsfSG6g4>
Subject: Re: [CFRG] How to construct a hybrid signature combiner?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 16:19:33 -0000
On Mon, Mar 25, 2024 at 02:52:57PM -0000, D. J. Bernstein wrote: > Ilari Liusvaara writes: > > The end result of only having message signatures would be hybrid > > signatures not getting deployed at all, or protocol designers coming > > up with their own ways, completely incompatible and with all sorts of > > exciting problems. > > Please clarify. What does "only having message signatures" mean here? Is > this supposed to be a property that isn't achieved by the signed > messages "(s2,s1,r,h,m)" from my previous email? "only having message signatures" means not having the raw message (m) in the tuple. If one has m in the tuple, it is trivial to split it out for detached signatures. > Signed-message APIs reduce errors. Consequently, it's good for a > combiner to be designed so that a signed-message API for the combiner is > easy to build from such APIs for the internal signature schemes. This is > compatible with the same combiner _also_ allowing a detached-signature > API, such as sending (s2,s1,r,h) detached from the original message m. Reduce errors, yes. Unfortunately most stuff has been designed in a way that requires detached-signature API. Another API consideration: That (s2,s1,r,h) needs to be packed as a byte string. Not doing so would cause a lot of completely unnecessary complexity. A fairly minor example can be seen with ECDSA: Some stuff uses whatever that ASN.1 based signature format is (blech) and others use the simpler concatenated format. (And I would worry less if there was no feasible way to come up with any (message, signature) pairs valid under the component keys from the hybrid signature. However, no generic combiner can have this property (there is a trivial attack), but I do not see any theoretical blocker for non-generic hybrids.) -Ilari
- [CFRG] How to construct a hybrid signature combin… Simon Josefsson
- Re: [CFRG] [EXTERNAL] How to construct a hybrid s… Mike Ounsworth
- Re: [CFRG] How to construct a hybrid signature co… D. J. Bernstein
- Re: [CFRG] How to construct a hybrid signature co… Ilari Liusvaara
- Re: [CFRG] How to construct a hybrid signature co… D. J. Bernstein
- Re: [CFRG] How to construct a hybrid signature co… Simon Josefsson
- Re: [CFRG] How to construct a hybrid signature co… Ilari Liusvaara
- Re: [CFRG] How to construct a hybrid signature co… D. J. Bernstein
- Re: [CFRG] How to construct a hybrid signature co… Loganaden Velvindron