[CFRG] Re: Request for adoption: Signature modes guidance / draft-harvey-cfrg-mtl-mode-03

"Kaliski, Burt" <bkaliski@verisign.com> Fri, 09 August 2024 15:21 UTC

Return-Path: <bkaliski@verisign.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AF8FC14F702 for <cfrg@ietfa.amsl.com>; Fri, 9 Aug 2024 08:21:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.407
X-Spam-Level:
X-Spam-Status: No, score=-4.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7gN_UDkQ8nq4 for <cfrg@ietfa.amsl.com>; Fri, 9 Aug 2024 08:21:38 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) by ietfa.amsl.com (Postfix) with ESMTP id 3759DC14F6F4 for <cfrg@irtf.org>; Fri, 9 Aug 2024 08:21:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=9586; q=dns/txt; s=VRSN; t=1723216898; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=i74J8ebG1iY7HVMXLxv87n96Y9iPYNL9CF5HxVXVBLQ=; b=gSuZBIWaFPmtnQqPeVGQ273Wlzw6E5FbOV/hz8r2YBrC0VsibuldvhIv jwQQJEcQkh3TO+uMIikp4O5UcNzYvkFr3TPrWGQ++xJQ5QSFzi7JBYt+P ip4fW6V8BEEDvr77UYKzrfUvOcYwAAhjR+L2w5EX6VjAAvEEhhxa7Q1vm 54t7xxN8W/wjHIdAyAl0dKKuDfSULbq2GBzfS5LySvX/hJRUsMIFYF8Pd 8hGWYM16PqjvkRnoLk+7S+hf8gdwhdzAXlyjiZNryoQuWDwaVo80buJ6n YagmXzlJVDMHap5CZWUoF3pf1meAOqEllAdAHnWcPEuA+eoy2vRe0gxFT w==;
X-CSE-ConnectionGUID: nWDwo6ClTrGas9UjI9vIRQ==
X-CSE-MsgGUID: v6DFS6FASW6MmUDjbATzQQ==
X-ThreatScanner-Verdict: Negative
IronPort-Data: A9a23:kEunnaP+ZBwzDdbvrR3JlsFynXyQoLVcMsEvi/4bfWQNrUp2hjcFm GQXXGvVb/aCZWPyLosiO4yypBwD6MXWzd43GQZtpSBmQkwRpJueD7x1DKtS0wC6dZSfER09v 63yTvGacajYm1eF/k/F3oDJ9CQ6iOfRAOKhVYYoAwgpLSd8UiAtlBl/rOAwh49skLCRDhiE0 T/Ii5S31GSNhXgsYwr414rZ8Ekz5KSq6WtC1rADTasjUGH2xiF94K03ePnZw0vQGuF8AuO8T uDf+7C1lkux1wstEN6sjoHgeUQMRLPIVSDW4paBc/H/6vTqjnVaPpcTbJLwW28O49m6t4kZJ OF2iHCFYVxB0pvkw71BDkYCQ0mSCoUdkFPPCSDXXcW7kRWaIyO0qxlkJBle0YYwoo6bDYzSn BCxxf9kgh2r3oqLLLyHpuZEgPsPM861F4cjoF5p1mDkD9d3X7H5evCfjTNY9G9YasFmPNLxP vU/RAo3NlLeaBpVIhEeBNQghvyuwHL4dlW0qnrM/extvzaVlVErluKzWDbWUoXiqcF9lEWRo mPd/GXRHBwANceexjzD+XWp7gPKtXimBNpMTuXinhJsqEPN6kIoVjM/bmTlhPyEpky0cu5NE nVBr0LCqoB3riRHVOLVVBOir1aFpAISHd1KHIUHBBqly67buhmfC3hcFHtadsZgsc4tADYtk F6NkIqvGyZ0tvueTnf1GqqokA5e8BM9dQcqDRLohyNcizU/iOnfVi7yc+s=
IronPort-HdrOrdr: A9a23:Won6J69M1AP+0hCUTKpuk+AFI+orL9Y04lQ7vn2ZLiYlF/Bw9v re/sjzuiWVtN98Yh8dcLO7V5VoKEm0naKdirNhXotKMjOGhEKYaK9v6of4yyDtFmnU5odmuZ tIQuxbBMfrBVZ3yeT38GCDeeoI8Z2i/LqzjenTi01xSxpnApsM0y5iBh2FHlZNSA5KOJo8GP OnjfZ6mw==
X-Talos-CUID: 9a23:xBjx8m/kpcoOIHjouJ+Vv0grNt8iLFbZ8G3/KlTpNGRIGaO0c2bFrQ==
X-Talos-MUID: 9a23:RUzhWAYmLiUIN+BTqWHAqgo8Gu5T3PqLDX0hk58vh9u9DHkl
X-IronPort-AV: E=Sophos;i="6.09,276,1716249600"; d="scan'208";a="35406202"
Received: from ILG1WNEX01.vcorp.ad.vrsn.com (10.246.152.25) by ILG1WNEX02.vcorp.ad.vrsn.com (10.246.152.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.37; Fri, 9 Aug 2024 11:21:36 -0400
Received: from ILG1WNEX01.vcorp.ad.vrsn.com ([10.246.152.25]) by ILG1WNEX01.vcorp.ad.vrsn.com ([10.246.152.25]) with mapi id 15.01.2507.037; Fri, 9 Aug 2024 11:21:36 -0400
From: "Kaliski, Burt" <bkaliski@verisign.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Request for adoption: Signature modes guidance / draft-harvey-cfrg-mtl-mode-03
Thread-Index: AdrnPT76cphfzukXQ+q85fcbW10/RQDJLKQg
Date: Fri, 09 Aug 2024 15:21:36 +0000
Message-ID: <1303edf5a027444ca135ba36a579e186@verisign.com>
References: <43f8434f68c144f38b4a4a3933841899@verisign.com>
In-Reply-To: <43f8434f68c144f38b4a4a3933841899@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Message-ID-Hash: MNLBJKBIKNDN344553PLQ6YXL6MLOGBO
X-Message-ID-Hash: MNLBJKBIKNDN344553PLQ6YXL6MLOGBO
X-MailFrom: bkaliski@verisign.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: Request for adoption: Signature modes guidance / draft-harvey-cfrg-mtl-mode-03
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KM_qiaK3VN-BZ5OPkm1cZQkg_bI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Thanks all for the thoughtful feedback to my request.

I've included responses to the technical comments below.

Note that although draft-harvey-cfrg-mtl-mode-03 is the document under discussion, the proposal I'm making is broader. I am asking that CFRG provide guidance to protocol designers on signature modes of operation more generally.  In particular, how to combine hash functions and other techniques with an underlying signature algorithm to obtain additional security and operational properties.

> [Watson Ladd] I don't understand why this is in the CFRG: it seems to be squarely in the line of decisions WGs have made outside CFRG such as keytrans or CT.

WGs have made decisions on using pre-hashing and Merkle tree constructions in various ways, and they could continue to do so for MTL mode and other techniques. However, while WGs may have built on one another's experiences in deciding on their cryptographic constructions, the specifications of these constructions have generally been made within the applications themselves.

Having common specifications for these kinds of constructions would be helpful not only for interoperability but also for addressing security questions such as:

(a) which hash functions to use in combination with particular signature algorithms (discussions along these lines are underway in LAMPS for composite signatures); 
(b) how to handle the case that an application uses the same key pair in two different modes (e.g. "pure" and "pre-hashing" -- should there be a "domain separator");
(c) whether and when to include other inputs to the hash functions (randomizer, public key, etc.) to achieve additional security properties;
(d) how to model interactions between the use of hash and other functions in the construction, and in the underlying signature algorithms, as they mayaffect security proofs.

Questions like these are more squarely in the line of CFRG than in the WGs integrating the constructions into their applications.

> [Watson Ladd] Separately while I think the idea is interesting, there's a lot of operational and structural questions to actually apply it very closely ingrained with application and protocol level considerations. CFRG isn't really suited to determine if this will work. This is not to say it shouldn't be pursued, but I just have a lot of questions about how it would work fro DNSSEC for instance.

Agreed. We expect that specifications for integrating MTL mode into a given application, e.g., DNSSEC (see draft-fregly-dnsop-slh-dsa-mtl-dnssec-02) will give further detail specific to the application. The focus for CFRG would be the cryptographic constructions.

> [Richard Barnes] I tend to agree with Watson here. It's not clear to me why this is a new signing mode vs. just another data structure that gets signed.  Plenty of other signed hash-based data structures have been defined by Certificate Transparency, the various flavors of Key Transparency, and others. As Watson says, and as these examples illustrate, the details of these data structures tend to be pretty application-specific. So it seems like this work might be better done in a venue with more DNSSEC expertise, even if it might be reusable elsewhere.

As noted, the focus for CFRG would be on the cryptographic constructions. These reusable parts would benefit from CFRG expertise on the state of the art in cryptographic design. For example, draft-harvey-cfrg-mtl-mode-03 adopts techniques from SPHINCS+ to reduce the size of the internal hash values and to move to security properties such as multi-function, multi-target second-preimage resistance. These kinds of changes are much more within CFRG expertise than DNSSEC.

> [Mike Ounsworth] But CT doesn't externalize data needed to validate the signature into the CT data. I think that's what makes it a "signature mode" rather than a "protocol".

> I also think that the authors are trying to get cryptographic review of the crypto and show that this mode could be used beyond DNSSEC, hence bringing it to CFRG.

Yes, in MTL mode, signatures can be distributed in two parts, a short "condensed signature" for a specific message, and a longer "signed ladder" that can authenticate multiple messages. The two parts of the signature for a given message can also vary over time as additional messages are signed. We see this approach as a signature mode because the parts are cryptographic constructions and agree that it could be used beyond DNSSEC.

-- Burt

(Note:  Reference [10] in my initial email refers to draft-ietf-lamps-pq-composite-kem-04.  It should have referred to draft-ietf-lamps-pq-composite-sigs-02.)


-----Original Message-----
From: Kaliski, Burt
Sent: Monday, August 5, 2024 9:43 AM
To: 'cfrg@irtf.org' <cfrg@irtf.org>
Cc: Fregly, Andrew <afregly@verisign.com>; Harvey, Joseph
<jsharvey@verisign.com>; Sheth, Swapneel <ssheth@verisign.com>
Subject: Request for adoption: Signature modes guidance /
draft-harvey-cfrg-mtl-mode-03

CFRG,

Following up on my presentation at IETF 120, I would like to request that
CFRG adopt draft-harvey-cfrg-mtl-mode-03 [1] as part of a broader research
effort to provide guidance on modes of operation for digital signature
schemes in applications.  The authors' rationale is as follows:

* NIST is in the process of standardizing what are effectively two modes of
operation for FIPS 204 and 205 - "pure signing" where the message is signed
directly with the underlying signature scheme and "pre-hash signing" where
the hash of the message is signed.  NIST has also introduced a "domain
separator" format to distinguish the two modes [2].
(draft-harvey-cfrg-mtl-mode-03 adopts the domain separator format to
distinguish MTL mode from others.)

* There are discussions underway on these topics on NIST's pqc-forum mailing
list [3].  It seems prudent that CFRG advance guidance to applications on
how and when to use pure signing vs. pre-hash signing, how to use domain
separators and context strings in inputs to signature schemes, and how to
approach other modes of operation.

* The initial use case for MTL mode is DNSSEC, as described in
draft-fregly-dnsop-slh-dsa-mtl-dnssec-02 [4].  The current draft includes an
example zone file signed with SPHINCS+ (SLH-DSA) in MTL mode.  The authors
hosted a hackathon session [5] on the draft at IETF 120 and also presented
[6] at HotRFC.  In addition, following the PQ DNSSEC side meeting [7], a new
non-WG mailing list, pq-dnssec [8], was formed in the Security Area.  The
mailing list will be used for discussions of
draft-fregly-research-agenda-for-pqc-dnssec-01 [9].  MTL mode is one of
several approaches for reducing the operational impact of post-quantum
signatures identified in the draft.

* Another example of a signature mode where CFRG guidance would be helpful
is composite signatures [10].  For instance, if the composite signature
construction is applied to FIPS 204/205, does this mean that FIPS 204/205 is
operated in "pure" mode (because the pre-hashing has already been done)?
And how should an application use the optional context string provided by
FIPS 204/205 in a composite construction?

* Verisign announced a public, royalty-free license to certain intellectual
property related to draft-harvey-cfrg-mtl-mode-03.  IPR declarations
6174-6176 [11] give the official language.

Thanks -- Burt

[1] J. Harvey, B. Kaliski, A. Fregly, S. Sheth.  Merkle Tree Ladder (MTL)
Mode Signatures.  draft-harvey-cfrg-mtl-mode-03, June 12, 2024,
https://datatracker.ietf.org/doc/draft-harvey-cfrg-mtl-mode/03/
[2] D. Moody. Updates on pre-hash for FIPS 204 and 205.
pqc-forum@list.nist.gov mailing list, April 19, 2024,
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/JKMh0D0pa30/m/vbflXo
lxAQAJ.
[3] pqc-forum mailing list,
https://groups.google.com/a/list.nist.gov/g/pqc-forum
[4] A.M. Fregly, B. Kaliski. J. Harvey, D. Wessels.  Stateless Hash-Based
Signatures in Merkle Tree Ladder Mode (SLH-DSA-MTL) for DNSSEC.
draft-fregly-dnsop-slh-dsa-mtl-dnssec-02, July 8, 2024,
https://datatracker.ietf.org/doc/draft-fregly-dnsop-slh-dsa-mtl-dnssec/02/
[5] Exploring Implementation Approaches for Merkle Tree Ladder Mode
Signatures for DNSSEC, IETF 120 Hackathon,
https://wiki.ietf.org/en/meeting/120/hackathon
[6] A. Fregly, Stateless Hash-Based Signatures in Merkle Tree Ladder Mode
(SLH-DSA-MTL) for DNSSEC, IETF 120 HotRFC,
https://datatracker.ietf.org/meeting/120/materials/slides-120-hotrfc-sessa-0
4-stateless-hash-based-signatures-in-merkle-tree-ladder-mode-01
[7] Side Meetings at IETF 120,
https://wiki.ietf.org/en/meeting/120/sidemeetings
[8] pq-dnssec mailing list,
https://mailarchive.ietf.org/arch/browse/pq-dnssec/
[9] A.M. Fregly et al., Research Agenda for a Post-Quantum DNSSEC.
draft-fregly-research-agenda-for-pqc-dnssec-01, June 26, 2024,
https://datatracker.ietf.org/doc/draft-fregly-research-agenda-for-pqc-dnssec
/01/
[10] M. Ounsworth et al., Composite ML-KEM for Use in the Internet X.509
Public Key Infrastructure and CMS.  draft-ietf-lamps-pq-composite-kem-04,
July 8, 2024,
https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-kem/04/
[11]
https://datatracker.ietf.org/ipr/search/?draft=draft-harvey-cfrg-mtl-mode&rf
c=&doctitle=&group=&holder=VeriSign%2C+Inc.&iprtitle=&patent=&submit=draft