Re: [CFRG] [EXTERNAL] How to construct a hybrid signature combiner?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 22 March 2024 22:36 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Fri, 22 Mar 2024 22:36:01 +0000
Message-ID: <CH0PR11MB5739111D52169235309807069F312@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <87o7b6szhh.fsf@kaka.sjd.se>
In-Reply-To: <87o7b6szhh.fsf@kaka.sjd.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Smbfvk91FIgui3iBzz4r7_plvc4>
Subject: Re: [CFRG] [EXTERNAL] How to construct a hybrid signature combiner?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Hi Simon,

For more work on this topic, see:

https://datatracker.ietf.org/doc/draft-hale-pquip-hybrid-signature-spectrums/

- Mike Ounsworth
________________________________
From: CFRG <cfrg-bounces@irtf.org> on behalf of Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Sent: Saturday, March 23, 2024 7:55:38 AM
To: cfrg@irtf.org <cfrg@irtf.org>
Subject: [EXTERNAL] [CFRG] How to construct a hybrid signature combiner?

All,

Prompted by discussions in the OpenPGP WG etc, it would help to
establish one hybrid signature construct that combines one traditional
signature scheme (e.g., EdDSA) and one post-quantum signature scheme
(e.g., robust SPHINCS+) into one instantiated hybrid signature scheme.
It should be a single identified algorithm that could be dropped into
any place we use, e.g., Ed25519 today.

Some people dislike hybrid signature schemes, dismissing them as
unnecessary, but without any concrete hybrid signature scheme to compare
with, it feels like comparing apples with imaginary oranges and
dismissing the latter because we already have apples.

For hybrid KEM, we know how to create optimized hybrids (X-Wing) and how
to safely create generic instances using Chempat --
https://datatracker.ietf.org/doc/html/draft-josefsson-chempat-00 --
however understanding the requirements took some time.

What to recommend for hybrid signature schemes?

Let's start with an example: OpenPGP considers a composite signature
scheme using ML-DSA + EdDSA like this:

  6.2.3. Signature Generation

  To sign a message M with ML-DSA + EdDSA the following sequence of
  operations has to be performed:

  1. Generate dataDigest according to [I-D.ietf-openpgp-crypto-refresh]
  Section 5.2.4

  2. Create the EdDSA signature over dataDigest with EdDSA.Sign() from
  Section 6.1.1

  3. Create the ML-DSA signature over dataDigest with ML-DSA.Sign() from
  Section 6.1.3

  4. Encode the EdDSA and ML-DSA signatures according to the packet
  structure given in Section 6.3.1.

  6.2.4. Signature Verification

  To verify a ML-DSA + EdDSA signature the following sequence of
  operations has to be performed:

  1. Verify the EdDSA signature with EdDSA.Verify() from Section 6.1.1

  2. Verify the ML-DSA signature with ML-DSA.Verify() from Section 6.1.3

  As specified in Section 4.3 an implementation MUST validate both
  signatures, i.e. EdDSA/ECDSA and ML-DSA, successfully to state that a
  composite ML-DSA + ECC signature is valid.

https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#name-signature-generation

This is a naive approach.  I'm not saying it is bad, but it opens up for
questions.  Should verification fail early if one signature fails, or
should both signatures be verified and the return be A AND B?  There are
interesting oracles in here.

You could equally well consider a scheme like this:

s1 := EdDSA(m)
s2 := ML-DSA(s1||m)
return s1 || s2

However this doesn't bind public keys.  Do we need to bind public keys
to avoid some attacks?

Some properties of hybrid signature schemes are discussed here:

https://datatracker.ietf.org/doc/html/draft-ietf-pquip-pqt-hybrid-terminology-02#name-properties

The Simultaneous Verification property seems nice and strong, but is it
sufficient to generally offer good composability of two arbitrary
algorithms?

Finally:

What properties should a good generic hybrid signature combiner have?

Can we describe one example?

Can we give some examples of bad hybrid signature schemes, to better
understand the failure modes of signature combiners?

/Simon
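
The two questions raised in the message above (evaluate both verifications and return A AND B, and whether to bind public keys) can be tried out with the following Go sketch, which is an added example and not code from the message or from any of the cited drafts. It assumes ECDSA P-256 as a stand-in for ML-DSA (the Go standard library has no ML-DSA), and the label "example-hybrid-v1" and all function names are made up for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// digest is what both components sign. bind=true hashes a label (made up here)
// and both public keys ahead of m. ECDSA P-256 stands in for ML-DSA.
func digest(edPub ed25519.PublicKey, ecPub *ecdsa.PublicKey, m []byte, bind bool) []byte {
	h := sha256.New()
	if bind {
		der, _ := x509.MarshalPKIXPublicKey(ecPub)
		h.Write(append(append([]byte("example-hybrid-v1"), edPub...), der...))
	}
	h.Write(m)
	return h.Sum(nil)
}

func Sign(ed ed25519.PrivateKey, ec *ecdsa.PrivateKey, m []byte, bind bool) ([]byte, []byte) {
	d := digest(ed.Public().(ed25519.PublicKey), &ec.PublicKey, m, bind)
	s2, _ := ecdsa.SignASN1(rand.Reader, ec, d)
	return ed25519.Sign(ed, d), s2
}

// Verify evaluates both component checks before combining them: A AND B.
func Verify(edPub ed25519.PublicKey, ecPub *ecdsa.PublicKey, m, s1, s2 []byte, bind bool) bool {
	d := digest(edPub, ecPub, m, bind)
	ok1, ok2 := ed25519.Verify(edPub, d, s1), ecdsa.VerifyASN1(ecPub, d, s2)
	return ok1 && ok2
}

// Demo: [hybrid verifies, hybrid with truncated s2 verifies, s1 alone verifies over H(m)].
func Demo(bind bool) [3]bool {
	edPub, ed, _ := ed25519.GenerateKey(rand.Reader)
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	m, pub := []byte("constructed sample message"), &ec.PublicKey
	s1, s2 := Sign(ed, ec, m, bind)
	return [3]bool{Verify(edPub, pub, m, s1, s2, bind),
		Verify(edPub, pub, m, s1, s2[:len(s2)-1], bind),
		ed25519.Verify(edPub, digest(edPub, pub, m, false), s1)}
}

func main() { fmt.Println(Demo(false), Demo(true)) } // [true false true] [true false false]
```

In the unbound variant the Ed25519 component is also accepted on its own as an ordinary signature over the plain hash of the message; once the label and both public keys are hashed in, it is not.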