[CFRG] Do we have unsafe uses of Ed448 and Ed25519? Fix, Ed448?
Dan Brown <dan.brown.cryptographer@gmail.com> Wed, 11 September 2024 18:48 UTC
Message-ID: <f49bcf97-1612-4252-b682-60b7a868f500@gmail.com>
Date: Wed, 11 Sep 2024 14:48:31 -0400
To: cfrg@irtf.org
From: Dan Brown <dan.brown.cryptographer@gmail.com>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/bG8uGU5SitnUoFBtgt0AOoaAOdQ>
Kaliski argued (AFAICR) that hash firewalls in signatures were ineffective:

Kaliski, B.S. (2002). On Hash Function Firewalls in Signature Schemes. In: Preneel, B. (eds) Topics in Cryptology — CT-RSA 2002. CT-RSA 2002. Lecture Notes in Computer Science, vol 2271. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45760-7_1

What has changed since 2002 to support effectiveness of a hash firewall, such as the proposal below?

Was this hash firewall in HashML-DSA deemed effective?

If the HashML-DSA hash firewall is effective, then what is the new distinction, perhaps about lattices, that made Kaliski's observations inapplicable?

(No rush: I can scan PQC-forum to find out, re-read Kaliski 2002, etc.)

> Date: Tue, 10 Sep 2024 14:02:57 -0400
> From: Phillip Hallam-Baker <phill@hallambaker.com>
>
> ...
>
> The concern is a downgrade attack where the attacker substitutes a weak digest for a strong one. Some people seem to think this is an implausible attack but it really is not because there is no way for the signer to control the set of digests accepted by the verifier.
>
> For example, Alice signs a PDF document and sends it to Bob who checks it using an application that Mallet has added his own digest verifier to. Yes, this assumes a degree of platform compromise but so does every privilege escalation attack and those are something we worry about A LOT.
>
> The reason we spent so much time over RSA signature modes was precisely because this is a critical security concern and the RSA padding matters.
>
> So the rule is that when you have a signature over a digest value, you MUST always sign the data itself or a manifest that includes the digest value and the digest algorithm.
>
> ...
>
> So what I propose is we specify a proper prehash mode for Ed25519 and Ed448 and any other algorithm that doesn't provide binding of a chosen digest to the algorithm used to produce it by specifying a manifest format that can be applied generically.
>
> It does not have to be fancy; in fact I would just take the ML-DSA construction:
>
>     M' ← BytesToBits(IntegerToBytes(1, 1) ∥ IntegerToBytes(|ctx|, 1) ∥ ctx ∥ OID ∥ PH_M)
>
> And the only thing I would change there is to replace the ML-DSA version identifier with an OID off an IETF arc to denote the manifest construction.
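A worked form of the manifest construction quoted above, added here as an example for this post; it is not code from the thread, from FIPS 204 or from any Ed25519 library. It builds the M' bytes exactly as the quoted formula lays them out (domain byte, one-byte ctx length, ctx, DER-encoded hash OID, PH(M)) and shows why a verifier that recomputes M' rejects a relabelled digest algorithm: the OID and the digest are inside the signed bytes, so the signature no longer checks. Assumptions: the function names (`build_manifest`, `make_signer`, `sign_prehashed`, `verify_prehashed`, `downgrade_demo`) are mine; the `HASH_OIDS` table holds the standard NIST hash OIDs in DER form; the domain separator keeps the FIPS 204 byte 0x01 because the IETF-arc OID the proposal asks for has not been assigned; the signature primitive is Ed25519 from the third-party `cryptography` package when installed and otherwise a keyed-HMAC stand-in that only models "verification fails unless the bytes match" so the block runs on the standard library alone.

```python
import hashlib
import hmac
import os

# DER-encoded (tag + length + value) object identifiers of the prehash
# functions, the same encoding FIPS 204 places in M'. These are the standard
# NIST hash-algorithm OIDs under 2.16.840.1.101.3.4.2.
HASH_OIDS = {
    "sha256": bytes.fromhex("0609608648016503040201"),
    "sha384": bytes.fromhex("0609608648016503040202"),
    "sha512": bytes.fromhex("0609608648016503040203"),
    "sha3_256": bytes.fromhex("0609608648016503040208"),
}

# Domain separator: the "IntegerToBytes(1, 1)" of the quoted formula. The
# proposal would replace it with an OID off an IETF arc; none is assigned,
# so the FIPS 204 byte is kept here as a placeholder.
PREHASH_DOMAIN = b"\x01"


def build_manifest(ctx: bytes, hash_name: str, message: bytes) -> bytes:
    """M' = 0x01 || len(ctx) || ctx || OID(hash) || PH(message).

    The digest algorithm travels inside the bytes that get signed, so
    relabelling the digest changes M' itself rather than some side channel.
    """
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes (one-byte length)")
    if hash_name not in HASH_OIDS:
        raise ValueError(f"no OID registered for {hash_name!r}")
    ph_m = hashlib.new(hash_name, message).digest()
    return PREHASH_DOMAIN + bytes([len(ctx)]) + ctx + HASH_OIDS[hash_name] + ph_m


def make_signer():
    """Return (sign, verify) callables over raw bytes.

    Ed25519 via the `cryptography` package when available; otherwise a
    keyed-HMAC stand-in (a MAC, not a signature) so the example still runs.
    """
    try:
        from cryptography.exceptions import InvalidSignature
        from cryptography.hazmat.primitives.asymmetric import ed25519

        priv = ed25519.Ed25519PrivateKey.generate()
        pub = priv.public_key()

        def verify(m, sig):
            try:
                pub.verify(sig, m)
                return True
            except InvalidSignature:
                return False

        return priv.sign, verify
    except ImportError:
        key = os.urandom(32)  # stand-in secret, never leaves this process

        def sign(m):
            return hmac.new(key, m, "sha512").digest()

        def verify(m, sig):
            return hmac.compare_digest(sign(m), sig)

        return sign, verify


def sign_prehashed(sign, ctx, hash_name, message):
    """Signer side: sign the manifest, never the bare digest value."""
    return sign(build_manifest(ctx, hash_name, message))


def verify_prehashed(verify, ctx, hash_name, message, signature, accepted):
    """Verifier side: hash_name is whatever the verifier was told, and is
    trusted only once the signature over the manifest carrying its OID holds."""
    if hash_name not in accepted:
        return False  # local policy: refuse digests this verifier does not accept
    try:
        manifest = build_manifest(ctx, hash_name, message)
    except ValueError:
        return False
    return verify(manifest, signature)


def downgrade_demo():
    """Return (honest_result, relabelled_result) for a constructed document."""
    sign, verify = make_signer()
    doc = b"constructed sample document"  # constructed input
    accepted = {"sha256", "sha512"}
    sig = sign_prehashed(sign, b"", "sha512", doc)
    honest = verify_prehashed(verify, b"", "sha512", doc, sig, accepted)
    # The same signature presented as if it covered a SHA-256 prehash: the
    # recomputed manifest carries a different OID and digest, so it fails.
    relabelled = verify_prehashed(verify, b"", "sha256", doc, sig, accepted)
    return honest, relabelled


if __name__ == "__main__":
    print(downgrade_demo())  # (True, False)
```

The verifier never takes a digest value from the wire; it recomputes PH(M) over the document it actually has and rebuilds M' from its own copy of the OID table, which is what turns "a signature over a digest" into "a signature over the data plus the digest algorithm" as the quoted rule requires.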