IETF Logo Mail Archive

[CFRG] Re: Prehashing in EdDSA vs ML-DSA

Daniel Huigens <daniel.huigens@proton.ch> Mon, 02 September 2024 11:37 UTC

Return-Path: <daniel.huigens@proton.ch>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA47DC180B44 for <cfrg@ietfa.amsl.com>; Mon, 2 Sep 2024 04:37:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=proton.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sFT9KQv760K8 for <cfrg@ietfa.amsl.com>; Mon, 2 Sep 2024 04:37:14 -0700 (PDT)
Received: from mail-4018.proton.ch (mail-4018.proton.ch [185.70.40.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5538BC17C8A5 for <cfrg@irtf.org>; Mon, 2 Sep 2024 04:37:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.ch; s=mcho7qkupzcuhduecs6d43ijmq.protonmail; t=1725277030; x=1725536230; bh=zAAWzMMiKpOTTH+hqZciOdULDViai2Vp/N+nYWqhNzc=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=TfiqszZSUAFv98HXo6fpEGSphB9C2Usw6fbNI3ooJQg1db5OB7m7TRLXV2ZXTpWYF OH+zUEDHQRPALjMBmrJpa1qn1AIshGc6j0UiDWAmYjH/DW8Q1sJeDWPMssOBxlevci dbV8fD7r9C7TRThTgIDEc6X9PdzpFst8El3j+jcSxqxT2P5NbzvxvghIFuGl4B/2JK lLDagLQlHA/RAqF/vD+u6+DX9DwTysnZ9sADMJZXuYbU3o7V/jDhr+WJSTx5t/vV2h J7yM2rfrYl9Xt08qyE01kKxGUGxAYySKoTBOexgmwTBweTVOwIJXRbbMBEw0wShWwV 5QxOBLLiB8AUw==
Date: Mon, 02 Sep 2024 11:37:07 +0000
To: Phillip Hallam-Baker <phill@hallambaker.com>
From: Daniel Huigens <daniel.huigens@proton.ch>
Message-ID: <tB3-qv9s-8TF9KAZTsNtvLlhF3ZQ2u42UbZK7x9gm1xfuzflfBPIkjqiNgZWCGuEaXovyxv7-uLjdhlsiMfvpPLf6oZzLFeOknQhFNhTWJw=@proton.ch>
In-Reply-To: <CAMm+LwjvYL1vxNQi7y+WT4hyv0vts-=2YR=hvRBkyLLpLWQFQQ@mail.gmail.com>
References: <CAMm+LwjEgPEVViySRY1HRe2EOHSAvQsfSetvpJko7ORzcDX2BQ@mail.gmail.com> <6G17q5T00hEi3vAiSOJs5qKpkTAlaEfN3apVelFbTLKSQbXkqa-CSIa1w-HWK93gZSE3V25G_zPODhhw455OYqQmgIMk00rbYSztouk2dYg=@proton.ch> <CAMm+LwjvYL1vxNQi7y+WT4hyv0vts-=2YR=hvRBkyLLpLWQFQQ@mail.gmail.com>
Feedback-ID: 37000915:user:proton
X-Pm-Message-ID: 9b7eb3c647284965daa278e8151cf20eacdf78b7
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_iIBiXEBMywrc2T9pK4Bs3vATjFzOVpIAGompWF7dA"
Message-ID-Hash: MJW4K6VNYNOJ6LCGI2D7JCLVND7EOT2A
X-Message-ID-Hash: MJW4K6VNYNOJ6LCGI2D7JCLVND7EOT2A
X-MailFrom: daniel.huigens@proton.ch
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF SAAG <saag@ietf.org>, IRTF CFRG <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: Prehashing in EdDSA vs ML-DSA
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/hoBP7YohA_cnkCNKGNDqrL66PAA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Hi Phillip,

On Saturday, August 31st, 2024 at 04:45, Phillip Hallam-Baker wrote:

> So given content <content> there are three options. (...)
> C) Signature = MLDSApre (sk, Digest(content), DigestAlg)
> (...)
> For EdDSA, the choices are (...)
> C) Signature = EdDSApre (sk, Digest(content)) WHERE Digest MUST be the one specified.

FIPS 204 and RFC 8032 don't describe the prehash variants in terms of passing a digest, they describe it in terms of passing a message and having the signing function hash it an extra time (before passing it to the "internal" signing function).

And, when implemented that way, there's no risk of using the wrong hash algorithm (in the case of HashEdDSA), or having a mismatch between the hash algorithm used and the OID passed to the internal signing function (in the case of HashML-DSA).

> I don't think C is remotely practical. I think implementations will end up picking their own content digest. So either they use a manifest format or it will end up failing.

Most implementations of HashEdDSA I've seen either accept a message (as specified), or explicitly mention that a SHA-512 hash digest should be passed. So hopefully most callers do this correctly.

Additionally, for ML-DSA and Ed448, there's another option, as you also mentioned before:

D) Signature = {ML-DSA,Ed448}(sk, SHA3-512(content), context = "SHA3-512 hash of <content> for MyAwesomeProtocol")

... and that could work not only for OpenPGP, but seems like a sensible solution to me in general.

The theoretical downside of option B (signing a manifest without a context parameter) is that you could reuse the manifest as a message if you have another context where a message is signed directly with the same key (which I think is usually unlikely, but is the only situation where any of this matters much in the first place).

Best,
Daniel

v2.46.0 | Report a Bug | By Email | System Status