Re: [CFRG] How to construct a hybrid signature combiner?
Simon Josefsson <simon@josefsson.org> Mon, 25 March 2024 16:51 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E631C15199A for <cfrg@ietfa.amsl.com>; Mon, 25 Mar 2024 09:51:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="wXSPm+2a"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="P1H70Qtn"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rXesCBFTabFt for <cfrg@ietfa.amsl.com>; Mon, 25 Mar 2024 09:51:40 -0700 (PDT)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0D7CC151998 for <cfrg@irtf.org>; Mon, 25 Mar 2024 09:51:38 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding :Content-ID:Content-Description; bh=ZKuphxZ80LmYjfTqHdIg32Sne7C7+ThJ6VKII4uukx4=; t=1711385490; x=1712595090; b=wXSPm+2aM2wb64YhU12kojpEzkxwyaIzaa2Dsz0IRws7gRJ8oSvnCEHUT7DwTCc7DrXuNo3S5qi vMnvVVtIhBQ==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:To:From:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description; bh=ZKuphxZ80LmYjfTqHdIg32Sne7C7+ThJ6VKII4uukx4=; t=1711385490; x=1712595090; b=P1H70QtnxtjKXI26SlMsZHagu8RF+aRiBbLvSmlI8mGr0YTGk6FiY5GP6OsZmye21ViFr2fYZLG O2jcsctm2zAFoUdTev2FctTnzWWMxfvd2HMTcaDjdEUrv1Vv3CNoKMvec5IeHCX/RouYppWJKYXz3 i+8M2E30/SXZoqf2pKLZchcL81B20oDTvl2WnG5WhcCvaL7M5Uws0/NRQydyidn/bNQDPcmgkRY+5 w2vbPElLngJnrGdz/n0T3b5l+DvIgEwd69xnlvoAEwPcktUQOAFlz1JeXHvL1mBQbIFoen7ghBEcl b76KxmHZCgwT47kev7+W38/Fi+pc2+exNgUhgYeL626BWKc52hndfFTeL57Xk8x1iiP/1SUsEpfPZ 4hRwERyWeffZJPkSGQAgO5+UjXDJoKw7vE71JFjIrBxp06QvPWs2G6aehGoWV6+Pu1zhF1x57;
Received: from [2001:9b1:41ac:ff00:823f:5dff:fe09:16ac] (port=57264 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1ronXi-005Oll-5I for cfrg@irtf.org; Mon, 25 Mar 2024 16:51:26 +0000
From: Simon Josefsson <simon@josefsson.org>
To: cfrg@irtf.org
References: <87o7b6szhh.fsf@kaka.sjd.se> <20240325092711.964864.qmail@cr.yp.to>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:240325:cfrg@irtf.org::Y8LCV9gvw3tflMHG:ckr6
Date: Mon, 25 Mar 2024 17:51:20 +0100
In-Reply-To: <20240325092711.964864.qmail@cr.yp.to> (D. J. Bernstein's message of "25 Mar 2024 09:27:11 -0000")
Message-ID: <87le66w8zb.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/jUiI8oyysA50nXqPWLdfx7jXcv4>
Subject: Re: [CFRG] How to construct a hybrid signature combiner?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2024 16:51:46 -0000
"D. J. Bernstein" <djb@cr.yp.to> writes: > A combiner proposal that combines (ahem) all of the above is for a > signed message to be (s2,s1,r,h,m) where > > m = the message being signed, > r = H(fresh randomness chosen during signing), > h = H(r,H(hybridpk),hybridsigname,appname,appcontext,m), > s1 = Ed25519 signature of (r,h), > s2 = post-quantum signature of (s1,r,h), > H = SHA3-256. Thanks, this was exactly what I was hoping to see -- this looks reasonable easy to describe and implement, assuming its security holds if Ed25519 is replaced with RSA or ECDSA? And doesn't require anything from not normally assumed from the post-quantum signature scheme. Now all we need is a name... Ilari Liusvaara <ilariliusvaara@welho.com> writes: >> One more recommendation is to include the signature-system name and >> application name as extra hash inputs (along with any context specified >> by the application), in a way that can be uniquely parsed across >> applications, so that signatures can't be moved across protocols. > > That has been tried. Turned out to be a major mistake. There are good arguments on both sides here -- however what I haven't seen proposed is a compromise solution: allow protocols to provide a context name but have the signature combiner provide a default one if the application protocol doesn't supply it. This solves the API problem of libraries/applications not knowing what to put in that field when it is not specified, but still offers domain-separation for the situations that care about it. Would this address these concerns? What other disadvantages have we learned about context strings? /Simon
- [CFRG] How to construct a hybrid signature combin… Simon Josefsson
- Re: [CFRG] [EXTERNAL] How to construct a hybrid s… Mike Ounsworth
- Re: [CFRG] How to construct a hybrid signature co… D. J. Bernstein
- Re: [CFRG] How to construct a hybrid signature co… Ilari Liusvaara
- Re: [CFRG] How to construct a hybrid signature co… D. J. Bernstein
- Re: [CFRG] How to construct a hybrid signature co… Simon Josefsson
- Re: [CFRG] How to construct a hybrid signature co… Ilari Liusvaara
- Re: [CFRG] How to construct a hybrid signature co… D. J. Bernstein
- Re: [CFRG] How to construct a hybrid signature co… Loganaden Velvindron