[CFRG] Re: Prehashing in EdDSA vs ML-KEM
Daniel Huigens <daniel.huigens@proton.ch> Fri, 30 August 2024 08:10 UTC
Return-Path: <daniel.huigens@proton.ch>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DDFAC14F6A9 for <cfrg@ietfa.amsl.com>; Fri, 30 Aug 2024 01:10:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=proton.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VoirjXxqbza2 for <cfrg@ietfa.amsl.com>; Fri, 30 Aug 2024 01:10:27 -0700 (PDT)
Received: from mail-4317.proton.ch (mail-4317.proton.ch [185.70.43.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90DBEC15155A for <cfrg@irtf.org>; Fri, 30 Aug 2024 01:10:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.ch; s=5ds6xbuowncwnltghmhgsu25re.protonmail; t=1725005424; x=1725264624; bh=HnOeuOacOzsoZSLjk43bAHE+nwDwCQoSSnOmyETWm/w=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=UnMcPd480wZbGg7ibOYZZZSHUvo6szyjZHxjmzB0YEkLj9JYuTfDYTYDGRGRH6qMF frUFP2aVzZU+5h3sGqzXcXS9JTR++bz5m3W929QECuOg4ZTBKfaDjjiKwHfz63vjJ+ cWnpOx74eo5dNebGCr+aUjN0zhuokeMqfcAZJd62eWa8SvG8ajxjcMJUPbyAEVVb7D CohFVqAFGe49EouW8IpLpbG61HChoJcMsDLa4ZJ53U8GFxoyhXy7ZTnRJJqf//n0qr oywVn04hvPKmvriRHoIBnxtYNakT18g0OmWV9XAxX95O6m/OqgtKsNY5VIL98jGqti JXrORN0yoE1Wg==
Date: Fri, 30 Aug 2024 08:10:19 +0000
To: Phillip Hallam-Baker <phill@hallambaker.com>
From: Daniel Huigens <daniel.huigens@proton.ch>
Message-ID: <6G17q5T00hEi3vAiSOJs5qKpkTAlaEfN3apVelFbTLKSQbXkqa-CSIa1w-HWK93gZSE3V25G_zPODhhw455OYqQmgIMk00rbYSztouk2dYg=@proton.ch>
In-Reply-To: <CAMm+LwjEgPEVViySRY1HRe2EOHSAvQsfSetvpJko7ORzcDX2BQ@mail.gmail.com>
References: <CAMm+LwjEgPEVViySRY1HRe2EOHSAvQsfSetvpJko7ORzcDX2BQ@mail.gmail.com>
Feedback-ID: 37000915:user:proton
X-Pm-Message-ID: 7d5597a7cb710618c87b4dc40e23cb8b35b279dd
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_ps9IkHkjAlQZZzBwwRN6rZuMsRK4RxCxovFdtPw1an4"
Message-ID-Hash: MOKLK47VY655QJNUGKN2VUDPRDIERJRD
X-Message-ID-Hash: MOKLK47VY655QJNUGKN2VUDPRDIERJRD
X-MailFrom: daniel.huigens@proton.ch
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF SAAG <saag@ietf.org>, IRTF CFRG <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: Prehashing in EdDSA vs ML-KEM
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mlTA-elukj8jftwagqHyx0_294U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
Hi Phillip, On Thursday, August 29th, 2024 at 18:55, Phillip Hallam-Baker wrote: > There is a lot of confusion among implementers of [ML-DSA] and the difference between the 'pure' and 'prehash' versions. While working on my implementation, I am now convinced we just got it wrong in Ed25519 and Ed448 which do things differently. I personally think a lot of the confusion comes from assumptions people are making about what the pure and prehash versions are meant to be used for, that contradict what's actually stated in the specs (both FIPS 204 and RFC 8032). > The objective of [HashML-DSA] is to prevent a digest substitution attack by binding the digest algorithm to the message digest. What it is doing in effect is to create a manifest, prefixing a flag saying 'manifest' and signing that with ML-DSA-Internal. > > The objective of ML-DSA PURE is to allow direct access to ML-DSA-Internal to sign messages when the content hasn't been prehashed already. That's not quite what FIPS 204 says, in fact it almost says the opposite: > If the content is not hashed at the application level, the pre-hash version of ML-DSA signing may be used. which also implies that if the content has been hashed at the application level, the pure version of ML-DSA should (or must?) be used. For binding the hash algorithm that was used to the (pure) ML-DSA signature, the context parameter could be used as you suggested in the OpenPGP thread, so using HashML-DSA isn't actually necessary for that. And the spec also says: > In general, the “pure” ML-DSA version is preferred. This is similar to RFC 8032, by the way, which says: > The Ed25519ph and Ed448ph variants are prehashed. This is mainly > useful for interoperation with legacy APIs, since in most of the > cases, either the amount of data signed is not large or the protocol > is in the position to do digesting in ways better than just > prehashing (e.g., tree hashing or splitting the data). The > prehashing also makes the functions greatly more vulnerable to > weaknesses in hash functions used. These variants SHOULD NOT be > used. > (...) > In summary, if a high 128-bit security level is enough, use of > Ed25519 is RECOMMENDED; otherwise, Ed448 is RECOMMENDED. In other words, it is recommended that the protocol preprocesses the data in some way if necessary (although preferably by tree hashing or chunking, in the eyes of this text) and then uses PureEdDSA, rather than using HashEdDSA. For Ed448, the context parameter can be used to prevent domain confusion, same as for ML-DSA. Pure Ed25519 unfortunately doesn't have a context parameter, so in that case protocols/applications need to be careful not to reuse a key for signing both content and hash digests, but that's usually not a huge ask. So, even though I think it's a bit confusing that both FIPS 204 and RFC 8032 introduce variants that they then recommend not to be used, I don't think there's any huge issue here that needs fixing. Best, Daniel --- Daniel Huigens Cryptography Team LeadProton AG
- [CFRG] Prehashing in EdDSA vs ML-KEM Phillip Hallam-Baker
- [CFRG] Re: Prehashing in EdDSA vs ML-KEM Deirdre Connolly
- [CFRG] Re: Prehashing in EdDSA vs ML-KEM Phillip Hallam-Baker
- [CFRG] Re: Prehashing in EdDSA vs ML-KEM Daniel Huigens
- [CFRG] Re: Prehashing in EdDSA vs ML-DSA Phillip Hallam-Baker
- [CFRG] Re: Prehashing in EdDSA vs ML-DSA Daniel Huigens
- [CFRG] Re: Prehashing in EdDSA vs ML-DSA Daniel Huigens