IETF Logo Mail Archive

Re: [CFRG] How to construct a hybrid signature combiner?

"D. J. Bernstein" <djb@cr.yp.to> Sun, 31 March 2024 19:07 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4834C14F604 for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 12:07:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W1dKFB7VQSy0 for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 12:07:19 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id BE9FEC14F5FD for <cfrg@irtf.org>; Sun, 31 Mar 2024 12:07:19 -0700 (PDT)
Received: (qmail 32511 invoked by uid 1010); 31 Mar 2024 19:07:18 -0000
Received: from unknown (unknown) by unknown with QMTP; 31 Mar 2024 19:07:18 -0000
Received: (qmail 1438474 invoked by uid 1000); 31 Mar 2024 19:07:07 -0000
Date: Sun, 31 Mar 2024 19:07:07 -0000
Message-ID: <20240331190707.1438472.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <ZgmNDS1g9GLNl_FB@LK-Perkele-VII2.locald>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/xv7V8WdxHgjk8AANjvp4pik-Aeo>
Subject: Re: [CFRG] How to construct a hybrid signature combiner?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 19:07:20 -0000

Ilari Liusvaara writes:
> "only having message signatures" means not having the raw message (m)
> in the tuple.

Thanks for the clarification. All of the hybrid-signature proposals that
I've seen have m in the tuple when the input signature systems do, and
I'm happy skipping things like RSA-with-message-recovery as an option.

But let me emphasize that the API considerations still put a constraint
on how the combiner works. Here are two simple examples (no extra
hashing) to illustrate this.

Example 1: Suppose we apply the SUPERCOP-et-al. crypto_sign() interface
first for Ed25519 and then for whichever post-quantum system:

   * Ed25519 signs the original message m, producing a signed message.

   * The post-quantum system signs the result, producing a double-signed
     message.

Verification works the same way in reverse, applying crypto_sign_open()
first for the post-quantum system and then for Ed25519.

What happens if people want to use the same double-signature system but
with detached-signature interfaces?

   * Ed25519 is compatible with that: a signed message looks like
     (s1,m), and a detached-signature interface returns s1 separately.

   * Let's assume the post-quantum system has the same form: starting
     from the input (s1,m), it produces a signed message (s2,s1,m); a
     detached-signature interface returns s2 separately.

The combiner then looks like this: first obtain a detached signature s1
of m, and then obtain a detached signature s2 of (s1,m), and then return
(s2,s1).

In short, Example 1 is compatible with both types of interfaces.

Example 2: Suppose you instead ask for detached signatures s1 and s2 of
m under Ed25519 and the post-quantum system respectively, and return
(s2,s1) as a signature.

There's one critical difference from Example 1: in Example 2, s2 is a
signature on m rather than on (s1,m).

Now what happens if people want to use safer signed-message interfaces?
Well, let's see:

   * Calling an Ed25519 signed-message interface produces a signed
     version of m. Easy.

   * Calling a signed-message interface for the post-quantum system
     produces a signed version of m. Also easy.

   * But, hmmm, how does the combiner put the two signed messages
     together? It has to break the signed-message encapsulation,
     extracting s2 from the second signed message (s2,m), so that it
     can return (s2,s1,m).

The difficulty here is directly connected to the reason that signed
messages are a safer interface than detached signatures. Sure, having a
signature as a separate object next to an unchanged message makes
Example 2 work straightforwardly, but that's also exactly what makes it
trivial for people to forget to verify the signature.

In short, Example 2 is compatible with a detached-signature interface
but not compatible with a safer signed-message interface.

A separate advantage of Example 1, as I mentioned before, is that the
attacker has to break the outer signature system before being able to
feed forgeries to the inner signature system. I think we're on the verge
of having everyone suddenly using formally verified Ed25519 software,
but that's not the current situation; why give the attacker extra
flexibility?

> Another API consideration: That (s2,s1,r,h) needs to be packed as a
> byte string.

Definitely. We managed to get all the post-quantum signature systems
providing a wire-format interface already. A few systems have
variable-length signatures, but I think that it's just fine for a
combiner to insist on fixed-length signatures.

---D. J. Bernstein

v2.23.0 | Report a Bug | By Email