Re: [CFRG] How to construct a hybrid signature combiner?
"D. J. Bernstein" <djb@cr.yp.to> Sun, 31 March 2024 19:07 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4834C14F604 for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 12:07:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W1dKFB7VQSy0 for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 12:07:19 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id BE9FEC14F5FD for <cfrg@irtf.org>; Sun, 31 Mar 2024 12:07:19 -0700 (PDT)
Received: (qmail 32511 invoked by uid 1010); 31 Mar 2024 19:07:18 -0000
Received: from unknown (unknown) by unknown with QMTP; 31 Mar 2024 19:07:18 -0000
Received: (qmail 1438474 invoked by uid 1000); 31 Mar 2024 19:07:07 -0000
Date: Sun, 31 Mar 2024 19:07:07 -0000
Message-ID: <20240331190707.1438472.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <ZgmNDS1g9GLNl_FB@LK-Perkele-VII2.locald>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/xv7V8WdxHgjk8AANjvp4pik-Aeo>
Subject: Re: [CFRG] How to construct a hybrid signature combiner?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 19:07:20 -0000
Ilari Liusvaara writes: > "only having message signatures" means not having the raw message (m) > in the tuple. Thanks for the clarification. All of the hybrid-signature proposals that I've seen have m in the tuple when the input signature systems do, and I'm happy skipping things like RSA-with-message-recovery as an option. But let me emphasize that the API considerations still put a constraint on how the combiner works. Here are two simple examples (no extra hashing) to illustrate this. Example 1: Suppose we apply the SUPERCOP-et-al. crypto_sign() interface first for Ed25519 and then for whichever post-quantum system: * Ed25519 signs the original message m, producing a signed message. * The post-quantum system signs the result, producing a double-signed message. Verification works the same way in reverse, applying crypto_sign_open() first for the post-quantum system and then for Ed25519. What happens if people want to use the same double-signature system but with detached-signature interfaces? * Ed25519 is compatible with that: a signed message looks like (s1,m), and a detached-signature interface returns s1 separately. * Let's assume the post-quantum system has the same form: starting from the input (s1,m), it produces a signed message (s2,s1,m); a detached-signature interface returns s2 separately. The combiner then looks like this: first obtain a detached signature s1 of m, and then obtain a detached signature s2 of (s1,m), and then return (s2,s1). In short, Example 1 is compatible with both types of interfaces. Example 2: Suppose you instead ask for detached signatures s1 and s2 of m under Ed25519 and the post-quantum system respectively, and return (s2,s1) as a signature. There's one critical difference from Example 1: in Example 2, s2 is a signature on m rather than on (s1,m). Now what happens if people want to use safer signed-message interfaces? Well, let's see: * Calling an Ed25519 signed-message interface produces a signed version of m. Easy. * Calling a signed-message interface for the post-quantum system produces a signed version of m. Also easy. * But, hmmm, how does the combiner put the two signed messages together? It has to break the signed-message encapsulation, extracting s2 from the second signed message (s2,m), so that it can return (s2,s1,m). The difficulty here is directly connected to the reason that signed messages are a safer interface than detached signatures. Sure, having a signature as a separate object next to an unchanged message makes Example 2 work straightforwardly, but that's also exactly what makes it trivial for people to forget to verify the signature. In short, Example 2 is compatible with a detached-signature interface but not compatible with a safer signed-message interface. A separate advantage of Example 1, as I mentioned before, is that the attacker has to break the outer signature system before being able to feed forgeries to the inner signature system. I think we're on the verge of having everyone suddenly using formally verified Ed25519 software, but that's not the current situation; why give the attacker extra flexibility? > Another API consideration: That (s2,s1,r,h) needs to be packed as a > byte string. Definitely. We managed to get all the post-quantum signature systems providing a wire-format interface already. A few systems have variable-length signatures, but I think that it's just fine for a combiner to insist on fixed-length signatures. ---D. J. Bernstein
- [CFRG] How to construct a hybrid signature combin… Simon Josefsson
- Re: [CFRG] [EXTERNAL] How to construct a hybrid s… Mike Ounsworth
- Re: [CFRG] How to construct a hybrid signature co… D. J. Bernstein
- Re: [CFRG] How to construct a hybrid signature co… Ilari Liusvaara
- Re: [CFRG] How to construct a hybrid signature co… D. J. Bernstein
- Re: [CFRG] How to construct a hybrid signature co… Simon Josefsson
- Re: [CFRG] How to construct a hybrid signature co… Ilari Liusvaara
- Re: [CFRG] How to construct a hybrid signature co… D. J. Bernstein
- Re: [CFRG] How to construct a hybrid signature co… Loganaden Velvindron