[CFRG] Re: Prehashing in EdDSA vs ML-DSA
Phillip Hallam-Baker <phill@hallambaker.com> Sat, 31 August 2024 02:45 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BC18C14F694 for <cfrg@ietfa.amsl.com>; Fri, 30 Aug 2024 19:45:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.654
X-Spam-Level:
X-Spam-Status: No, score=-1.654 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id meLkJDt34OJ3 for <cfrg@ietfa.amsl.com>; Fri, 30 Aug 2024 19:45:57 -0700 (PDT)
Received: from mail-oo1-f48.google.com (mail-oo1-f48.google.com [209.85.161.48]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F69BC14F5F8 for <cfrg@irtf.org>; Fri, 30 Aug 2024 19:45:57 -0700 (PDT)
Received: by mail-oo1-f48.google.com with SMTP id 006d021491bc7-5df9343b5b8so1548510eaf.0 for <cfrg@irtf.org>; Fri, 30 Aug 2024 19:45:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725072356; x=1725677156; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ROS9/Vx8Ke3pImN0MRtFMbS/jVBaDExoNoFXlvvl5bY=; b=hvGKZ5/P/8jIaUv5Ml8jstx6HQRqrgtKyfgQRCIZswSaYB/Y/e7lTv14pQFikU+LDg B2q0P9Q2aWs3B8f9EPvXIp7AcoSON5E+Lv68onVytXHzJIuNl6c9vbNz6N49A+ENEzN8 sfePYIWuevyohnA7k+Zsfs5TYBKt6KiIMUGEwtjYpq1wGyt3QUiTT3BvMpLvxgJTl9kX JdRUrcRJkCmMsCuWFQdbnfxWD0LsSLIvlhyqI3TvrvuM9uLGKPiQssBFvgLBXhimXcw1 CYOqrTk1iWZ48kG845wAHmY2Y6FhVQQ8ZIF2dCCSQ/rug8xpwNZnDIZNBars8dMDsYvf OTPQ==
X-Forwarded-Encrypted: i=1; AJvYcCVm3j9rmykRftTvLcMk0g4vuiUYyEgsZRlFmNKNxN01HKw5SylyIB1MKZc0vSDtiX4lczJA@irtf.org
X-Gm-Message-State: AOJu0Yww7R127/0I5ECvGdbbKZnwSoRFXvizSUrXsBs7yR8VI/4XUhGz f1z+t7lLRStwsVSH/PTtyMS1V0oHPNL8ZBLapNXFWgxs8K1y7N4VyNxqzulPLS7BplE4MyKt7HG of9EkIcyYL8hX0vtaTt8p32btaVE=
X-Google-Smtp-Source: AGHT+IFGz+n1gPcNcy32EQoqKvR8GINCfddAf2csgeEPoKA01I5xWDFtJJ9ez3TSQ+JacN5S0Q15OlwdnKD3wF3MZiU=
X-Received: by 2002:a05:6820:2292:b0:5df:9279:b0a3 with SMTP id 006d021491bc7-5dfacfc068amr4994495eaf.5.1725072356188; Fri, 30 Aug 2024 19:45:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwjEgPEVViySRY1HRe2EOHSAvQsfSetvpJko7ORzcDX2BQ@mail.gmail.com> <6G17q5T00hEi3vAiSOJs5qKpkTAlaEfN3apVelFbTLKSQbXkqa-CSIa1w-HWK93gZSE3V25G_zPODhhw455OYqQmgIMk00rbYSztouk2dYg=@proton.ch>
In-Reply-To: <6G17q5T00hEi3vAiSOJs5qKpkTAlaEfN3apVelFbTLKSQbXkqa-CSIa1w-HWK93gZSE3V25G_zPODhhw455OYqQmgIMk00rbYSztouk2dYg=@proton.ch>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 30 Aug 2024 22:45:45 -0400
Message-ID: <CAMm+LwjvYL1vxNQi7y+WT4hyv0vts-=2YR=hvRBkyLLpLWQFQQ@mail.gmail.com>
To: Daniel Huigens <daniel.huigens@proton.ch>
Content-Type: multipart/alternative; boundary="00000000000000ae1f0620f1b57b"
Message-ID-Hash: BMMOR5ESJVT6SRB5E35FTGQICEVIJ2FF
X-Message-ID-Hash: BMMOR5ESJVT6SRB5E35FTGQICEVIJ2FF
X-MailFrom: hallam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF SAAG <saag@ietf.org>, IRTF CFRG <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: Prehashing in EdDSA vs ML-DSA
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/z93eaVsA3c8G_Q4lcN20FAevKt0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
The reason pure works for OpenPGP is that they don't sign the digest, they sign a manifest (aka trailer) binding the digest to the digest algorithm. So the rule is that IF you prehash your data, you MUST use a manifest. ML-DSApre is one option for a manifest format, XML Signature JOSE and COSE also define ways to specify manifests. If you are not using ML-DSApre for the manifest, you should use ML-DSA Pure. So given content <content> there are three options. A) Signature = MLDSA (sk, content) B) Signature = MLDSA (sk, Manifest (Digest(content), DigestAlg)) C) Signature = MLDSApre (sk, Digest(content), DigestAlg) What you must not do is D) MLDS (sk, Digest(content)). If people think they need to worry about Quantum Cryptanalysis and not worry about downgrade attacks, well... For EdDSA, the choices are A) Signature = EdDSA (sk, content) B) Signature = EdDSA (sk, Manifest (Digest(content), DigestAlg)) C) Signature = EdDSApre (sk, Digest(content)) WHERE Digest MUST be the one specified. I don't think C is remotely practical. I think implementations will end up picking their own content digest. So either they use a manifest format or it will end up failing. This is probably an error that has been caught and avoided. But while we are upgrading systems to ML-DSA, we should take the time to make sure EdDSA was done right. On Fri, Aug 30, 2024 at 4:10 AM Daniel Huigens <daniel.huigens@proton.ch> wrote: > Hi Phillip, > > On Thursday, August 29th, 2024 at 18:55, Phillip Hallam-Baker wrote: > > There is a lot of confusion among implementers of [ML-DSA] and the > difference between the 'pure' and 'prehash' versions. While working on my > implementation, I am now convinced we just got it wrong in Ed25519 and > Ed448 which do things differently. > > > I personally think a lot of the confusion comes from assumptions people > are making about what the pure and prehash versions are meant to be used > for, that contradict what's actually stated in the specs (both FIPS 204 and > RFC 8032). > > The objective of [HashML-DSA] is to prevent a digest substitution attack > by binding the digest algorithm to the message digest. What it is doing in > effect is to create a manifest, prefixing a flag saying 'manifest' and > signing that with ML-DSA-Internal. > > The objective of ML-DSA PURE is to allow direct access to ML-DSA-Internal > to sign messages when the content hasn't been prehashed already. > > > That's not quite what FIPS 204 says, in fact it almost says the opposite: > > > If the content is not hashed at the application level, the pre-hash > version of ML-DSA signing may be used. > > which also implies that if the content *has* been hashed at the > application level, the pure version of ML-DSA should (or must?) be used. > > For binding the hash algorithm that was used to the (pure) ML-DSA > signature, the context parameter could be used as you suggested in the > OpenPGP thread, so using HashML-DSA isn't actually necessary for that. And > the spec also says: > > > In general, the “pure” ML-DSA version is preferred. > > This is similar to RFC 8032, by the way, which says: > > > The Ed25519ph and Ed448ph variants are prehashed. This is mainly > > useful for interoperation with legacy APIs, since in most of the > > cases, either the amount of data signed is not large or the protocol > > is in the position to do digesting in ways better than just > > prehashing (e.g., tree hashing or splitting the data). The > > prehashing also makes the functions greatly more vulnerable to > > weaknesses in hash functions used. These variants SHOULD NOT be > > used. > > (...) > > In summary, if a high 128-bit security level is enough, use of > > Ed25519 is RECOMMENDED; otherwise, Ed448 is RECOMMENDED. > > In other words, it is recommended that the protocol preprocesses the data > in some way if necessary (although preferably by tree hashing or chunking, > in the eyes of this text) and then uses PureEdDSA, rather than using > HashEdDSA. > > For Ed448, the context parameter can be used to prevent domain confusion, > same as for ML-DSA. Pure Ed25519 unfortunately doesn't have a context > parameter, so in that case protocols/applications need to be careful not to > reuse a key for signing both content and hash digests, but that's usually > not a huge ask. > > > So, even though I think it's a bit confusing that both FIPS 204 and RFC > 8032 introduce variants that they then recommend not to be used, I don't > think there's any huge issue here that needs fixing. > > Best, > Daniel > > > --- > > Daniel Huigens > Cryptography Team Lead > Proton AG > >
- [CFRG] Prehashing in EdDSA vs ML-KEM Phillip Hallam-Baker
- [CFRG] Re: Prehashing in EdDSA vs ML-KEM Deirdre Connolly
- [CFRG] Re: Prehashing in EdDSA vs ML-KEM Phillip Hallam-Baker
- [CFRG] Re: Prehashing in EdDSA vs ML-KEM Daniel Huigens
- [CFRG] Re: Prehashing in EdDSA vs ML-DSA Phillip Hallam-Baker
- [CFRG] Re: Prehashing in EdDSA vs ML-DSA Daniel Huigens
- [CFRG] Re: Prehashing in EdDSA vs ML-DSA Daniel Huigens