[jose] Re: [lamps] Re: [CFRG] Do we have unsafe uses of Ed448 and Ed25519? Fix Ed448?
"Markku-Juhani O. Saarinen" <mjos.crypto@gmail.com> Thu, 12 September 2024 19:20 UTC
Return-Path: <mjos.crypto@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC05DC14F6B5; Thu, 12 Sep 2024 12:20:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eiCj9MXwBsSS; Thu, 12 Sep 2024 12:20:13 -0700 (PDT)
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49017C14F61D; Thu, 12 Sep 2024 12:20:13 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id d2e1a72fcca58-718a3b8a2dcso163459b3a.2; Thu, 12 Sep 2024 12:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726168813; x=1726773613; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ToSz4ksq5uEuJNQ0JrGfe54hn4oISzPfr33k2IWI/BE=; b=MDbaP1GwlPtTflRJ5X9mdVRdDsUHgakGjFmmkHc4hVneHwsf8EEucuPsLC2bpL6mLV bhbdl4HKK+IuUK+1jkUE94zTmVb307WaSJkdd5hEIOm3P2aOUbnOkzuQa7/ScrkMaVg7 Q/oBNZf1tbj4TCBNRnzATsHxzWiBIHqQBI3MpmYMAPVrN1+4V9EZ1MfOac9yyvdg1V7l u4r2qMZAMOebd8DHbYwLyqC+MxNmI/murs1tJlsImwV5oML/B2v59BgA+iLEotmgqElm EpkFpmRLhusa2UwGGDymhyfFlKS3aa0MK5Vn5BHvML7V6u5DbJ7pWQtWAAgtwQp/iSQA 522A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726168813; x=1726773613; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ToSz4ksq5uEuJNQ0JrGfe54hn4oISzPfr33k2IWI/BE=; b=ZJps8Z62KD7pHsPGdJ+J0S/LUdY7MpNiV7QDyo6NN5FC/guxO0FFj6utNffU7ITzPf y5v4f+VuRTE9r4FFwhhaR+neQ08kppmQ/yacxQtHzGXmRr10Ee/dxxnWk1OcncHLnYyU grMhKvUnAv/b4R3do5V4R74XhSLLLMn2/2USRVtTelPYDkz77bARJQq5tO5aNyxQ/PXn xySSKV+hp49AXLTomxJqmXoxDqXCF9bbFr4uP5tI+/OBBo34XmAQ/pFWFmZgDnevypbT LRuzbIx2t46SwKUhZWT4GAvyG6s2Gv2dxa/owAncJxI1hv0OoarR7tuWohCDDtMiajXJ R/ig==
X-Forwarded-Encrypted: i=1; AJvYcCUDdY73AKqKlOjBMZ8XCFwnD8ZMAkRxOyufwtXeqfWCjRhiacT+p4FX+VF4YStTzwziOf6HVw==@ietf.org, AJvYcCVaHkBFofVvz6QGEary+5IFx6+WXNQDPOXrH0KGWPglvPJgThRxxd3NG9DfrKN/aclt8hvZPQ==@ietf.org, AJvYcCXXdpJgj7nNwlqViubMRZjp1DUvx516nXkffhzvG5j8mFge/B1iUtmUw4aR22rAYiSfIyKK7A==@ietf.org
X-Gm-Message-State: AOJu0Yz/N1kVYJHGY3rcHq6HBeV+lbhqrb9qI0yVMrvPfX5JmsWnd2cm E21TiDDK/iEl2uv5XqtU3CgbJXOg+i4DEbmW9zK/qvk5VHkNW/uMWPHwh4LLpIHajNxStxCB7Dn 3GPIPMoDaQorAOEn++kZX6VAKV4aaVu+spQQ=
X-Google-Smtp-Source: AGHT+IFH19lLP7BlD3onxNyvqws4ZvHKpU7wlmhA83qUpEwb9+zzn6ZDy0MQUML8sNwb4otgcqpXEBe/4d/g1lggrBo=
X-Received: by 2002:a05:6a00:997:b0:719:20b0:d041 with SMTP id d2e1a72fcca58-71936a49390mr412782b3a.10.1726168812622; Thu, 12 Sep 2024 12:20:12 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+Lwhqn4Jb6+ngpn7XgewMPhp_m30sVmHHWpGOzgQL-Jb-Gg@mail.gmail.com> <7UBoaC8dyojecRBPaTY-ox4-kUc97lmYVs7CCbK1-pSSOGciGEGpMDrmbtcvXaVwck_g450IA1NkMmeu4drw-TsIJbANOyNJTk85HTRSgLA=@proton.ch> <CAMm+LwgWerSbRAg01jYbRDEbcD5U1tzmLJFS0SQ-BhYRt3zEHA@mail.gmail.com> <EFRK10NjF9PY9HVQWEHtO59GMQTpUu2nJ1bFb3_DLRzAwo6Wr-tiWMqXmsZbCQHeYzQ9lsqDzNWf_vjndqDseaexeBLAnbpy0WsfRFMAONE=@proton.ch>
In-Reply-To: <EFRK10NjF9PY9HVQWEHtO59GMQTpUu2nJ1bFb3_DLRzAwo6Wr-tiWMqXmsZbCQHeYzQ9lsqDzNWf_vjndqDseaexeBLAnbpy0WsfRFMAONE=@proton.ch>
From: "Markku-Juhani O. Saarinen" <mjos.crypto@gmail.com>
Message-ID: <CA+iU_qnb6xhqrFOoB3nxxCPqTrrJh7xLOPwPAg8yTsaSEbaEUg@mail.gmail.com>
To: Daniel Huigens <daniel.huigens=40proton.ch@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6203a0621f0fe16"
X-MailFrom: mjos.crypto@gmail.com
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0
Message-ID-Hash: WPCAOSCCACEPLYHS74J7YOWAGV2QBNV3
X-Message-ID-Hash: WPCAOSCCACEPLYHS74J7YOWAGV2QBNV3
X-Mailman-Approved-At: Sat, 14 Sep 2024 12:49:15 -0700
CC: Phillip Hallam-Baker <phill@hallambaker.com>, IRTF CFRG <cfrg@irtf.org>, jose@ietf.org, cose WG <cose@ietf.org>, SPASM <SPASM@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: [lamps] Re: [CFRG] Do we have unsafe uses of Ed448 and Ed25519? Fix Ed448?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/3M-8GcwoI56tMwohVeN1PxmfQC8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
Date: Thu, 12 Sep 2024 19:20:14 -0000
X-Original-Date: Thu, 12 Sep 2024 19:20:01 +0000
Hi Daniel, Note the FIPS 204 comment *"message representative that may optionally be computed in a different cryptographic module"* on line #6 of ML-DSA.Sign_internal (Alg 7.) and on line #7 of ML-DSA.Verify_internal (Alg. 8). If the "mu" hash (message representative) can be computed in a different module, so can the hashes that are used to build "mu" in both prehash and pure versions. I've asked NIST for little clarification on this bit, as it indeed somewhat violates some other language in the spec wrt allowed interfaces. But -- If you're signing a hash from an another module within your security boundary, you should be okay. If I'm using a private key on a smart card to sign a 10-gig firmware update, I'm not going to pump the entire thing through the smart card it to hash it, but compute the hash on a PC that has a secure link with the smart card. (This is a very real-life use case.) Cheers, -markku Dr. Markku-Juhani O. Saarinen <mjos@iki.fi> On Thu, Sep 12, 2024 at 6:43 PM Daniel Huigens <daniel.huigens= 40proton.ch@dmarc.ietf.org> wrote: > Hi Phillip, > > On Thursday, September 12th, 2024 at 19:48, Phillip Hallam-Baker wrote: > > The underlying problem here and the one that I think is causing the > confusion is that Ed448 or ML-DSA both specify a mode that is being refered > to as 'prehashed' but they are not the same thing. ML-DSA is a mode that > turns ML-DSA into a drop in replacement for RSA with the exact same > affordances: bring your existing hash and it gets signed. Ed448 is 'hash > your data with SHAKE256 and give me that digest'. > > > That is not what the specs say. Both FIPS 204 and RFC 8032 say that the > pre-hash variant accepts a *message* (not a hash of a message) and hashes > the message (inside the function) before passing it to the internal signing > function. The only difference is that HashML-DSA also has a parameter to > say which hash function should be used, whereas in HashEdDSA it's hardcoded. > > Of course, you *could* reinterpret the functions that the specs define as > ones that accept a hash digest, and implement it that way, but then *that* is > what introduces the risk of using the wrong hash function, not the way > they're defined in the specs. > > And note that strictly speaking, this risk exists for both algorithms, if > you implement it like that: it's then equally possible in HashML-DSA to > pass a hash digest generated using a hash function that doesn't match the > one you say you used, as it is in HashEdDSA to use a hash function > different than the one that the documentation says to use. > > --- > > I actually think a lot of this confusion comes from naming: if they had > called HashML-DSA and HashEdDSA the "additional hash variants", or > "one-pass/streaming variants", rather than the "pre-hash variants", it > would have been clearer; and the term "pre-hash*ed* variants" could then > be used for the variant where you pass a hash digest rather than a message > (if we need such a construct at all, that is - as again I'd argue that in > that case you can just use the pure variant with a context string). > > Best, > Daniel > > _______________________________________________ > Spasm mailing list -- spasm@ietf.org > To unsubscribe send an email to spasm-leave@ietf.org >
- [jose] Do we have unsafe uses of Ed448 and Ed2551… Phillip Hallam-Baker
- [jose] Re: [CFRG] Do we have unsafe uses of Ed448… Daniel Huigens
- [jose] Re: [CFRG] Do we have unsafe uses of Ed448… Phillip Hallam-Baker
- [jose] Re: [CFRG] Do we have unsafe uses of Ed448… Daniel Huigens
- [jose] Re: [lamps] Re: [CFRG] Do we have unsafe u… Markku-Juhani O. Saarinen
- [jose] Re: [lamps] Re: [CFRG] Do we have unsafe u… Daniel Huigens