[jose] Re: [CFRG] Do we have unsafe uses of Ed448 and Ed25519? Fix Ed448?

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 12 September 2024 17:49 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CD8BC14F701; Thu, 12 Sep 2024 10:49:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.654
X-Spam-Level:
X-Spam-Status: No, score=-1.654 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LZ8BzmRiDW0g; Thu, 12 Sep 2024 10:49:03 -0700 (PDT)
Received: from mail-oa1-f46.google.com (mail-oa1-f46.google.com [209.85.160.46]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A967CC14F6E1; Thu, 12 Sep 2024 10:49:03 -0700 (PDT)
Received: by mail-oa1-f46.google.com with SMTP id 586e51a60fabf-277c742307fso513439fac.2; Thu, 12 Sep 2024 10:49:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726163343; x=1726768143; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HHDHt53ChWJ/BJ/7/UCEEBnpi8SZSkYeXqfPr+0n7+s=; b=K+UYo0+tgVrv3f75NSBC9SdkZXQNU14mC7gIWtt/9l5ThS4k/ImasZlxyvhnuwBR5o ezinkE7Nk5VTUuD/J1qrAZZtzFSC6nNtnjLYLguyKQ8TFbdBqIf6QDXJxFi2nmYUVHog K33MAv/rXhxF55WD0WDFYc1mVtxbR2hAj3o1sikanXSA0b2XH+VlkTx8HSpi37zAuePJ dlAZMMMIZc01qya7YzN+VuHdCelmNf3KdGnccJC6iG7Q9J6OGq3iqcuFxDRaLESb7N6V fZw8HKwhl8v2s5DaNzXVZGwvGd4TiFreXjExx0lcwnwJaf6x2EstsvwZENpBueUBRlgx VPLQ==
X-Forwarded-Encrypted: i=1; AJvYcCUqz4WQ1g4exp8WFurxvd00bewf3bc8UhgmI6obLH4NJwU15+GQBH9jz+HqcAV4ba6fCCuNIQ==@ietf.org, AJvYcCXDQcSNR3uSR44GxIh16YH1QDvP47WXWCBDJNVFHavsfkS4scCWoa17TV+/3r+niVFbmSCaRg==@ietf.org, AJvYcCXrJArazEOYnI419DFyYaYShR+IApekcJL/kC5a0IQUmPzIQFWpLz1TID6163rYG+NqO0se+Q==@ietf.org
X-Gm-Message-State: AOJu0YydV8tst4esfc8MpAejgrbQ+Z4x6mwdm+GUyx2e50J8SDXG8u4C LkksOpeHDu6FOmITR8yvBql3P+hUsiHE+4A8bTezPgggCkF3cx214VXiBEzuqVsqn3TvJ/+c2IZ V0oZxkuNLjEMoPlZkeQKsVEmNVl8F1MXs
X-Google-Smtp-Source: AGHT+IHl9r7KCuxE3jbKZnEsbY/RrZpSrOZtvz6xffkDB7L+OxKt8lwf9Efbuz/KmUIaHKB72WqO0HmY8230baYlB4A=
X-Received: by 2002:a05:6870:f702:b0:277:e35a:d2d5 with SMTP id 586e51a60fabf-27c3f6a6e8dmr2167742fac.47.1726163342732; Thu, 12 Sep 2024 10:49:02 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+Lwhqn4Jb6+ngpn7XgewMPhp_m30sVmHHWpGOzgQL-Jb-Gg@mail.gmail.com> <7UBoaC8dyojecRBPaTY-ox4-kUc97lmYVs7CCbK1-pSSOGciGEGpMDrmbtcvXaVwck_g450IA1NkMmeu4drw-TsIJbANOyNJTk85HTRSgLA=@proton.ch>
In-Reply-To: <7UBoaC8dyojecRBPaTY-ox4-kUc97lmYVs7CCbK1-pSSOGciGEGpMDrmbtcvXaVwck_g450IA1NkMmeu4drw-TsIJbANOyNJTk85HTRSgLA=@proton.ch>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 12 Sep 2024 13:48:51 -0400
Message-ID: <CAMm+LwgWerSbRAg01jYbRDEbcD5U1tzmLJFS0SQ-BhYRt3zEHA@mail.gmail.com>
To: Daniel Huigens <daniel.huigens@proton.ch>
Content-Type: multipart/alternative; boundary="000000000000de35080621efb8fc"
Message-ID-Hash: 56O2USBBELUEFQVMJZUUFKQYXQ3QKTNL
X-Message-ID-Hash: 56O2USBBELUEFQVMJZUUFKQYXQ3QKTNL
X-MailFrom: hallam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IRTF CFRG <cfrg@irtf.org>, jose@ietf.org, cose WG <cose@ietf.org>, SPASM <SPASM@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: [CFRG] Do we have unsafe uses of Ed448 and Ed25519? Fix Ed448?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/QE_GHtSe3A6p8MR6ch85AVmop1U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

On Wed, Sep 11, 2024 at 3:59 AM Daniel Huigens <daniel.huigens@proton.ch>
wrote:

> Hi Phillip,
>
> I know you said you'd write a separate email about the context parameter
> but as I wrote before I think it can be used to solve the issue you're
> describing here too.
>
> In particular, if you call Ed448(sk, SHA3-512(content), context =
> "SHA3-512 hash of <content type> for MyAwesomeApplication") then there's
> no risk of reusing the same signature with a different hash algorithm, or a
> different type of content, or an entirely different application (although
> as you said we shouldn't be sharing keys between applications anyway).
>
> The same is possible with ML-DSA and Ed25519ctx. So, I don't think there's
> a need to introduce new variants.
>
> The pre-hash variants of EdDSA are also already more poorly supported than
> the pure variants, and any new variants are even less likely to be
> well-supported (and thus be used to solve this problem).
>
> Of course, this doesn't answer the question of whether there are unsafe
> uses of Ed448 and Ed25519, but if there are, I think it's easier to tell
> applications to add a context parameter than to use an entirely new variant.
>

At the code level, all these various digest modes all come down to the same
thing

SignInner (  Digest ( <preamble> T<thingsigned> <postamble>))

Where 'preamble' and 'postamble' are specified by the signature algorithm
and  T<thingsigned>  is some serialization of some stuff and either the
data itself or the digest of the data.

If we go down to the bytes of Ed448 or ML-DSA, these arguments turn into
arguments over whether to shift bytes a slot to the left or the right and
whether to use <data> or { H<data>, id(H)) to bind to the thing signed.


And I came up with the exact construct you did and it works fine for Ed448.
But it does not provide for a consistent use of the context slot across all
signature algorithms. My theory of the context parameter is really the
rationale for rejecting that approach.

The underlying problem here and the one that I think is causing the
confusion is that Ed448 or ML-DSA both specify a mode that is being
refered to as 'prehashed' but they are not the same thing. ML-DSA is a mode
that turns ML-DSA into a drop in replacement for RSA with the exact same
affordances: bring your existing hash and it gets signed. Ed448 is 'hash
your data with SHAKE256 and give me that digest'.

And the problem that confusion leads to is people who have a SHA-2-256
digest are likely to end up using the 'prehash' mode thinking it gives them
an assurance it does not.

This hasn't been a problem up to now because Ed25519/Ed448 haven't been
getting a lot of use in situations where the distinction matters and
Ed448ph/Ed25519ph were the only things of their kind. Now we are going to
have people writing code that supports ML-DSA/KEM, I think it very likely
we are going to see increased takeup of Ed/X448 at the same time.