[openpgp] Re: pure vs. pre-hash in FIPS 204 and 205
Simo Sorce <simo@redhat.com> Fri, 30 August 2024 18:58 UTC
From: Simo Sorce <simo@redhat.com>
To: Daniel Huigens <d.huigens@protonmail.com>
Date: Fri, 30 Aug 2024 14:58:01 -0400
CC: Andrew Gallagher <andrewg@andrewg.com>, Akhil CM <akhilacm@proton.me>, "openpgp@ietf.org" <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/1_8SoxAXIQJdVncGhXnFUrWkDLQ>

On Fri, 2024-08-30 at 15:59 +0000, Daniel Huigens wrote:
> Hi Simo,
>
> On Friday, August 30th, 2024 at 17:16, Simo Sorce wrote:
> > I do not understand how you come to the conclusion I do not understand
> > the purpose of HashML-DSA given that purpose is clearly stated in
> > FIPS204.
>
> Because you asked "What would be the point of doing that?" after I
> quoted FIPS 204 explaining the purpose of HashML-DSA.
>
> The purpose clearly stated in Section 5.4 is to sign a message with an
> extra hashing step. That the extra hashing step can also be done
> elsewhere does not affect its primary purpose.
>
> > Can you quote FIPS204 to substantiate this position?
>
> I have quoted FIPS 204 multiple times, but will happily do so again.
> Section 5.4 says:
>
> In general, the “pure” ML-DSA version is preferred.
> (...) If the content is not hashed at the application level, the
> pre-hash version of ML-DSA signing may be used.
>
> In other words, HashML-DSA is intended to be used in a specific case
> which does not apply to OpenPGP.

I am sorry, there is no point in going in circles, I think you
fundamentally misunderstand the purpose of HashML-DSA and I can't
reconcile your interpretation with the text, regardless of how many
times you quote select parts of it.

Let's agree to disagree and end this fruitless ping-pong here.

> > I am not sure why you insist quoting this sentence.
>
> I insist on quoting it because it contradicts your claim that FIPS 204
> recommends HashML-DSA :)
>
> > Yes NIST prefers
> > Pure ML-DSA where possible, but "pure" ML-DSA's premise is that you pass
> > the whole content you want to sign into it.
>
> Where does FIPS 204 say that you're not allowed to sign a hash with
> pure ML-DSA?
>
> > I quoted it literally to support my position.
>
> The quotes you've provided describe something that is allowed, they
> say nothing about what is recommended. Could you please provide a
> quote that says that HashML-DSA is preferred for our use case, as
> you claim FIPS 204 says?
>
> > So I think you misread the spec, and clearly you think I misread it.
> > Perhaps we bring the case to NIST and ask them what they think?
>
> Falko already did so, and NIST have said that passing a hash to the
> pure variant is permissible. But yes, feel free to reach out to them
> if you think it needs further clarification, of course.

The response I read from David Cooper just said that because OpenPGP
structures its content in a way that would prevent substitution attacks
then pure ML-DSA signature would be protected from that attack.

I interpret that response as a judgment on the security of the solution
which I mentioned already I do not have a problem with. In fact he
opens the reply explicitly saying either could be used.

Simo.

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
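
For readers following the thread: an added example, not part of the message above and not code from any participant or from an OpenPGP implementation, showing the byte strings that the two FIPS 204 signing interfaces actually feed into the internal signing routine. It covers the three options under discussion (pure over the content, pure over an application-level digest, HashML-DSA). The function names and the sample document are constructed for illustration, and the application-level digest is simplified to a plain hash of the document.

```python
import hashlib

# DER-encoded hash OIDs (NIST arc 2.16.840.1.101.3.4.2.x) that HashML-DSA
# places in front of the digest.
HASH_OIDS = {
    "sha256": bytes.fromhex("0609608648016503040201"),
    "sha512": bytes.fromhex("0609608648016503040203"),
}

def _prefix(domain: int, ctx: bytes) -> bytes:
    # Both modes start with a one-byte domain separator and a one-byte
    # context length, so the context string is capped at 255 bytes.
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return bytes([domain, len(ctx)]) + ctx

def pure_encode(message: bytes, ctx: bytes = b"") -> bytes:
    """Formatted message for pure ML-DSA: 0x00 || len(ctx) || ctx || M."""
    return _prefix(0, ctx) + message

def prehash_encode(message: bytes, ctx: bytes = b"",
                   hash_name: str = "sha512") -> bytes:
    """Formatted message for HashML-DSA: 0x01 || len(ctx) || ctx || OID || PH(M)."""
    digest = hashlib.new(hash_name, message).digest()
    return _prefix(1, ctx) + HASH_OIDS[hash_name] + digest

def compare_modes(document: bytes, hash_name: str = "sha512") -> dict:
    """Return the formatted message for each option debated in the thread."""
    # Stand-in for a digest computed by the application before signing
    # (simplified; hypothetical helper, not an OpenPGP API).
    app_digest = hashlib.new(hash_name, document).digest()
    return {
        "pure_over_document": pure_encode(document),
        "pure_over_app_digest": pure_encode(app_digest),
        "hashml_dsa": prehash_encode(document, hash_name=hash_name),
    }

if __name__ == "__main__":
    sample = b"constructed sample document"  # constructed input
    for name, encoded in compare_modes(sample).items():
        print(f"{name:22s} len={len(encoded):3d} head={encoded[:13].hex()}")
```

Even when the same digest is involved, the pure and pre-hash encodings differ in the leading domain-separator byte and in the presence of the hash OID, so a signature produced through one interface does not verify through the other.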