IETF Logo Mail Archive

Re: [openpgp] PQC signature algorithm selection

Falko Strenzke <falko.strenzke@mtg.de> Tue, 27 February 2024 14:38 UTC

Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 417A9C151065; Tue, 27 Feb 2024 06:38:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0gKNS09C6UQJ; Tue, 27 Feb 2024 06:38:31 -0800 (PST)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E120C151063; Tue, 27 Feb 2024 06:38:27 -0800 (PST)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.18.1/8.18.1) with ESMTPS id 41REcMVX010115 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 27 Feb 2024 15:38:22 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1709044702; bh=s9OHRfeBN+ljeEiUjs37/RT3aVzuToI/GrdRNb9jExg=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=T/zh01UmIj2P9ui7I+e8dlPg8lPEbh8xh4Azs2ClpYbV40+6sbKiGRvc/vsxjisZZ WRISyP0E465Li5/xQxj4wJnuDJfi1A/90jz7eK3WqDftD5Wz9V3KdyFyW3ZDHUvkOK W5BRHS64gsyzPwf6/Qq3ozzEpUGRrAFdTWMKoiuw3A4rN1j8/Vz2xYeYghVo/uaoTT GU+5jXJFpzjK2HVZSw/BzEx+Yc7aUo+aSUdhz11uGm5d3TqR6anSX9NZnDRZ9BpuDN O93IUIF8ImJXIHVt4H/iKnUB7LtBTgB36WwKP+6t8ZxdRdLJ/OH5iGH5k9hFb1ySki CO+DpPA6/AIqg==
Received: from [199.99.99.194] (dhcp194 [199.99.99.194]) by minka.mtg.de (8.18.1/8.18.1) with ESMTPS id 41REcL32014013 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 27 Feb 2024 15:38:21 +0100
Message-ID: <3e0ac29e-a48d-49e9-9ec3-4819180dc3b9@mtg.de>
Date: Tue, 27 Feb 2024 15:38:21 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: de-DE, en-GB
To: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Derek Atkins <derek@ihtfp.com>, Aron Wussler <aron@wussler.it>, "openpgp@ietf.org" <openpgp@ietf.org>
References: <KoQWmWaeY2lKLiKIiFQelFQ49xHnFQV6SVrWGMjUtMcF237bLEyMEUuqHLgbJGk1mg9M6Aw7UCCgTYTVlWcRmviOEOzq1Gk1mB7UA6vlxTk=@wussler.it> <D7DD9F61-F4D0-4049-8C56-455D412BA1BA@andrewg.com> <Xt3wTD57OI4vzZofvU5GUmyzWpwPbQCONggQQdhaH3YqBA0YiB5I5Up47pOLOz3RjTqwrYMzhc38f0eNHNPayw4vXbOUvaX57W4AhHDxF8A=@wussler.it> <e5fd4130-22bd-4612-a20d-30b2df4ddde4@cs.tcd.ie> <459d5e0430e899115c05587d9dd5b6e1.squirrel@mail.ihtfp.org> <88f33912-54db-41d9-9887-226892d897fa@cs.tcd.ie> <zcPLaEVzNo7WFjXliYxuh0Ti2n2X_gA-39IlijwGWkV8bZbjC26hWMu5mXmqVG5hhSRkTt4ZRtjcDznEOFvGbtie_5l4osG39Z75M6aps8U=@protonmail.com> <4d1331b4-11fd-4a13-b5f0-1700aa91c87d@cs.tcd.ie> <OSxySiI_q7qV2QWd1MJY__03eHalmga34LtYItTegCq6Q5G9f-Yuz7QN3XCRt6nr_ecKf61hSh1yfJk83tx8j-jc3v13g5rjlnpBdnRrhOs=@protonmail.com> <hFwG3Idz8F8U5krIZvzyHsFfsUU3kQu16t1p7VTzc3jk7QeIVaa3ZfXoYSriQ1b7hHo1OLzll3REsevI9QJnsa8qYKsJF54yNrp3noANpjQ=@protonmail.com>
From: Falko Strenzke <falko.strenzke@mtg.de>
In-Reply-To: <hFwG3Idz8F8U5krIZvzyHsFfsUU3kQu16t1p7VTzc3jk7QeIVaa3ZfXoYSriQ1b7hHo1OLzll3REsevI9QJnsa8qYKsJF54yNrp3noANpjQ=@protonmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms080504060608080703060702"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2pMlNpbaGTW4v40aIU2M-3iFgeA>
Subject: Re: [openpgp] PQC signature algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2024 14:38:35 -0000

The current PQC draft also points out the purpose of multiple signatures 
for the purpose of backwards compatibility in Section 4.4 
<https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#multiple-signatures> 
as Daniel describes it.

Note also that the composite EdDSA+ML-DSA signatures have the feature of 
providing non-separability: It is not possible to remove one of the 
signatures to downgrade to a stand-alone signature of either of the two 
component schemes (since OpenPGP hashes the signature algorithm in the 
meta data). But when combining two non-composite signatures on the 
protocol level, either one can be stripped off.

I think useful signalling of the validity of multiple signatures will 
always remain difficult. On the one hand, one doesn't want to confuse 
the user with too much information. What should they conclude from one 
of two signatures being invalid or not interpretable?. On the other 
hand, in order to achieve long-term non-repudiation (to cover the 
failure of either the traditional or the PQC signature), the details 
need to be a checked or a proper policy needs to be in place. It seems 
to me that this is much easier to achieve with composites: simply check 
that there is one valid signature with EdDSA+ML-DSA.

One other important aspect to keep in mind in the discussion about 
non-composite signatures vs. composite signatures that Aron already 
pointed out (in the interim yesterday and also here in the discussion), 
is that in the non-composite case the primary key is either traditional 
or PQC and its subkey binding signatures are thus only strong as that 
single signature scheme. A composite primary EdDSA+ML-DSA key's 
signature is as strong as the strongest of the two signatures, obviously.

- Falko


Am 27.02.24 um 14:42 schrieb Daniel Huigens:
> On Tuesday, February 27th, 2024 at 14:19, Daniel Huigens wrote:
>> The benefit of combining it is that if ML-DSA is broken and Ed25519
>> isn't, the signature wouldn't be verified, even without updating the
>> receiving implementation.
> Sorry, I meant to say: ML-DSA being broken wouldn't cause a compromised
> signature to be verified. The (legitimate) Ed25519 and Ed25519+ML-DSA
> signatures would both still verify, of course.
>
> Conversely, if Ed25519 is broken, the Ed25519+ML-DSA would also continue
> to verify, even after Ed25519 was deprecated in the receiving
> implementation.
>
>
> So basically - having both an Ed25519 and an Ed25519+ML-DSA signature
> means that in the widest range of scenarios, the email is correctly
> considered valid or invalid:
>
> - MUAs that don't implement PQC can validate the Ed25519 signature
> - MUAs that do implement PQC can verify both
>    - If ML-DSA is broken and Ed25519 isn't, the attacker can't create a
>      compromised signature+message pair, even if the MUAs isn't updated
>    - If Ed25519 is broken and ML-DSA isn't, the MUA needs to be updated
>      to consider lone Ed25519 signatures invalid, but can continue to
>      verify Ed25519+ML-DSA signatures
>    - If both are broken, we need to switch to SLH-DSA :)
>
> Best,
> Daniel
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
-- 

*MTG AG*
Dr. Falko Strenzke
Executive System Architect

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>

<https://www.linkedin.com/search/results/all/?fetchDeterministicClustersOnly=true&heroEntityKey=urn%3Ali%3Aorganization%3A13983133&keywords=mtg%20ag&origin=RICH_QUERY_SUGGESTION&position=0&searchId=d5bc71c3-97f7-4cae-83e7-e9e16d497dc2&sid=3S5&spellCorrectionEnabled=false>
Follow us
------------------------------------------------------------------------
<https://www.mtg.de/de/aktuelles/MTG-AG-erhaelt-Innovationspreis-des-Bundesverbands-IT-Sicherheit-e.V-00001.-TeleTrust/> 
<https://www.itsa365.de/de-de/companies/m/mtg-ag>

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>

v2.23.0 | Report a Bug | By Email