Re: [openpgp] PQC signature algorithm selection
Falko Strenzke <falko.strenzke@mtg.de> Tue, 27 February 2024 14:38 UTC
Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 417A9C151065; Tue, 27 Feb 2024 06:38:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0gKNS09C6UQJ; Tue, 27 Feb 2024 06:38:31 -0800 (PST)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E120C151063; Tue, 27 Feb 2024 06:38:27 -0800 (PST)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.18.1/8.18.1) with ESMTPS id 41REcMVX010115 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 27 Feb 2024 15:38:22 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1709044702; bh=s9OHRfeBN+ljeEiUjs37/RT3aVzuToI/GrdRNb9jExg=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=T/zh01UmIj2P9ui7I+e8dlPg8lPEbh8xh4Azs2ClpYbV40+6sbKiGRvc/vsxjisZZ WRISyP0E465Li5/xQxj4wJnuDJfi1A/90jz7eK3WqDftD5Wz9V3KdyFyW3ZDHUvkOK W5BRHS64gsyzPwf6/Qq3ozzEpUGRrAFdTWMKoiuw3A4rN1j8/Vz2xYeYghVo/uaoTT GU+5jXJFpzjK2HVZSw/BzEx+Yc7aUo+aSUdhz11uGm5d3TqR6anSX9NZnDRZ9BpuDN O93IUIF8ImJXIHVt4H/iKnUB7LtBTgB36WwKP+6t8ZxdRdLJ/OH5iGH5k9hFb1ySki CO+DpPA6/AIqg==
Received: from [199.99.99.194] (dhcp194 [199.99.99.194]) by minka.mtg.de (8.18.1/8.18.1) with ESMTPS id 41REcL32014013 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 27 Feb 2024 15:38:21 +0100
Message-ID: <3e0ac29e-a48d-49e9-9ec3-4819180dc3b9@mtg.de>
Date: Tue, 27 Feb 2024 15:38:21 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: de-DE, en-GB
To: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Derek Atkins <derek@ihtfp.com>, Aron Wussler <aron@wussler.it>, "openpgp@ietf.org" <openpgp@ietf.org>
References: <KoQWmWaeY2lKLiKIiFQelFQ49xHnFQV6SVrWGMjUtMcF237bLEyMEUuqHLgbJGk1mg9M6Aw7UCCgTYTVlWcRmviOEOzq1Gk1mB7UA6vlxTk=@wussler.it> <D7DD9F61-F4D0-4049-8C56-455D412BA1BA@andrewg.com> <Xt3wTD57OI4vzZofvU5GUmyzWpwPbQCONggQQdhaH3YqBA0YiB5I5Up47pOLOz3RjTqwrYMzhc38f0eNHNPayw4vXbOUvaX57W4AhHDxF8A=@wussler.it> <e5fd4130-22bd-4612-a20d-30b2df4ddde4@cs.tcd.ie> <459d5e0430e899115c05587d9dd5b6e1.squirrel@mail.ihtfp.org> <88f33912-54db-41d9-9887-226892d897fa@cs.tcd.ie> <zcPLaEVzNo7WFjXliYxuh0Ti2n2X_gA-39IlijwGWkV8bZbjC26hWMu5mXmqVG5hhSRkTt4ZRtjcDznEOFvGbtie_5l4osG39Z75M6aps8U=@protonmail.com> <4d1331b4-11fd-4a13-b5f0-1700aa91c87d@cs.tcd.ie> <OSxySiI_q7qV2QWd1MJY__03eHalmga34LtYItTegCq6Q5G9f-Yuz7QN3XCRt6nr_ecKf61hSh1yfJk83tx8j-jc3v13g5rjlnpBdnRrhOs=@protonmail.com> <hFwG3Idz8F8U5krIZvzyHsFfsUU3kQu16t1p7VTzc3jk7QeIVaa3ZfXoYSriQ1b7hHo1OLzll3REsevI9QJnsa8qYKsJF54yNrp3noANpjQ=@protonmail.com>
From: Falko Strenzke <falko.strenzke@mtg.de>
In-Reply-To: <hFwG3Idz8F8U5krIZvzyHsFfsUU3kQu16t1p7VTzc3jk7QeIVaa3ZfXoYSriQ1b7hHo1OLzll3REsevI9QJnsa8qYKsJF54yNrp3noANpjQ=@protonmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms080504060608080703060702"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2pMlNpbaGTW4v40aIU2M-3iFgeA>
Subject: Re: [openpgp] PQC signature algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2024 14:38:35 -0000
The current PQC draft also points out the purpose of multiple signatures for the purpose of backwards compatibility in Section 4.4 <https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#multiple-signatures> as Daniel describes it. Note also that the composite EdDSA+ML-DSA signatures have the feature of providing non-separability: It is not possible to remove one of the signatures to downgrade to a stand-alone signature of either of the two component schemes (since OpenPGP hashes the signature algorithm in the meta data). But when combining two non-composite signatures on the protocol level, either one can be stripped off. I think useful signalling of the validity of multiple signatures will always remain difficult. On the one hand, one doesn't want to confuse the user with too much information. What should they conclude from one of two signatures being invalid or not interpretable?. On the other hand, in order to achieve long-term non-repudiation (to cover the failure of either the traditional or the PQC signature), the details need to be a checked or a proper policy needs to be in place. It seems to me that this is much easier to achieve with composites: simply check that there is one valid signature with EdDSA+ML-DSA. One other important aspect to keep in mind in the discussion about non-composite signatures vs. composite signatures that Aron already pointed out (in the interim yesterday and also here in the discussion), is that in the non-composite case the primary key is either traditional or PQC and its subkey binding signatures are thus only strong as that single signature scheme. A composite primary EdDSA+ML-DSA key's signature is as strong as the strongest of the two signatures, obviously. - Falko Am 27.02.24 um 14:42 schrieb Daniel Huigens: > On Tuesday, February 27th, 2024 at 14:19, Daniel Huigens wrote: >> The benefit of combining it is that if ML-DSA is broken and Ed25519 >> isn't, the signature wouldn't be verified, even without updating the >> receiving implementation. > Sorry, I meant to say: ML-DSA being broken wouldn't cause a compromised > signature to be verified. The (legitimate) Ed25519 and Ed25519+ML-DSA > signatures would both still verify, of course. > > Conversely, if Ed25519 is broken, the Ed25519+ML-DSA would also continue > to verify, even after Ed25519 was deprecated in the receiving > implementation. > > > So basically - having both an Ed25519 and an Ed25519+ML-DSA signature > means that in the widest range of scenarios, the email is correctly > considered valid or invalid: > > - MUAs that don't implement PQC can validate the Ed25519 signature > - MUAs that do implement PQC can verify both > - If ML-DSA is broken and Ed25519 isn't, the attacker can't create a > compromised signature+message pair, even if the MUAs isn't updated > - If Ed25519 is broken and ML-DSA isn't, the MUA needs to be updated > to consider lone Ed25519 signatures invalid, but can continue to > verify Ed25519+ML-DSA signatures > - If both are broken, we need to switch to SLH-DSA :) > > Best, > Daniel > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp -- *MTG AG* Dr. Falko Strenzke Executive System Architect Phone: +49 6151 8000 24 E-Mail: falko.strenzke@mtg.de Web: mtg.de <https://www.mtg.de> <https://www.linkedin.com/search/results/all/?fetchDeterministicClustersOnly=true&heroEntityKey=urn%3Ali%3Aorganization%3A13983133&keywords=mtg%20ag&origin=RICH_QUERY_SUGGESTION&position=0&searchId=d5bc71c3-97f7-4cae-83e7-e9e16d497dc2&sid=3S5&spellCorrectionEnabled=false> Follow us ------------------------------------------------------------------------ <https://www.mtg.de/de/aktuelles/MTG-AG-erhaelt-Innovationspreis-des-Bundesverbands-IT-Sicherheit-e.V-00001.-TeleTrust/> <https://www.itsa365.de/de-de/companies/m/mtg-ag> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany Commercial register: HRB 8901 Register Court: Amtsgericht Darmstadt Management Board: Jürgen Ruf (CEO), Tamer Kemeröz Chairman of the Supervisory Board: Dr. Thomas Milde This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error, please inform the sender immediately and delete this email.Unauthorised copying or distribution of this email is not permitted. Data protection information: Privacy policy <https://www.mtg.de/en/privacy-policy>
- [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Werner Koch
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Orie Steele
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Derek Atkins
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Bart Butler
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Derek Atkins
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Bart Butler
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Derek Atkins
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Andreas Hülsing
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andreas Hülsing
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Steffen Nurpmeso
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Michael Richardson