[openpgp] changing v5 signature salt size from 16 to 32 octets? [was: Re: lack of agenda items...]
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 04 November 2022 02:13 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50162C1524BF for <openpgp@ietfa.amsl.com>; Thu, 3 Nov 2022 19:13:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.314
X-Spam-Level:
X-Spam-Status: No, score=-6.314 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=RN8m72A4; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=sf8PdObJ
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yCXkMINaGM_a for <openpgp@ietfa.amsl.com>; Thu, 3 Nov 2022 19:13:07 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44ED6C1524D3 for <openpgp@ietf.org>; Thu, 3 Nov 2022 19:13:06 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1667527985; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=cLqATZNl2T0O/mGG2fBM6bk/kcIOjTO4iNIN08WtMaI=; b=RN8m72A4aIZ+cVw0gVyHEFNt8aggbWTDueskw9oQacpG6XHpWddISI+kIYQ2bqCZOjf92 Ryl1eYE5ChaImbmDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1667527985; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=cLqATZNl2T0O/mGG2fBM6bk/kcIOjTO4iNIN08WtMaI=; b=sf8PdObJmrJ9gewFomC76FN6e8UY3vP4cMH+iVZQO9du/enAOvbjtURzUpF9S+GVFCQpr tUm2jaw7J784sHZ1OmPpMyxg+AwU0geWWw/A4vPuLROEA+BBLJd7WpRqE3oCW72E7NcQ1+Y B0sWnhQ+93WZ6yC7Y6JB0Duzx3N7wsIY3plbnsTbdZcFWN5hRI7FSSgevrY+MYOpNYn0W5X 7LGXc0ZEU6zVNX7ckZjNW14QrA9sjMCOTntoBYRStu0XbnEKmMOtwaocmUIPQoENaFmCYlD MjP10XPscA5BEgIvcP0EAx9oH9V32hhy9Gq5iCzwajQRP1fY5g3nNPBABA4Q==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id A4E21F9AD; Thu, 3 Nov 2022 22:13:04 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 18B45204C8; Thu, 3 Nov 2022 22:13:02 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Aron Wussler <aron@wussler.it>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
In-Reply-To: <zPFgkVQD9vD3X99PVOEYp0NHQ1n8hl8mNdLgokPv_O1V7p8y4jgM6jKz0GFIix97At_foVxj-pWdKf3h-KWzEWqFhTGLiCUgrYKzJ7zM2HQ=@wussler.it>
References: <c859b8da-5fd6-297b-f30b-39805e3e3cad@cs.tcd.ie> <zPFgkVQD9vD3X99PVOEYp0NHQ1n8hl8mNdLgokPv_O1V7p8y4jgM6jKz0GFIix97At_foVxj-pWdKf3h-KWzEWqFhTGLiCUgrYKzJ7zM2HQ=@wussler.it>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Thu, 03 Nov 2022 22:13:01 -0400
Message-ID: <87h6zfh3gy.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/3LyEs_d95ox0NSnhelw6-FBEfzo>
Subject: [openpgp] changing v5 signature salt size from 16 to 32 octets? [was: Re: lack of agenda items...]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2022 02:13:12 -0000
On Thu 2022-11-03 08:32:00 +0000, Aron Wussler wrote: > In v5 we added a 16-byte random salt prefixing the data when hashing for signature, great idea because if it's unpredictable it can prevent collision attacks. > > In SPHINCS+ this is also similarly done in the construction, but it has a variable size depending on the hash output size. > > To make randomized hashing coherent with PQC signature schemes I'd like to ask if > > (1) it is possible to extend the field to 32 bytes to match other constructions, Are there any size concerns worth considering here? The salt needs to be represented in a few different contexts: - in the one-pass signature packet - in the SaltedHash Armor header for a (LIT SIG)-style signed message (non-one-pass), and probably - in some sort of RFC 3156-style parameter to enable one-pass validation of a signed e-mail message. base64-encoding the 32-byte value will bring this to 43 characters. That would make the SaltedHash: armor header 43+13+8 = 64 characters long, like so: SaltedHash: SHA3-256:9haH8LirCmteTImei9GQtIHMgJ26zM/uPAoiZepB4cw That's not implausible for messages of already moderate size, though it does double the size of the signature itself for small-signature formats like ed25519. I should add a note of historical caution about including too much gratuitous randomness. tls-extended-random [0] has not aged well [1]. [0] https://datatracker.ietf.org/doc/html/draft-rescorla-tls-extended-random [1] https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/ The crypto-refresh revision to RFC 4880 does caution about this in the "Random Number Generation and Seeding" section. It might be worth including pointers to that section in the section where we talk about salts for v5 signatures. > (2) it is possible to bind the salt size to the hash function. Is it the hash function that is relevant here or is it the public key signature function? From OpenPGP's perspective, the message is hashed, and the hash is signed. In the OPS packet, there is an explicit indication of the public key algorithm used. What if we were to tie the salt size to the public key algorithm, perhaps by adding a column to Public-key algorithm registry indicating "v5 signature salt size"? I understand that SPHINCS+ is itself hash-based, so perhaps this is getting too far into the PQC discussion, but can you give the WG a summary of how you think binding the salt size to the hash function would work? Are you suggesting that the salt should be (for example) the size of the hash used? That would make the SaltedHash header long enough to potentially cause linewraps when, say, SHA2-512 or SHA3-512 is in use. --dkg
- [openpgp] lack of agenda items... Stephen Farrell
- Re: [openpgp] lack of agenda items... Daniel Huigens
- Re: [openpgp] lack of agenda items... Vincent Breitmoser
- Re: [openpgp] lack of agenda items... Stephen Farrell
- Re: [openpgp] lack of agenda items... Neal H. Walfield
- Re: [openpgp] lack of agenda items... Aron Wussler
- Re: [openpgp] lack of agenda items... Stephen Farrell
- [openpgp] changing v5 signature salt size from 16… Daniel Kahn Gillmor
- Re: [openpgp] lack of agenda items... Neal H. Walfield
- Re: [openpgp] changing v5 signature salt size fro… Aron Wussler
- Re: [openpgp] changing v5 signature salt size fro… Andreas Hülsing
- Re: [openpgp] changing v5 signature salt size fro… Steffen Nurpmeso