[openpgp] Re: pure vs. pre-hash in FIPS 204 and 205
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 29 August 2024 18:49 UTC
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>
CC: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>, Akhil CM <akhilacm@proton.me>, "openpgp@ietf.org" <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Hu-8uLkaxaYuPSluzHzjL9mSlqA>
The Monty Hall Problem provides a very useful illustration of how the framing of the problem can misdirect.

In the Monty Hall problem, the contestant is given a choice of three doors. They can pick one door or they can pick two doors, their choice: should the contestant pick one door or two? Presented in that framing, the answer is obviously 'two doors'. But that is not how the problem is presented. What they are told instead is that they pick one door, the presenter then removes one of the remaining doors that does not have a prize, and asks if they want to switch. That choice has absolutely identical probabilities to the one-or-two-doors choice. But it can sometimes take hours to get someone to see that this is the case.

If we look at this problem from the framing of 'design the best signature system', then the prehash is a part of our signature concern and we think of the two as being equally part of our bailiwick. But that is the wrong approach. The correct framing is to consider a cryptographic application with interfaces between modules that address separate concerns, and in that framing the digest function belongs to a separate module from the signature, because that is the way we have designed those interfaces.

If we don't respect the framing of the application developer, we risk overlooking the fact that the interface between the two modules is NOT the digest value; it is the tuple of the digest value and the digest algorithm.

And the deeper lesson of Monty Hall is that the framing of the problem we are given by circumstances is often the wrong one for addressing it, and the real task of solving the problem is to discover the right frame.
On Thu, Aug 29, 2024 at 2:27 PM Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> wrote:

> On 29 Aug 2024, at 18:57, Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org> wrote:
>
>> Hi Andrew,
>>
>> On Thursday, August 29th, 2024 at 19:40, Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org> wrote:
>>
>>> I believe at least some of the confusion arises from the spurious “not” in the last sentence above, which seems to me to be a typo. IMO it should read “if the content IS hashed at the application level, the pre-hash version of ML-DSA signing may be used.”
>>
>> No, I'm pretty sure the original is correct. The pre-hash version adds an extra hash compared to the pure version. Therefore, if the application does *not* hash the data, *and* a single-pass (e.g. streaming) API is required, then HashML-DSA (the pre-hash version) can be used.
>
> Ugh, yes you are correct. The text uses the passive voice extensively, which makes it very difficult to keep track of who or what is doing the hashing at each particular stage. I had to read it several times… :-( Sorry.
>
> A
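As an added illustration of the two points above (the signer input is the tuple of digest and digest algorithm, and the pre-hash form is what a single-pass API needs when the application has not hashed the data), the Python below builds the signer input M' the way FIPS 204 defines it for pure ML-DSA (Algorithm 2) and HashML-DSA (Algorithm 4), stopping short of the lattice signature itself. This is example code, not from this post or the thread; the OID byte strings are the DER encodings of the NIST SHA-2 OIDs, and the function names are the example's own.

```python
import hashlib

# DER-encoded OIDs that FIPS 204 HashML-DSA places in front of the pre-hash
# value: id-sha256 = 2.16.840.1.101.3.4.2.1, id-sha512 = 2.16.840.1.101.3.4.2.3.
HASH_OIDS = {
    "sha256": bytes.fromhex("0609608648016503040201"),
    "sha512": bytes.fromhex("0609608648016503040203"),
}


def _ctx_prefix(ctx: bytes) -> bytes:
    # FIPS 204 limits the context string to 255 bytes (one length byte).
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return bytes([len(ctx)]) + ctx


def pure_message(msg: bytes, ctx: bytes = b"") -> bytes:
    """M' for pure ML-DSA (Algorithm 2): 0x00 || |ctx| || ctx || M.

    The whole message goes to the signer, which hashes it internally, so the
    application needs no hash of its own but must hold all of M."""
    return b"\x00" + _ctx_prefix(ctx) + msg


def prehash_message(digest: bytes, hash_name: str, ctx: bytes = b"") -> bytes:
    """M' for HashML-DSA (Algorithm 4): 0x01 || |ctx| || ctx || OID || PH(M).

    The input is the (digest, algorithm) tuple, not a bare digest: the OID
    binds the hash function into what is signed, and the leading 0x01 keeps
    pre-hash inputs disjoint from pure inputs."""
    oid = HASH_OIDS[hash_name]
    expected = hashlib.new(hash_name).digest_size
    if len(digest) != expected:
        raise ValueError(f"{hash_name} digest must be {expected} bytes")
    return b"\x01" + _ctx_prefix(ctx) + oid + digest


def stream_prehash(chunks, hash_name: str, ctx: bytes = b"") -> bytes:
    """Single-pass use: hash chunks as they arrive, then form M' from the tuple.

    This is the case Daniel describes: the application did not hash the data,
    but only sees it once, so HashML-DSA does the hashing incrementally."""
    h = hashlib.new(hash_name)
    for chunk in chunks:
        h.update(chunk)
    return prehash_message(h.digest(), hash_name, ctx)


def oid_of(prehashed: bytes) -> bytes:
    """Recover the hash OID from a pre-hash M', so a verifier recomputes PH(M)
    with the algorithm the signer bound in, not one it assumes."""
    if prehashed[0] != 1:
        raise ValueError("not a HashML-DSA message encoding")
    start = 2 + prehashed[1]
    return prehashed[start:start + 11]
```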