Re: [openpgp] Disadvantages of Salted Signatures

"Neal H. Walfield" <> Mon, 11 December 2023 09:32 UTC

Date: Mon, 11 Dec 2023 10:32:50 +0100
From: "Neal H. Walfield" <>
To: Stephan Verbücheln <>

On Mon, 11 Dec 2023 08:37:21 +0100,
Stephan Verbücheln wrote:
> On Sun, 2023-12-10 at 13:58 +0000, Stephen Farrell wrote:
> > All that said, in that discussion, we should bear in mind that
> > the likelihood that we change or re-open crypto-refresh is small,
> > and that should be the case, unless we find some show-stopper
> > issue. FWIW, I don't think this is one such.
> At least 13.2 is so erroneous that it has potential to damage the
> reputation of the standard. The references do not support either of the
> claims. One could also ask: Does such a deep dive into cryptography
> even belong there?
> The signature format itself looks fine, but it adds (yet) unjustified
> bloat and complexity, and the disadvantages have not been discussed. So
> should it be really mandatory?
> This change appears to be proposed by one party with one particular use
> case: Implementing PGP in JavaScript in the browser.

The Sequoia team discussed adding a salt to signatures to mitigate
these types of attacks when we heard about Shambles in 2020.  The
discussion is here:

The commit where we add the salt is here:

(Note: the crypto-refresh places the salt earlier in the data that is
hashed, which is better than our solution.)

A cryptographer agreed with our analysis, and we observed that OpenSSH
does the same thing for the same reason:

  The nonce field is a CA-provided random bitstring of arbitrary
  length (but typically 16 or 32 bytes) included to make attacks that
  depend on inducing collisions in the signature hash infeasible.
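To illustrate why the salt placement mentioned above matters, here is an added example (my own code, not code from the thread, Sequoia, OpenSSH or the crypto-refresh draft): a toy Merkle-Damgard hash with a 24-bit chaining state makes a chosen-prefix collision cheap to find, and the demo then shows that a salt hashed after the message leaves that collision intact while a salt hashed before the message, as crypto-refresh does, breaks it. The toy hash, the two sample documents and the 16-byte salt are constructed assumptions for the demonstration.

```python
import hashlib
import itertools
import os

STATE_BYTES, BLOCK_BYTES = 3, 8  # toy: 24-bit state (collision in ~2^12 trials), 8-byte blocks

def compress(state: bytes, block: bytes) -> bytes:
    # Toy compression function: truncated SHA-256 of state || block.
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]

def chain(state: bytes, data: bytes) -> bytes:
    # Run the compression function over data block by block (no padding).
    for i in range(0, len(data), BLOCK_BYTES):
        state = compress(state, data[i:i + BLOCK_BYTES])
    return state

def toy_md_hash(data: bytes) -> bytes:
    # Merkle-Damgard hash: MD-style padding, then chain from an all-zero IV.
    # As in SHA-1/SHA-2, a chaining-state collision between equal-length
    # inputs survives any common suffix, including the padding block.
    pad = b"\x80" + b"\x00" * ((-len(data) - 9) % BLOCK_BYTES)
    pad += (8 * len(data)).to_bytes(8, "big")
    return chain(b"\x00" * STATE_BYTES, data + pad)

def find_chaining_collision(prefix_a: bytes, prefix_b: bytes):
    # Birthday search for one block each so that prefix_a+xa and prefix_b+xb reach
    # the same chaining state (toy chosen-prefix collision); prefixes are space-padded.
    n = max(len(prefix_a), len(prefix_b))
    n += -n % BLOCK_BYTES
    a, b = prefix_a.ljust(n, b" "), prefix_b.ljust(n, b" ")
    iv = b"\x00" * STATE_BYTES
    state_a, state_b = chain(iv, a), chain(iv, b)
    seen = {}
    for i in itertools.count():
        block = i.to_bytes(BLOCK_BYTES, "big")
        seen[compress(state_a, block)] = block
        hit = seen.get(compress(state_b, block))
        if hit is not None:
            return a + hit, b + block

def demo(salt: bytes = b"") -> dict:
    # Constructed sample: two documents the attacker wants one signature to cover.
    doc_a, doc_b = b"Pay the bearer 10 EUR.", b"Pay the bearer 10000 EUR."
    m1, m2 = find_chaining_collision(doc_a, doc_b)
    salt = salt or os.urandom(16)  # chosen by the signer after m1/m2 were fixed
    return {
        "unsalted": toy_md_hash(m1) == toy_md_hash(m2),                  # True
        "salt_after": toy_md_hash(m1 + salt) == toy_md_hash(m2 + salt),  # True
        "salt_before": toy_md_hash(salt + m1) == toy_md_hash(salt + m2), # False
    }
```

Only the salt-before-message layout makes the colliding pair useless, because the attacker had to fix both documents before the signer's random salt existed.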