[openpgp] Re: pure vs. pre-hash in FIPS 204 and 205
Simo Sorce <simo@redhat.com> Fri, 30 August 2024 15:16 UTC
Return-Path: <simo@redhat.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE05EC151095 for <openpgp@ietfa.amsl.com>; Fri, 30 Aug 2024 08:16:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.253
X-Spam-Level:
X-Spam-Status: No, score=-2.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YKcE-7nUiDS for <openpgp@ietfa.amsl.com>; Fri, 30 Aug 2024 08:16:15 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09C39C151091 for <openpgp@ietf.org>; Fri, 30 Aug 2024 08:16:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1725030973; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=S9dtSVbyeVClre9b7opnczWiD3oWrH20SD5XVHVxuoQ=; b=Sp7EmbpDLBW2oC+59VTDsQ2bvZXKjR4YPfRVy/KKPMCjt4W9L60kIJ6VWUEy+MGdBiYQnc eMtLrSvJ9D+g1aO2sG7AccjJlj0LGVjQ5Xm5fDFcrl3bHvkd1RmCCOzY3yLtEJRwpznd5t zDyRtkctv7Qszfoyf9/4HCQAbQoPMqs=
Received: from mail-oo1-f72.google.com (mail-oo1-f72.google.com [209.85.161.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-384-KOuhM6aGMGCU4jPLyN6ngA-1; Fri, 30 Aug 2024 11:16:12 -0400
X-MC-Unique: KOuhM6aGMGCU4jPLyN6ngA-1
Received: by mail-oo1-f72.google.com with SMTP id 006d021491bc7-5df9ac3042dso2003775eaf.2 for <openpgp@ietf.org>; Fri, 30 Aug 2024 08:16:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725030971; x=1725635771; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:cc:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=S9dtSVbyeVClre9b7opnczWiD3oWrH20SD5XVHVxuoQ=; b=dR041VmrFJcd1p/WV3ZPguE9rudUstteKSU5wWqSyYugC/MV/mKzDCWaNg/vCNTATW 1KidzdaX0BLz8a9ekm/nMfkNthTMshY22OtsPt4LtXv3mWuPmzuRWS94AvqgdIMg2hwB 6KSmZbJ7RX2YAZPzJqZ0ijgM4o9HscNmRumbo84hI+U+InXj61N0QC8LQKrEEjFRnrxJ BRGBmd4vNPT57NeYzqm8bXq71buidwM7XIhNjhOCc1BebFfVpzJPSlUY44/Kkm3czkFN t/WcM6+NSx9pNREkXEYdXZSCvqUtJThbkUiUufdUABI4kJIaso2pvCiaEQbpJTNCsEP7 CXyg==
X-Forwarded-Encrypted: i=1; AJvYcCVMsagjxKLCEsHH+9s/NOIL2aeFep4z4gaaCrfnuJ1jpVD+YvngGDEKwTU2oWmoByqYprdS7l3J@ietf.org
X-Gm-Message-State: AOJu0Yz7doPyaHaV1vvQgSd2s0JjRW/ejteDX3H+ulDzdWuSSYdiB5HH HBgiLwlWEiG9UVBF+mPgByTBGPmzzjDEdM6r5CGeBWkiJ77Tr35bt4NawUPK7E6fhcxueD9fD19 WwIjPz5plc1OmBUpQ6ljcjc2gouoigdTl8VCy0wmfd8CtpA==
X-Received: by 2002:a05:6820:2297:b0:5dc:9800:a443 with SMTP id 006d021491bc7-5dfacddf48fmr2782458eaf.1.1725030971531; Fri, 30 Aug 2024 08:16:11 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGV1Hw+yKj5dZkMk3fXnZv8su8bufc3dHufPMhmZktAm1ftc3lucPqOH4c/TuIgrfigF6Dfvw==
X-Received: by 2002:a05:6820:2297:b0:5dc:9800:a443 with SMTP id 006d021491bc7-5dfacddf48fmr2782407eaf.1.1725030970933; Fri, 30 Aug 2024 08:16:10 -0700 (PDT)
Received: from m8.users.ipa.redhat.com ([2603:7000:9400:fe80::318]) by smtp.gmail.com with ESMTPSA id 006d021491bc7-5dfa047c118sm666982eaf.2.2024.08.30.08.16.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 30 Aug 2024 08:16:10 -0700 (PDT)
Message-ID: <98f513368035f56052f8f524be41561ac9a89120.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Daniel Huigens <d.huigens@protonmail.com>
Date: Fri, 30 Aug 2024 11:16:09 -0400
In-Reply-To: <4e9oBXl8Mu7-Fcj3fn0UssCr_qyeZFhmgvf9CzVEw4-ueyG5h678x4P3x04DrTznZQs88Mcqp5mzPIoumsdAQb7gqJc6SdsZuCWLU__ugdI=@protonmail.com>
References: <gp_qhnxiYq_pgzpw26Gw5lC53i2aOD1tik9Lrprf0yhURin012f3YvwxS-8mGXOX7ObRAiMqjBkyyxiC8vkwuMMg0Kng4dSOI4Edwww0v4I=@proton.me> <C248DA16-5642-4141-8561-108F157A0D97@andrewg.com> <nLeggcwwubArYMbVyxeaaGb3-QcrtILJob0uhfTjhbXRnCUQWJv0sjwhDuXvc705DhqW2XNEJHqagEFow2v0i5L1cRAv2ixFvqDIDp3lFiQ=@protonmail.com> <55c42efdaea1bd661f5d3607706a6d4d388cea61.camel@redhat.com> <fU3_9MgtQjRnA48uQszLXegERJDcKOLGHUssln9CZfamMwBNpbD6Wj5zVpCl_DrfaTqkuJpDGsI4-13uRDyBDZuHNMtcsD5wP376GsxSWSU=@protonmail.com> <b329a33a05f8dca61571ea049357c421c48f6927.camel@redhat.com> <4e9oBXl8Mu7-Fcj3fn0UssCr_qyeZFhmgvf9CzVEw4-ueyG5h678x4P3x04DrTznZQs88Mcqp5mzPIoumsdAQb7gqJc6SdsZuCWLU__ugdI=@protonmail.com>
Organization: Red Hat
User-Agent: Evolution 3.52.4 (3.52.4-1.fc40)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: K6ZBFH5UOZ6J5ZSMOUGWIYTKG54NI6NC
X-Message-ID-Hash: K6ZBFH5UOZ6J5ZSMOUGWIYTKG54NI6NC
X-MailFrom: simo@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andrew Gallagher <andrewg@andrewg.com>, Akhil CM <akhilacm@proton.me>, "openpgp@ietf.org" <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: pure vs. pre-hash in FIPS 204 and 205
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/SdylebKoTMM7buQ_HwPE5Q7JzOU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
On Fri, 2024-08-30 at 07:18 +0000, Daniel Huigens wrote: > Hi Simo, > > You're making an argument that goes roughly as follows: > > - I don't understand the purpose of HashML-DSA as described in FIPS 204 > - Therefore I assume the purpose must be something else, and interpret > the text of FIPS 204 differently to fit that assumption > - The purpose I assume is the one that would be relevant for OpenPGP > - Therefore we should use HashML-DSA for OpenPGP > > IMHO, this is faulty reasoning. If you don't understand the purpose > of HashML-DSA, that's fine. > I do not understand how you come to the conclusion I do not understand the purpose of HashML-DSA given that purpose is clearly stated in FIPS204. > I don't see it as my job to justify the > existence of HashML-DSA for something other than being used in OpenPGP. > For all I care it might be completely useless and nobody implements it, > like what happened with the pre-hash variants of EdDSA. > > In any case I prefer to take the text in FIPS 204 at face value, and > the straightforward reading of the text says that we shouldn't use it. Can you quote FIPS204 to substantiate this position? I quoted it literally to support my position. > > > The explanation in 5.4, the whole point of providing a pre-hash ML-DSA > > version is to allow application to doh!) "pre" Hash the message. > > That's not what it says. It says: "Like ML-DSA, the signing algorithm of > HashML-DSA takes the content to be signed, the private key, and a > context as input, as well as a hash function or XOF that is to be used > to pre-hash the content to be signed." > So it's the HashML-DSA function itself that pre-hashes the content. I quoted the literal text that says (paraphrasing) "the application can provide PHM", I do not understand how you can make this contentious. It is written right there. > > What would be the point of doing that, and then re-hashing the whole > > thing a second time ? (and then a third time internally). > > Indeed you wouldn't. That's why it says "If the content is *not* hashed > at the application level, the pre-hash version of ML-DSA signing may be > used." (emphasis mine) Yes, and I think this is where you misunderstand the context I think. This phrase allows you to use the pore-hash version *also* in the case the application gives you a full message, if the cryptographic module can use a much faster hashing mechanisms separate from the one used within the internal signing function. It is meant as an enabling and not an excluding condition. IE you are not force to use Pure ML-DSA if your devices are constrained and HashML-DSA would be a more efficient way to implement this. > > > If you are still unconvinced look at the text at the bottom of Page 20 > > which says explicitly: "As with the pre-hash signature generation, 𝑀 ′ > > may be constructed outside of the cryptographic module that performs > > ML-DSA.Verify_internal." > > The text after your quote continues "However, in the case of HashML-DSA, > the hash or XOF of the content must be computed within a FIPS 140- > validated cryptographic module, which may be a different cryptographic > module than the one that performs ML-DSA.Verify_internal." And this is relevant how? NIST sets the FIPS standards, all this is saying is that even if the application is doing the pre-hash, the hashing function should still be a FIPS validated implementation. They go to great length to specify that this hashing function can be validated in an entirely different FIPS module, exactly to avoid paperwork obstacles. It just corroborates the interpretation I am giving you that you can do that hash elsewhere, specifically by the application before passing PHM into the cryptographic module. > > Like I said, you might have a "core cryptographic module" that's on an > HSM, and a different cryptographic module that computes the hash. Yes, this is what it is saying, so how is this contradicting anything about what I said about HashML-DSA and its appropriateness? > > for the non-FIPS language versed "Outside the cryptographic module" == > > "The application" > > So no, in this case they mean "in a different cryptographic module". Your are playing with semantics, I certify software implementations of cryptographic modules as my day job, In RHEL, we have 4 different libraries certified that can do hashes, and all our applications (including PGP implementations) use one of those *certified* modules to do the Hashing. Certified cryptographic modules are not just *hardware* modules. > > I know that OpenPGP does not do that, but NIST puts down general rules > > to follow that cover all cases. That is the spirit of the > > specification, and yes if you "hold it right" you can be safe using > > Pure ML-DSA, but why go against the spirit and the recommendation of > > the spec when it is rather easy to actually follow the spec and use the > > correct function which is HashML-DSA ? > > You still haven't actually quoted a recommendation of the spec. > The only relevant recommendation I see is: "In general, the “pure” > ML-DSA version is preferred." I am not sure why you insist quoting this sentence. YEs NIST prefers Pure ML-DSA where possible, but "pure" Ml-DSA'a premise is tat you pass the whole content you want to sign into it. You are clearly do not want to do that, you want to pass in pre-hashed content, so you clearly fall into the pre-hash category which is served by HashML-DSA. > > > They would not have made available HashML-DSA if there weren't > > legitimate cases for it. > > Like the text I quoted above says, "If the content is not hashed at the > application level, the pre-hash version of ML-DSA signing may be used." > So the exact opposite case of OpenPGP. You are treating an inclusive or like an exclusive or here. This text just says that even if the cryptographic module is given a full message, the implementation can still decide to use the pre-hash variant instead of the pure one, for internal convenience reasons. This text has nothing to do with application that use pre-hashing so it is irrelevant to establish what is the correct function to use for openpgp. > > Btw, if your position is that you _disagree_ with NIST and/or FIPS 204, I disagree with your interpretation, because I think your interpretation is faulty. You are reading preferences and requirements that are not there, and coming up to a conclusion which is the exact opposite of what the spec would recommend you to do. This is why I am debating your statements. > like some parts of your email seem to suggest, that's perfectly fine, > but that's something entirely different than claiming that the spec > recommends something different than what it actually recommends. So I think you misread the spec, and clearly you think I misread it. Perhaps we bring the case to NIST and ask them what they think? Simo. -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Justus Winter
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Phillip Hallam-Baker
- [openpgp] pure vs. pre-hash in FIPS 204 and 205 Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Justus Winter
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Akhil CM
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Phillip Hallam-Baker
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Phillip Hallam-Baker
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Phillip Hallam-Baker
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Falko Strenzke
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Andrew Gallagher
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Daniel Huigens
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce
- [openpgp] Re: pure vs. pre-hash in FIPS 204 and 2… Simo Sorce