Re: [openpgp] Disadvantages of Salted Signatures

Andrew Gallagher <> Mon, 11 December 2023 17:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 86D30C14CF13 for <>; Mon, 11 Dec 2023 09:18:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4OxMtdFYmS54 for <>; Mon, 11 Dec 2023 09:18:14 -0800 (PST)
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 4D55CC14CF01 for <>; Mon, 11 Dec 2023 09:18:13 -0800 (PST)
Received: from (serenity [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id B027A5ED7E; Mon, 11 Dec 2023 17:18:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=andrewg-com; t=1702315090; bh=7gWafCPD/RZ2qoB7LljhCudnyI14D2kBvdEO50sXhT0=; h=From:Subject:Date:References:To:In-Reply-To:From; b=WOAUonagHJUzfUng2dn3ifHhtnqECdDsSlWb+ocWlhVsY3KNm4uc2UJI4n3LPuytE F20DGiOWB88OBsNt7g9PaTwd04g86ulp5/9aHt7CQss12VzVZ5ryuuNcl7iG8a+fbc SnbUbTVtjsHi+6dotV0WM9SdFLwjUKamW8npJKIY4cMkn0qXqa3Ts3ts3JzGtJp3Gj Y7Qiz9ix15KFl5rVGR27CqcRAuSH4tIiuTSTtbXMwk3SgDIH065pWofs6JXSK7qdsi 6yTmhZzjrFWuLSryBm6PX8KCZFopuYsFTE58bIxqPFWiE+ZZ24ASmSUShO7cUeb9rN YC46dHWwvjqug==
From: Andrew Gallagher <>
Content-Type: multipart/signed; boundary="Apple-Mail=_2187FD11-F5EF-42C0-A687-6ED96680F656"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Mon, 11 Dec 2023 17:17:52 +0000
References: <> <> <>
To: Stephan Verbücheln <>, "openpgp\\\\" <>
In-Reply-To: <>
Message-Id: <>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <>
Subject: Re: [openpgp] Disadvantages of Salted Signatures
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Dec 2023 17:18:19 -0000

On 11 Dec 2023, at 16:43, Stephan Verbücheln <> wrote:
> I believe, the following two questions are still worth debating because
> the mandatory salt does not come at zero cost.
> Is it practically relevant?
> Hash algorithms which are vulnerable to collisions should not be used
> anyway. SHA-1 was deprecated in 2011, a long time before that attack
> was demonstrated.

OpenPGP is a high-latency communications protocol with roundtrips often measured in decades. It currently supports artifacts generated in the 1990s, and will do so well into the foreseeable future. There is therefore value in insuring against speculative weaknesses no matter how remote they may currently appear.

> Does it make sense to have it mandatory or default?
> In most cases, PGP users sign their own data (e-mails, software
> tarballs etc.). It could nevertheless be default for “certify”
> operations.

IMO there is value in defing a single signature format for all use cases rather than one deterministic one and one nondeterministic one. If deterministic signatures are required in specialised applications, they could be achieved by other means, e.g. a verifiable-seed PRNG. This is currently out of scope and would need to be signalled via some novel or out-of-band mechanism, however there are other parts of the spec where verifiable-seed randomness may be useful (padding comes to mind) and we could potentially treat these as a general class of problem in a future document. Alternatively, as discussed previously, an application that requires determinism could allow the salt to be externally forced in the verification mode. I therefore don’t believe lack of determinism in the spec is a blocker.