[openpgp] Fwd: [pqc-forum] Question regarding pure vs. pre-hash ML-DSA
Falko Strenzke <falko.strenzke@mtg.de> Thu, 29 August 2024 08:08 UTC
From: Falko Strenzke <falko.strenzke@mtg.de>
To: pqc-forum <pqc-forum@list.nist.gov>, "Moody, Dustin (Fed)" <dustin.moody@nist.gov>, "openpgp@ietf.org" <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/WJSBPOF0hTqzSmZ-a_0kA6ucq-M>
Hi Dustin,

in that case let me formulate the most relevant question that we are facing in OpenPGP currently, which was my main motivation for understanding the quoted paragraphs:

OpenPGP is committed to the hash-and-sign paradigm. RFC 9580, the current specification, throughout describes how data is first hashed and then signed. When introducing ML-DSA and SLH-DSA to OpenPGP, we are bound to this approach. The question now is: In such a case, is it a NIST-approved solution to use the pure variants of both PQC schemes to sign the hash value?

Best regards,
Falko

On 28.08.24 at 18:00, Moody, Dustin (Fed) wrote:
> Falko,
>
> We're trying to answer your question, but we don't quite get the point you're making, which makes it hard to respond. Can you try explaining it to me again, as clearly as possible so we understand? The text seems pretty straightforward to us.
>
> Dustin
>
> ------------------------------------------------------------------------
> *From:* pqc-forum@list.nist.gov on behalf of Falko Strenzke
> *Sent:* Wednesday, August 28, 2024 12:41 AM
> *To:* Phillip Hallam-Baker
> *Cc:* pqc-forum
> *Subject:* Re: [pqc-forum] Question regarding pure vs. pre-hash ML-DSA
>
> Thanks for the pointer. If I see it correctly you are suggesting a pre-image attack on a hash algorithm that is accepted by the recipient. Pre-image attacks are not a known threat for any hash algorithm still potentially in use, not even MD5, as far as I know, but it's certainly a valid concern to hedge against this possibility. This would be the reason why the pre-hash variant hashes the hash OID internally. This all the more shows how important correct use of the two variants is and is thus reinforcing my question.
>
> My question to NIST actually isn't about technical matters regarding the security properties of hash algorithms; I am asking how NIST intends the quoted text to be understood that is part of their guidance on using the pre-hash variant.
>
> The meaning of the sentence following in the next paragraph is also not clear to me: "/In order to maintain the same level of security strength when the content is hashed at the application level or using HashML-DSA [...]/" This seems to suggest that the content may be hashed at the application level and then the hash signed with the pure variant. (That is implied by the "or" connecting the two clauses.) Possibly this refers to a case like that of CMS where the signedAttrs may be signed and where the message digest is contained in that object. But I think that doesn't become clear. My recent experience in a discussion is that this paragraph can be understood to counter the clear statement at the beginning of section 5.4:
>
> /For some use cases, this may be addressed by signing a digest of the message along with some domain separation information rather than signing the message directly. This version of ML-DSA is known as "pre-hash" ML-DSA or HashML-DSA./
>
> Best regards,
> Falko
>
> On 27.08.24 at 17:29, Phillip Hallam-Baker wrote:
>> You can indeed pass the digest directly into pure. The issue being that it is unsafe to do so; an attacker can perform a digest substitution attack on it.
>>
>> Consider the case where the application supports a hash which has been broken to the extent that they can create any digest output they like - MD-BORKED.
>>
>> Queen Alice decides to knight Bob, writes out a declaration to that effect, hashes it with SHA-2-512 and posts it to the gazette.
>>
>> Mallet takes the signature, writes out a death warrant for Bob and uses the MD-BORKED manipulation code to create a digest that matches that of the original message. Instead of arriving to find the Queen holding a sword to confer the accolade, Bob finds the headsman holding an axe.
>>
>> That is why it is always necessary to bind the digest type into the signature if a pre-hash is used.
>>
>> Pure should only be used on the message content itself or on a manifest structure which includes the digest value.
>>
>> So for example, a DARE signature on a chunk appended to a sequence typically contains the following information:
>>
>> * Digest algorithm used to digest the content
>> * Digest value over the content
>> * Digest algorithm used to create the Merkle Tree
>> * Apex value of the Merkle tree
>> * Witness value demonstrating the signer knew the encryption key
>> * Application context identifier
>>
>> Those values are carried in a separate JSON manifest which, once I have finished the code, will be signed with ML-DSA pure and with Ed448 pure with the context string 'DARE manifest'.
>>
>> On Tue, Aug 27, 2024 at 7:04 AM Falko Strenzke <falko.strenzke@mtg.de> wrote:
>>> Dear NIST team,
>>>
>>> in FIPS 204, Section 5.4, I read
>>>
>>> /If the content to be signed is large, hashing of the content is often performed at the application level. For example, in the Cryptographic Message Syntax [29], a digest of the content may be computed, and that digest is signed along with other attributes. If the content is not hashed at the application level, the pre-hash version of ML-DSA signing may be used./
>>>
>>> How is the last sentence to be understood? If the content is not hashed at the application level, that sounds to me as if it can be fed into the pure signature generation or verification routine directly. After all, ML-DSA signature generation and verification is single-pass over the message, if I am not mistaken.
>>>
>>> On the contrary, my understanding of the pre-hash variant is that it is specifically for those cases where the protocol is bound to compute a hash before it can access (or decide on) the signature generation or verification function.
>>> The last sentence of the quote, however, seems to suggest that the pre-hash variant is merely a convenience function to combine the hash computation with the signature computation.
>>>
>>> Can you please clarify?
>>>
>>> Best regards,
>>> Falko
>>>
>>> --
>>> *MTG AG*
>>> Dr. Falko Strenzke
>>> Phone: +49 6151 8000 24
>>> E-Mail: falko.strenzke@mtg.de
>>> Web: mtg.de <https://www.mtg.de>
>>> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
>>> Commercial register: HRB 8901
>>> Register Court: Amtsgericht Darmstadt
>>> Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
>>> Chairman of the Supervisory Board: Dr. Thomas Milde
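The encoding difference the thread turns on, as an added example that is not from the original thread or from any implementation mentioned in it: the code builds the M' inputs that FIPS 204 specifies for pure ML-DSA (Algorithms 2/3) and for HashML-DSA (Algorithms 4/5), and replays Phillip's MD-BORKED scenario with a constructed toy "hash" whose output is simply chosen. The sample texts, the toy hash and its placeholder OID are assumptions; no real ML-DSA signing is performed, only the signed inputs are compared.

```python
import hashlib
from typing import Optional, Tuple

# DER-encoded hash OIDs as listed in FIPS 204 Section 5.4.1 for HashML-DSA.
HASH_OIDS = {
    "sha256": bytes.fromhex("0609608648016503040201"),  # 2.16.840.1.101.3.4.2.1
    "sha512": bytes.fromhex("0609608648016503040203"),  # 2.16.840.1.101.3.4.2.3
    # Constructed placeholder for Phillip's hypothetical broken hash; not a real OID.
    "md-borked": bytes.fromhex("06090a0b0c0d0e0f00010203"),
}

def _prefix(tag: int, ctx: bytes) -> bytes:
    """Domain-separation prefix shared by both variants: tag || |ctx| || ctx."""
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    return bytes([tag, len(ctx)]) + ctx

def pure_message(message: bytes, ctx: bytes = b"") -> bytes:
    """M' handed to ML-DSA.Sign/Verify (FIPS 204 Alg. 2/3): 0x00 || |ctx| || ctx || M."""
    return _prefix(0, ctx) + message

def hash_ml_dsa_message(digest: bytes, hash_name: str, ctx: bytes = b"") -> bytes:
    """M' handed to HashML-DSA.Sign/Verify (Alg. 4/5): 0x01 || |ctx| || ctx || OID || PH(M)."""
    return _prefix(1, ctx) + HASH_OIDS[hash_name] + digest

def digest_of(message: bytes, hash_name: str, chosen: Optional[bytes] = None) -> bytes:
    """Real SHA-2 digests; 'md-borked' is a toy model whose output is simply the chosen bytes."""
    if hash_name == "md-borked":
        return chosen
    return hashlib.new(hash_name, message).digest()

def digest_substitution_demo() -> Tuple[bool, bool]:
    """Signer hashes with SHA-512; a second message is paired with a different hash whose
    (toy) digest equals the original. Returns whether the signed inputs coincide for
    hash-then-pure and for HashML-DSA respectively."""
    declaration = b"Bob is hereby knighted."   # constructed sample content
    warrant = b"Bob is hereby condemned."      # constructed substitute content
    d = digest_of(declaration, "sha512")
    d_sub = digest_of(warrant, "md-borked", chosen=d)
    # Hash-then-pure: M' is built from the bare digest, so it records nothing about which hash was used.
    pure_same = pure_message(d) == pure_message(d_sub)
    # HashML-DSA: the OID is part of M', so the same digest bytes under another hash give a different M'.
    ph_same = hash_ml_dsa_message(d, "sha512") == hash_ml_dsa_message(d_sub, "md-borked")
    return pure_same, ph_same
```

The first value returned is True (the pure-mode inputs coincide, so one signature covers both documents whenever the verifier accepts the substituted hash), the second is False (HashML-DSA binds the algorithm identifier).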