[openpgp] Re: Fwd: [pqc-forum] Question regarding pure vs. pre-hash ML-DSA
"David A. Cooper" <david.cooper@nist.gov> Thu, 29 August 2024 19:06 UTC
Return-Path: <david.cooper@nist.gov>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15722C14F6FA for <openpgp@ietfa.amsl.com>; Thu, 29 Aug 2024 12:06:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.706
X-Spam-Level:
X-Spam-Status: No, score=-2.706 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.453, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id snjT0gvJR5AU for <openpgp@ietfa.amsl.com>; Thu, 29 Aug 2024 12:05:58 -0700 (PDT)
Received: from SA9PR09CU002.outbound.protection.outlook.com (mail-southcentralusazon11010003.outbound.protection.outlook.com [40.93.193.3]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4012C14F6E9 for <openpgp@ietf.org>; Thu, 29 Aug 2024 12:05:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=pXT6pn8UzPLHekWmbg4ksUzKEtUIbk/DUF10XI2LCfVsjkmuldLixjO9/s70/tCxPVdwFYb+q4kPkLQzpcQzp6WKt+7wVd0NwX79WO5XMcsebWmzWdKRwpIiCVRsFXZ/nAPF6puMEYPxWazyr0DV3nT09otz6ihgqZRvwAGFgIwR6yrB4UQXWULBWQr4OQ8n7UkCjNl16600n/gugf1uxWFr5Lx5kgLtz7ZfQdHLBLAWGsSLiTbau+AuUYA15Ig66rMmX0Rb4+0TAhdEsO1dgMe0o5hPa/0f42gZRim5cKy2w2ijDGrs9E+UrNdxVhrU+AlI2ZKEKxpN3NrQGFVxoQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2ETrYC7w1yevi2hX6xGP/58QMnKrXbby52NV73+gyRA=; b=XQ5x8wYWOIhOlJmwDy9oTBvFfeVy9a9Taix3+zphR6zH1Uzu7bdQ5+h72b6tttARUqAkyl9VhoqMNPgDnXLp3DfIGDqprVYyGzxKUUrZIIU3Li4qTK/tVpWTNN4LOVsamsjGGyn94Bvsl8TIVEiftl0Zq5n7h7BHfjkdjolMAczYwjZL6K9L4B19Y7CT7ZVh0KXQP8HH54ZZ1ZQK1fWqibRAfmwqhjf48aFoeI4YjB7UBcnT4W16wHcggjeihbgLyad6z2FfxwWtrO/IJzClJ6SM7c70bqa8ihnpjeSOiJPK2ECEhv6Ag653FysrY8Ec6CNrZI6+TU8S1FsiqrkQIA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 129.6.16.77) smtp.rcpttodomain=ietf.org smtp.mailfrom=nist.gov; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nist.gov; dkim=none (message not signed); arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2ETrYC7w1yevi2hX6xGP/58QMnKrXbby52NV73+gyRA=; b=DYUuWUc9Lu+8rlyKPOZPN7wuy7kZE3HPTwsFdbJxJZMOXipi8cdmINSJ+hjjjY9FYGGwLhJk126yoGNy+BetDDoFeZNspte9+p+iHtTda/5L3mxQlBx+ir5P319R7YVFafQ0gAHUQBpAA3O70s2ormJ4z56eEjzWz2mG0dn5ME2JQbRw1HdGNMwbkWY+GIxl497yKw6r4zT+ggCPR8bXJG7UZnbcrISxZnVz03auuJjsX7bY2ldrv0JNDM38dFokRcTSM8BNAnLCiLRzWf7ZAoCH41yDIMPq6sCOmVlwWezuCseSCC2bUj/YBqSkFOZMOgyt3gUsj1lfusDWS6x5jw==
Received: from DM6PR09CA0030.namprd09.prod.outlook.com (2603:10b6:5:160::43) by SA1PR09MB10441.namprd09.prod.outlook.com (2603:10b6:806:362::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7918.20; Thu, 29 Aug 2024 19:05:55 +0000
Received: from BL02EPF0001B419.namprd09.prod.outlook.com (2603:10b6:5:160:cafe::e3) by DM6PR09CA0030.outlook.office365.com (2603:10b6:5:160::43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7918.20 via Frontend Transport; Thu, 29 Aug 2024 19:05:54 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 129.6.16.77) smtp.mailfrom=nist.gov; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nist.gov;
Received-SPF: Pass (protection.outlook.com: domain of nist.gov designates 129.6.16.77 as permitted sender) receiver=protection.outlook.com; client-ip=129.6.16.77; helo=smtp2.nist.gov; pr=C
Received: from smtp2.nist.gov (129.6.16.77) by BL02EPF0001B419.mail.protection.outlook.com (10.167.242.198) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7918.13 via Frontend Transport; Thu, 29 Aug 2024 19:05:54 +0000
Received: from [132.163.219.14] ([132.163.219.14]) by smtp2.nist.gov with Microsoft SMTPSVC(10.0.14393.4169); Thu, 29 Aug 2024 15:05:54 -0400
Content-Type: multipart/alternative; boundary="------------JBihBOXGtRYGfRpPUoCINM74"
Message-ID: <d9b5779c-d5f4-4d42-b102-85b81704c130@nist.gov>
Date: Thu, 29 Aug 2024 12:05:53 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Falko Strenzke <falko.strenzke@mtg.de>
References: <0555d567-e161-488f-a4eb-30a015f8c0d0@mtg.de> <9f26a754-0268-4fc7-abcc-7eeebe38eb88@mtg.de>
Content-Language: en-US
From: "David A. Cooper" <david.cooper@nist.gov>
In-Reply-To: <9f26a754-0268-4fc7-abcc-7eeebe38eb88@mtg.de>
X-OriginalArrivalTime: 29 Aug 2024 19:05:54.0385 (UTC) FILETIME=[78E61410:01DAFA46]
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BL02EPF0001B419:EE_|SA1PR09MB10441:EE_
X-MS-Office365-Filtering-Correlation-Id: 54fb9834-df3e-4262-f4c9-08dcc85d9b94
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|36860700013|4022899009|1800799024|82310400026;
X-Microsoft-Antispam-Message-Info: r1GSOn+vzn4fh5nKEc5O+VhT+Db+VjlBvW02GzL66Gi+25t5CN8vF4kqPrxvFxARvQBacj2Bmz+TotPNnZRBERFxAXxUEulTL51LBgxC053YVkjzlHcoeqe9fucZmbSU9f+WcZP6POd8fsH/KTvZsCKDG6MZO+p7W7YoFKUWZzCRDoUVdN8Heky1bXYs1XRKTvEGE7UwRoRlgiyUzozRiV4+KNNkTfD95apTPBdQMfw3AVFaoXDz8dLp04TRvk4EyEjur4qfwY8fiLvXaKCD9SS2djHwy9ovifeT8XmcdOyJx9StmrdGS1Jaug9KcuknJmJUIOyE4FMRykJNycIovU/aEWrdngOXsOvxN0rxJ0HA0dE2MIsOWgV8oXO9qfsddl2os+suGe6fOwzfj1kzzDdbEkInDj6fQ/SfG09KLA7PPy9PqRQK+rRF9r1S1YJ3l2K0qcZLWqM+mgIAyfziPqyP1VlZbx+3DK3l0I4rkqVVCKuDIP/Fluzvcr9tJHql70gu9cR8GKVqbIgzeHNXrk82PzhzhnMFYeHMAW3r5ziLkMUuFCUHPzISYUFgB4lDdCnL5tACrmPQZ4Yi0CTOPXbWZF2LDplYioIWVkB32cThQSmyNXS1PvcDtxEicgcSVUgD6pFaILXjRZ3/uE4abgv/PJ4Kbt+/XwjvlzC+g+WWxIJgxZpOjjrqBWRrpo48FpdUiyTy4ZtRO7bD2KtIIkYwDA7j2X7UdpghWULALD1JqgRpLRqwwHplGt03QorR5GbSnzXks1i2FbTMgl0WDjoGbou/admQl2XZ33K9eWAr2qHluTWQALtS0bAe41Qlo2eBPmiQQf+BM4emI5SHoYVEKgu9P+3yLpILwJCSvammM3hT5p1dAkJb3dJfWhztS6ruF5ZHsfn+cmwuZDfhSs0lCBYksoWZvBQko6yMy0OoZZdf3m4sdq9ikVPLriQEzueEP1ox2D66WAML0RlyX9R5Gk8G70vP2pmHZYeu+4iwUtM/8UppVQI6i4cdPVAyODdtuvSYHKUwRpQKz/Ji/25WCLdnVtKSDcRWgXixK0v+wPXxdKHwmNUhdrLnAAORzgwbw5gKf/MSqyGjEVblW5XVtXTnUHCCq6dNc2N3q2SInw7w80CM8YZRnTJaRRqN4CJShPgFDe8RxYMbJfOSaB0LMIPJ46ogsxwt2k14jzAPbbhz/s8DkRPRo9DSzM4gXwWa8CznpwmX4eW/2qNSwlJCSZaxnXC4PQIkfC9Xn8lARuwuO++mQHBD6WXsZtWHs4Ih/VCk/O/XburdaXA1pDYKsi4gkUpx4x93zr1rZku2n/MrTCUJqyq6MNnPubikP6VwmdN1O0O7p9sxMC20IiY80Zy8Ez6M/Iey2NdA2prrKuLA+WXFLA93F4OF04uZ
X-Forefront-Antispam-Report: CIP:129.6.16.77;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:smtp2.nist.gov;PTR:smtp2.nist.gov;CAT:NONE;SFS:(13230040)(36860700013)(4022899009)(1800799024)(82310400026);DIR:OUT;SFP:1101;
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Aug 2024 19:05:54.7512 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 54fb9834-df3e-4262-f4c9-08dcc85d9b94
X-MS-Exchange-CrossTenant-Id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=2ab5d82f-d8fa-4797-a93e-054655c61dec;Ip=[129.6.16.77];Helo=[smtp2.nist.gov]
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: TreatMessagesAsInternal-BL02EPF0001B419.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR09MB10441
Message-ID-Hash: AQWZ5A7GHOKR74MOO2PL573AT7GYF24M
X-Message-ID-Hash: AQWZ5A7GHOKR74MOO2PL573AT7GYF24M
X-MailFrom: david.cooper@nist.gov
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: pqc-forum <pqc-forum@list.nist.gov>, "openpgp@ietf.org" <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: Fwd: [pqc-forum] Question regarding pure vs. pre-hash ML-DSA
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/WTc-wmxdfeWlNYYqyU68guWY8DE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hello Falko, The text in Section 5.4 of FIPS 204 and Section 10.2 of FIPS 205 just attempts to explain the reason that both "pure" and "pre-hash" versions. I'm not familiar with OpenPGP, but it seems like this is a case where either version could be used. From my reading of Section 5.2.4 of RFC 9580, the content that is signed is what is referred to as a trailer. In the case of RSA and ECDSA, the trailer is signed directly. The text may describe hashing the trailer first and then generating a signature from that hash, but the result is the same as just signing the trailer. Section 6.1.1 of https://www.ietf.org/archive/id/draft-ehlen-openpgp-nist-bp-comp-00.html notes that an ECDSA signature is created by computing a hash of M and then performing ECDSA.Sign() on that hash, but "excluding Step 1: H = Hash(M) in [the FIPS 186-5 ECDSA] algorithm specification." So, the result is the same as signing M with ECDSA using the specified hash algorithm. The description for RSA in RFC 9580 is essentially the same. With EdDSA, however, Section 12.7 of RFC 9580 states to use PureEdDSA to sign the hash of the trailer. So, unlike with RSA and ECDSA, from the signature algorithm's point of view it is the hash of the trailer that is signed. HashEdDSA could have been used to sign the trailer, but that was not the decision that was made. (Perhaps the reason is that with HashEdDSA, RFC 8032 would have dictated which hash function to use.) With ML-DSA and SLH-DSA, you could either create a pre-hash signature of the trailer (which would align with how RSA and ECDSA work in RFC 9580) or a pure signature of the hash of the trailer (which would align with how EdDSA works in RFC 9580). Phillip noted that the pre-hash version signs the identifier of the hash function, preventing a potential hash algorithm substitution attack. However, the trailer seems to already include an identifier for the hash function, so a pure signature of the hash of the trailer would already be protected from such an attack. On 8/29/24 1:08 AM, Falko Strenzke wrote: > > Hi Dustin, > > > in that case let me formulate the most relevant question that we are > facing in OpenPGP currently, that was my main motivation for > understanding the quoted paragraphs: > > > OpenPGP is committed to the hash-and-sign paradigm. RFC 9580, the > current specification, throughout describes how data is first hashed > and then signed. When introducing ML-DSA and SLH-DSA to OpenPGP, we > are bound to this approach. The question now is: In such a case, is it > a NIST approved solution, to use the pure variants of both PQC schemes > to sign the hash value? > > > Best regards, > Falko > > > Am 28.08.24 um 18:00 schrieb Moody, Dustin (Fed): >> Falko, >> >> We're trying to answer your question, but we don't quite get the >> point you're making, which makes it hard to respond. Can you try >> explaining it to me again, as clearly as possible so we understand? >> The text seems pretty straightforward to us. >> >> Dustin >> >> >> ------------------------------------------------------------------------ >> *From:* pqc-forum@list.nist.gov on behalf of Falko Strenzke >> *Sent:* Wednesday, August 28, 2024 12:41 AM >> *To:* Phillip Hallam-Baker >> *Cc:* pqc-forum >> *Subject:* Re: [pqc-forum] Question regarding pure vs. pre-hash ML-DSA >> >> Thanks for the pointer. If I see it correctly you are suggesting a >> pre-image attack on a hash algorithm that is accepted by the >> recipient. Pre-image attacks are not a known threat for any hash >> algorithm still potentially in use, not even MD5, as far as I know, >> but it's certainly a valid concern to hedge against this possibility. >> This would be the reason why the pre-hash variant hashes the hash OID >> internally. This is all the more showing how important correct use of >> the two variants is and is thus reinforcing my question. >> >> My question to NIST actually isn't about technical matters regarding >> the security properties of hash algorithms, I am asking how NIST >> intends the quoted text is to be understood that is part of their >> guidance on using the pre-hash variant. >> >> The meaning of the sentence following in the next paragraph is also >> not clear to me: "/In order to maintain the same level of security >> strength when the content is hashed at the application level or using >> HashML-DSA [...]/" This seems to suggest that the content may be >> hashed at the application level and then the hash signed with the >> pure variant. (That is implied by the "or" connecting the two >> clauses.) Possibly here it is referred to a case like that of CMS >> where the signedAttrs may be signed and where the message digest is >> contained in that object. But I think that doesn't become clear. My >> recent experience in a discussion is that this paragraph can be >> understood to counter the clear statement at the beginning of section >> 5.4: >> >> /For some use cases, this may be addressed by signing a digest of the >> message along with some domain separation information rather than >> signing the message directly. This version of ML-DSA is known as >> “pre-hash” ML-DSA or HashML-DSA./ >> >> Best regards, >> Falko >> >> Am 27.08.24 um 17:29 schrieb Phillip Hallam-Baker: >> >> You can indeed pass the digest directly into pure. The issue >> being that it is unsafe to do so, an attacker can perform a >> digest substitution attack on it. >> >> Consider the case where the application supports a hash which has >> been broken to the extent that they can create any digest output >> they like - MD-BORKED >> >> Queen Alice decides to knight Bob, writes out a declaration to >> that effect, hashes it with SHA-2-512 and posts it to the gazette. >> >> Mallet takes the signature, writes out a death warrant for Bob >> and uses the MD-BORKED manipulation code to create a digest that >> matches that of the original message. Instead of arriving to find >> the Queen holding a sword to confer the accolade, Bob finds the >> headsman holding an axe. >> >> >> That is why it is always necessary to bind the digest type into >> the signature if a pre-hash is used. >> >> Pure should only be used on the message content itself or on a >> manifest structure which includes the digest value. >> >> So for example, a DARE signature on a chunk appended to a >> sequence typically contains the following information: >> >> * Digest algorithm used to digest the content >> * Digest value over the content >> * Digest algorithm used to create the Merkle Tree >> * Apex value of the Merkle tree >> * Witness value showing demonstrating the signer knew the >> encryption key >> * Application context identifier >> >> Those values are carried in a separate JSON manifest which once I >> have finished the code will be signed with ML-DSA pure and with >> Ed448 pure with the context string 'DARE manifest'. >> >> >> >> On Tue, Aug 27, 2024 at 7:04 AM Falko Strenzke >> <falko.strenzke@mtg.de <mailto:falko.strenzke@mtg.de>> wrote: >> >> Dear NIST team, >> >> in FIPS 204, Section 5.4, I read >> >> /If the content to be signed is large, hashing of the content >> is often performed at the application level. >> For example, in the Cryptographic Message Syntax [29 ], a >> digest of the content may be computed, and >> that digest is signed along with other attributes. If the >> content is not hashed at the application level, the >> pre-hash version of ML-DSA signing may be used./ >> >> How is the last sentence to be understood? If the content is >> not hashed at the application level, that sounds to me as if >> it can be fed into the pure signature generation or >> verification routine directly. After all, ML-DSA signature >> generation and verification is single-pass over the message, >> if I am not mistaken. >> >> On the contrary, my understanding of the pre-hash variant is >> that it is specifically for those cases, where the protocol >> is bound to compute a hash before it can access (or decide >> on) the signature generation or verification function. The >> last sentence of the quote, however, seems to suggest that >> the pre-hash variant is merely a convenience function to >> combine the hash computation with the signature computation. >> >> Can you please clarify? >> >> Best regards, >> Falko >> >> -- >> >> *MTG AG* >> Dr. Falko Strenzke >> >> Phone: >> +49 6151 8000 24 >> E-Mail: >> falko.strenzke@mtg.de <mailto:falko.strenzke@mtg.de> >> Web: >> mtg.de >> <https://www.mtg.de/> >> Follow us >> ------------------------------------------------------------------------ >> >> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany >> Commercial register: HRB 8901 >> Register Court: Amtsgericht Darmstadt >> Management Board: Jürgen Ruf (CEO), Tamer Kemeröz >> Chairman of the Supervisory Board: Dr. Thomas Milde >> >> This email may contain confidential and/or privileged >> information. If you are not the correct recipient or have >> received this email in error, >> please inform the sender immediately and delete this >> email.Unauthorised copying or distribution of this email is >> not permitted. >> >> Data protection information: Privacy policy >> <https://www.mtg.de/en/privacy-policy> >> >> -- >> You received this message because you are subscribed to the >> Google Groups "pqc-forum" group. >> To unsubscribe from this group and stop receiving emails from >> it, send an email to pqc-forum+unsubscribe@list.nist.gov >> <mailto:pqc-forum+unsubscribe@list.nist.gov>. >> To view this discussion on the web visit >> https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/e619b550-178a-4816-8605-8ffb3d0e9c06%40mtg.de >> <https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/e619b550-178a-4816-8605-8ffb3d0e9c06%40mtg.de?utm_medium=email&utm_source=footer>. >> >>
- [openpgp] Fwd: [pqc-forum] Question regarding pur… Falko Strenzke
- [openpgp] Re: Fwd: [pqc-forum] Question regarding… David A. Cooper
- [openpgp] Re: Fwd: [pqc-forum] Question regarding… Falko Strenzke
- [openpgp] Re: Fwd: [pqc-forum] Question regarding… Simo Sorce
- [openpgp] Re: Fwd: [pqc-forum] Question regarding… David A. Cooper
- [openpgp] Re: Fwd: [pqc-forum] Question regarding… Daniel Huigens
- [openpgp] Re: Fwd: [pqc-forum] Question regarding… Simo Sorce