Re: [openpgp] Disadvantages of Salted Signatures

"Neal H. Walfield" <> Mon, 11 December 2023 09:15 UTC


On Sat, 09 Dec 2023 10:04:14 +0100,
Stephan Verbücheln wrote:
> In section 13.2. (Advantages of Salted Signatures) of the draft 
> draft-ietf-openpgp-crypto-refresh-12, there are two motivations
> mentioned for salted signatures.
> The first is resistance to hash collision attacks with reference to
> "SHA-1 Is A Shambles". This analysis seems to be plain wrong. I do not
> see how the salt would make collision attacks any harder, let alone
> raise the cost to second-preimage levels.

I re-reviewed the SHA-1 is a Shambles paper.  For those following
along, it is available here:

I'm confused as to why you think a salt wouldn't help prevent this.

As I understand it, the Shambles attack is a chosen-prefix attack.
From section 6:

  We recall that a chosen-prefix collision attack works as follows:
  given two arbitrary prefixes P and P′, an attacker can generate two
  messages M and M′ such that H(P ‖ M) = H(P′ ‖ M′).

The scenario is: the attacker finds two, carefully crafted prefixes
that collide.  One appears to be benign, and the other is malicious.
The attacker convinces the victim to sign the benign text, and then
transfers the signature to the malicious text.  From Section 1.1:

  The chosen prefixes correspond to headers of two PGP identity
  certificates with keys of different sizes, an RSA-8192 key and an
  RSA-6144 key. By exploiting properties of the OpenPGP and JPEG
  format, we can create two public keys (and their corresponding
  private keys): key A with the victim name, and key B with the
  attacker name and picture, such that the identity certificate
  containing the attacker key and picture leads to the same SHA-1 hash
  as the identity certificate containing the victim key and
  name. Therefore, the attacker can request a signature of his key and
  picture from a third party (from the Web of Trust or from a CA) and
  transfer the signature to key A. The signature stays valid because
  of the collision, while the attacker controls key A with the name of
  the victim, and signed by the third party. Therefore, he can
  impersonate the victim and sign any document in her name.

This attack is possible due to the structure of a PGP signature; the
attacker is able to choose the prefix that the victim signs.  This is
illustrated in Figure 8 of the paper: the attacker controls a huge
part of the prefix.

Wouldn't this attack fail if the victim prepended a salt to the data
that they sign?  Then the attacker wouldn't be able to choose the
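The scenario discussed in this message, as an added worked example that is not part of the thread: a Python model in which the "weak hash" is SHA-256 truncated to 32 bits (a constructed stand-in, so a chosen-prefix collision can be found by birthday search in about a second), the attacker commits to two colliding documents, and the signer then prepends a salt of its own choosing. The document contents, the salt, and all function names are assumptions made for the demonstration.

```python
import hashlib
import os
from typing import Optional

TAG_BYTES = 4  # constructed: 32-bit hash, weak enough to collide on a laptop

def weak_hash(data: bytes) -> bytes:
    """Stand-in for a collision-weak hash: SHA-256 truncated to 32 bits."""
    return hashlib.sha256(data).digest()[:TAG_BYTES]

def chosen_prefix_collision(p1: bytes, p2: bytes, budget: int = 1 << 19):
    """Attacker's step: both prefixes are fixed in advance; birthday-search
    for M1, M2 with weak_hash(p1 + M1) == weak_hash(p2 + M2)."""
    seen = {}
    for i in range(budget):
        m1 = i.to_bytes(4, "big")
        seen[weak_hash(p1 + m1)] = m1
    for i in range(budget):
        m2 = i.to_bytes(4, "big")
        h = weak_hash(p2 + m2)
        if h in seen:
            return seen[h], m2
    raise RuntimeError("no collision within budget")

def sign(data: bytes) -> bytes:
    """Toy signature: the digest itself, since the real public-key operation
    covers only the digest, so colliding documents share one signature."""
    return weak_hash(data)

def sign_salted(data: bytes, salt: Optional[bytes] = None):
    """Signer prepends a salt it picked itself, after the attacker committed."""
    salt = os.urandom(16) if salt is None else salt
    return salt, weak_hash(salt + data)

def run_scenario(salt: bytes = b"\x00" * 16) -> dict:
    """Does the signature on the benign document transfer to the malicious one?
    The two documents are constructed stand-ins for the paper's certificates."""
    benign = b"cert: uid=attacker picture=cat.jpg "
    malicious = b"cert: uid=victim "
    m1, m2 = chosen_prefix_collision(benign, malicious)
    doc_signed, doc_forged = benign + m1, malicious + m2
    sig = sign(doc_signed)                      # third party signs the benign document
    salt, ssig = sign_salted(doc_signed, salt)  # same, with a signer-chosen salt
    return {
        "collision": doc_signed != doc_forged and weak_hash(doc_signed) == weak_hash(doc_forged),
        "unsalted_transfer": sign(doc_forged) == sig,
        "salted_transfer": weak_hash(salt + doc_forged) == ssig,
    }
```

The protection depends on the salt being unknown to the attacker at the time the two prefixes are chosen, which is why it is the signer, not the requester, who picks it. Note that this output-truncated model does not reproduce the Merkle-Damgård property that a collision between equal-length inputs survives any common suffix, which is the reason the real salt must be prepended rather than appended.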