Re: [openpgp] changing v5 signature salt size from 16 to 32 octets? [was: Re: lack of agenda items...]
Aron Wussler <aron@wussler.it> Fri, 04 November 2022 09:58 UTC
Return-Path: <aron@wussler.it>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38521C152708 for <openpgp@ietfa.amsl.com>; Fri, 4 Nov 2022 02:58:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wussler.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D9wci11G2raj for <openpgp@ietfa.amsl.com>; Fri, 4 Nov 2022 02:58:48 -0700 (PDT)
Received: from mail-4323.proton.ch (mail-4323.proton.ch [185.70.43.23]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFE19C14CE44 for <openpgp@ietf.org>; Fri, 4 Nov 2022 02:58:47 -0700 (PDT)
Date: Fri, 04 Nov 2022 09:58:33 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wussler.it; s=protonmail3; t=1667555923; x=1667815123; bh=h8yCoapOfvCUEwFYUo5cUgDp0crxIoHX4R5D5CJ6T+o=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=mCd8xxz16PO5t4fqVbyzEhX7Jpqd55/uWng1m807tMXFlb6Fa0lWBKYNisG6hbFkv YKBwYncRH1H/DVoquriCN7Ytk+4K64mSv560TiGPwAlY4oab2UZf7beVSX66TELViY dUQxYLXrq4r4hrUme5zzC4fvmU3E6RTr7Z4efjDDrc8Rb+jzG/V3VPaXbwPXHHZ4sk xfB/kEg+b3+zp/cPzzvqFONPzejsjZavZmbhEeHU14UeA5AVqI2ds303UmuNFhcxq1 RLT2nksfD6LEsRGuLnL9iMpziSPDeGVDzdEi+bhjSl2sE5dZG3ZWdmg3tY8y/CZqRL Utrg+gfvzTQqg==
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
From: Aron Wussler <aron@wussler.it>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
Message-ID: <y8wQdD01KuMlhISMcLGLRcsSfMPywmbJ6WOy6pusfFyQMeu5La0v7Ktx8IrNE30mH5I4wmw0Ku2biM_5XX8xzDLzqDP9jmYA31YdeTwIgis=@wussler.it>
In-Reply-To: <87h6zfh3gy.fsf@fifthhorseman.net>
References: <c859b8da-5fd6-297b-f30b-39805e3e3cad@cs.tcd.ie> <zPFgkVQD9vD3X99PVOEYp0NHQ1n8hl8mNdLgokPv_O1V7p8y4jgM6jKz0GFIix97At_foVxj-pWdKf3h-KWzEWqFhTGLiCUgrYKzJ7zM2HQ=@wussler.it> <87h6zfh3gy.fsf@fifthhorseman.net>
Feedback-ID: 10883271:user:proton
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------9aa8423245e5cd2747d25b34c78adb1b22d5c35d9f44c12e93597ffa7ed5c4b3"; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/_adDwMiGpllZeU2OcmFxjiFuHL4>
Subject: Re: [openpgp] changing v5 signature salt size from 16 to 32 octets? [was: Re: lack of agenda items...]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2022 09:58:53 -0000
Hi dkg, hi all, > Are there any size concerns worth considering here? I agree, generally I don't like the idea of increasing size for everyone, especially when it's not needed. Compact signatures like Ed25519 will definitely be affected from this change. This is a trade-off between simple design (fixed size - but larger) or on-wire efficiency. > > (2) it is possible to bind the salt size to the hash function. > Is it the hash function that is relevant here or is it the public key > signature function? IMO here it's the hash function specifically. Given a weak hash function that still provides second preimage-resistance but not collision resistance an attacker can not craft a plaintext such that its signature will match another message. Furthermore the algorithm ID unfortunately does not univocally identify the strength of the algorithm. RSA could be 2K or 8K, EdDSA may be Ed25519 or Ed448, ... Therefore, I would bind it to the hash function. Generally speaking hashing with SHA-512 and then producing a signature with Ed25519 will make the curve the weak link. > I understand that SPHINCS+ is itself hash-based, so perhaps this is > getting too far into the PQC discussion, but can you give the WG a > summary of how you think binding the salt size to the hash function > would work? I would imagine to change the following notes [1], [2] to a fixed-size octet string that depends on the hash algorithm ID, and add a reference to the table at 9.5. In section 9.5 [3] I would add a column "Salt size" with 16 octets for all 256 bits or lower hashes, 24 octets for 384 bits hashes, and 32 octets for 512 bits hashes. OpenPGP has the requirement of hashing the message before signing, for instance already now without PQC in EdDSA we follow this paradigm (be it streaming, or how "things are done") This expands the attack surface, because a collision on the hash means a valid signature. The crypto-refresh addresses this by adding salted signing, and we'd like to leverage this to maintain the security proofs in Dilithium and SPHINCS+ because, similarly to EdDSA, both algorithms expect the full data to be passed there, not just the hash of the data. The change we're proposing would be independent of PQC crypto, even though it has its roots in SPHINCS+. It would allow us to reuse the decision done from the authors of SPHINCS+ of hashing a random string of variable length n (see section 6.4 and table 3 and in [4]), therefore maintaining the security proof at the same level even with the OpenPGP construction. Finally, being this an online attack, I acknowledge that 16 bytes will be sufficient for most uses, but would mean a degradation of security in certain contexts, for instance when signing using SPHINCS+-192 or SPHINCS+-256 and expecting the full security of the algorithm. Cheers, Aron [1] https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.4-3.5 [2] https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.2.3-2.10 [3] https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-9.5 [4] https://sphincs.org/data/sphincs+-r3.1-specification.pdf -- Aron Wussler Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930 ------- Original Message ------- On Friday, November 4th, 2022 at 03:13, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > On Thu 2022-11-03 08:32:00 +0000, Aron Wussler wrote: > > > In v5 we added a 16-byte random salt prefixing the data when hashing for signature, great idea because if it's unpredictable it can prevent collision attacks. > > > > In SPHINCS+ this is also similarly done in the construction, but it has a variable size depending on the hash output size. > > > > To make randomized hashing coherent with PQC signature schemes I'd like to ask if > > > > (1) it is possible to extend the field to 32 bytes to match other constructions, > > > Are there any size concerns worth considering here? > > The salt needs to be represented in a few different contexts: > > - in the one-pass signature packet > - in the SaltedHash Armor header for a (LIT SIG)-style signed > message (non-one-pass), and probably > - in some sort of RFC 3156-style parameter to enable one-pass > validation of a signed e-mail message. > > base64-encoding the 32-byte value will bring this to 43 characters. > > That would make the SaltedHash: armor header 43+13+8 = 64 characters > long, like so: > > SaltedHash: SHA3-256:9haH8LirCmteTImei9GQtIHMgJ26zM/uPAoiZepB4cw > > That's not implausible for messages of already moderate size, though it > does double the size of the signature itself for small-signature formats > like ed25519. > > I should add a note of historical caution about including too much > gratuitous randomness. tls-extended-random [0] has not aged well [1]. > > [0] https://datatracker.ietf.org/doc/html/draft-rescorla-tls-extended-random > [1] https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/ > > The crypto-refresh revision to RFC 4880 does caution about this in the > "Random Number Generation and Seeding" section. It might be worth > including pointers to that section in the section where we talk about > salts for v5 signatures. > > > (2) it is possible to bind the salt size to the hash function. > > > Is it the hash function that is relevant here or is it the public key > signature function? From OpenPGP's perspective, the message is hashed, > and the hash is signed. In the OPS packet, there is an explicit > indication of the public key algorithm used. What if we were to tie the > salt size to the public key algorithm, perhaps by adding a column to > Public-key algorithm registry indicating "v5 signature salt size"? > > I understand that SPHINCS+ is itself hash-based, so perhaps this is > getting too far into the PQC discussion, but can you give the WG a > summary of how you think binding the salt size to the hash function > would work? Are you suggesting that the salt should be (for example) > the size of the hash used? That would make the SaltedHash header long > enough to potentially cause linewraps when, say, SHA2-512 or SHA3-512 is > in use. > > --dkg > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp
- [openpgp] lack of agenda items... Stephen Farrell
- Re: [openpgp] lack of agenda items... Daniel Huigens
- Re: [openpgp] lack of agenda items... Vincent Breitmoser
- Re: [openpgp] lack of agenda items... Stephen Farrell
- Re: [openpgp] lack of agenda items... Neal H. Walfield
- Re: [openpgp] lack of agenda items... Aron Wussler
- Re: [openpgp] lack of agenda items... Stephen Farrell
- [openpgp] changing v5 signature salt size from 16… Daniel Kahn Gillmor
- Re: [openpgp] lack of agenda items... Neal H. Walfield
- Re: [openpgp] changing v5 signature salt size fro… Aron Wussler
- Re: [openpgp] changing v5 signature salt size fro… Andreas Hülsing
- Re: [openpgp] changing v5 signature salt size fro… Steffen Nurpmeso