Re: [openpgp] changing v5 signature salt size from 16 to 32 octets? [was: Re: lack of agenda items...]
Andreas Hülsing <ietf@huelsing.net> Fri, 04 November 2022 10:53 UTC
Return-Path: <ietf@huelsing.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CF9BC14CF00 for <openpgp@ietfa.amsl.com>; Fri, 4 Nov 2022 03:53:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=huelsing.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5pPPsMCstV5s for <openpgp@ietfa.amsl.com>; Fri, 4 Nov 2022 03:53:03 -0700 (PDT)
Received: from www363.your-server.de (www363.your-server.de [78.46.179.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 452E1C14CF16 for <openpgp@ietf.org>; Fri, 4 Nov 2022 03:53:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=huelsing.net; s=default2007; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:From:References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID; bh=/OFJ4psHPgqRDmyfbuOrCQuRc1xvs/fCTTdpnq92c/s=; b=SIARv4Kli6xTaE/lI7JMCi4TTD vF5s/rTZCqYuyXN2W4/+Ooy4rj5zESDhUANlX6uHwmpxoGL0QwQWvUT9Gn+SwjvU4oPOeQzo+PPpV k3ng3inJPR04l+OO5a19KP9KsG4OI10Mo2kNS4o1+AGeX0cqIpfMtq1fXZIMEVJl9dLvn+hjwF7Px oNzS0kmxqERZo6Qwn5omcEohwP2ixmSxIMGdyDsiqvvcJnPIojYLtBP/MBGSTjN6bL/ED5ntvbvLq +pm2rtU83lUehhvhcSVQjBF0pBJJ6UzLiTkdlYuW4izSNUNsRFAymGOfX6J4pZ5/z9QXMMHt5bxQW Bj+sf/Lg==;
Received: from sslproxy06.your-server.de ([78.46.172.3]) by www363.your-server.de with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <ietf@huelsing.net>) id 1oquJn-000HtK-8K; Fri, 04 Nov 2022 11:52:58 +0100
Received: from [138.96.48.7] by sslproxy06.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <ietf@huelsing.net>) id 1oquJm-000Tof-J7; Fri, 04 Nov 2022 11:52:58 +0100
Message-ID: <7bcad887-0bd9-a88c-3dba-4302d9a22438@huelsing.net>
Date: Fri, 04 Nov 2022 11:52:58 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
Content-Language: en-US
To: Aron Wussler <aron@wussler.it>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
References: <c859b8da-5fd6-297b-f30b-39805e3e3cad@cs.tcd.ie> <zPFgkVQD9vD3X99PVOEYp0NHQ1n8hl8mNdLgokPv_O1V7p8y4jgM6jKz0GFIix97At_foVxj-pWdKf3h-KWzEWqFhTGLiCUgrYKzJ7zM2HQ=@wussler.it> <87h6zfh3gy.fsf@fifthhorseman.net> <y8wQdD01KuMlhISMcLGLRcsSfMPywmbJ6WOy6pusfFyQMeu5La0v7Ktx8IrNE30mH5I4wmw0Ku2biM_5XX8xzDLzqDP9jmYA31YdeTwIgis=@wussler.it>
From: Andreas Hülsing <ietf@huelsing.net>
In-Reply-To: <y8wQdD01KuMlhISMcLGLRcsSfMPywmbJ6WOy6pusfFyQMeu5La0v7Ktx8IrNE30mH5I4wmw0Ku2biM_5XX8xzDLzqDP9jmYA31YdeTwIgis=@wussler.it>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: ietf@huelsing.net
X-Virus-Scanned: Clear (ClamAV 0.103.7/26710/Fri Nov 4 08:53:05 2022)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/l_DMs2LJz4ziymVOB1piBolmxhY>
Subject: Re: [openpgp] changing v5 signature salt size from 16 to 32 octets? [was: Re: lack of agenda items...]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2022 10:53:08 -0000
Hi all, To give a bit of context why the SPHINCS+ team did this and I still consider this a very good idea also in OpenPGP: The attacks on SHA1 have demonstrated that collision attacks are also in practice significantly easier than (second-)preimage attacks (not only in absolute cost but in a "getting better than the generic attack"-sense). This is something theory has predicted in some sense for a long time -> you cannot build a collision resistant hash function from every one-way or second-preimage resistant hash function. This seems to be a good reason to avoid collision resistance as an assumption. Including an unpredictable salt in the hash input (for MD-based hashes this value has to be included as prefix) avoids collision attacks up to "guessing the prefix". In consequence, you want to make this salt the length of the security parameter. For SPHINCS+ this is the output length of the used hash functions. For other schemes it is the bit security, i.e., 128 bit for a 256 bit curve scheme like Ed25519. Best wishes, Andreas On 04-11-2022 10:58, Aron Wussler wrote: > Hi dkg, hi all, > >> Are there any size concerns worth considering here? > I agree, generally I don't like the idea of increasing size for everyone, especially when it's not needed. Compact signatures like Ed25519 will definitely be affected from this change. > This is a trade-off between simple design (fixed size - but larger) or on-wire efficiency. > >>> (2) it is possible to bind the salt size to the hash function. >> Is it the hash function that is relevant here or is it the public key >> signature function? > IMO here it's the hash function specifically. Given a weak hash function that still provides second preimage-resistance but not collision resistance an attacker can not craft a plaintext such that its signature will match another message. > Furthermore the algorithm ID unfortunately does not univocally identify the strength of the algorithm. RSA could be 2K or 8K, EdDSA may be Ed25519 or Ed448, ... > > Therefore, I would bind it to the hash function. Generally speaking hashing with SHA-512 and then producing a signature with Ed25519 will make the curve the weak link. > >> I understand that SPHINCS+ is itself hash-based, so perhaps this is >> getting too far into the PQC discussion, but can you give the WG a >> summary of how you think binding the salt size to the hash function >> would work? > > I would imagine to change the following notes [1], [2] to a fixed-size octet string that depends on the hash algorithm ID, and add a reference to the table at 9.5. > In section 9.5 [3] I would add a column "Salt size" with 16 octets for all 256 bits or lower hashes, 24 octets for 384 bits hashes, and 32 octets for 512 bits hashes. > > OpenPGP has the requirement of hashing the message before signing, for instance already now without PQC in EdDSA we follow this paradigm (be it streaming, or how "things are done") > This expands the attack surface, because a collision on the hash means a valid signature. The crypto-refresh addresses this by adding salted signing, and we'd like to leverage this to maintain the security proofs in Dilithium and SPHINCS+ because, similarly to EdDSA, both algorithms expect the full data to be passed there, not just the hash of the data. > > The change we're proposing would be independent of PQC crypto, even though it has its roots in SPHINCS+. It would allow us to reuse the decision done from the authors of SPHINCS+ of hashing a random string of variable length n (see section 6.4 and table 3 and in [4]), therefore maintaining the security proof at the same level even with the OpenPGP construction. > > Finally, being this an online attack, I acknowledge that 16 bytes will be sufficient for most uses, but would mean a degradation of security in certain contexts, for instance when signing using SPHINCS+-192 or SPHINCS+-256 and expecting the full security of the algorithm. > > Cheers, > Aron > > > [1] https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.4-3.5 > [2] https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.2.3-2.10 > [3] https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-9.5 > [4] https://sphincs.org/data/sphincs+-r3.1-specification.pdf > > -- > Aron Wussler > Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930 > > > > ------- Original Message ------- > On Friday, November 4th, 2022 at 03:13, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > > >> On Thu 2022-11-03 08:32:00 +0000, Aron Wussler wrote: >> >>> In v5 we added a 16-byte random salt prefixing the data when hashing for signature, great idea because if it's unpredictable it can prevent collision attacks. >>> >>> In SPHINCS+ this is also similarly done in the construction, but it has a variable size depending on the hash output size. >>> >>> To make randomized hashing coherent with PQC signature schemes I'd like to ask if >>> >>> (1) it is possible to extend the field to 32 bytes to match other constructions, >> Are there any size concerns worth considering here? >> >> The salt needs to be represented in a few different contexts: >> >> - in the one-pass signature packet >> - in the SaltedHash Armor header for a (LIT SIG)-style signed >> message (non-one-pass), and probably >> - in some sort of RFC 3156-style parameter to enable one-pass >> validation of a signed e-mail message. >> >> base64-encoding the 32-byte value will bring this to 43 characters. >> >> That would make the SaltedHash: armor header 43+13+8 = 64 characters >> long, like so: >> >> SaltedHash: SHA3-256:9haH8LirCmteTImei9GQtIHMgJ26zM/uPAoiZepB4cw >> >> That's not implausible for messages of already moderate size, though it >> does double the size of the signature itself for small-signature formats >> like ed25519. >> >> I should add a note of historical caution about including too much >> gratuitous randomness. tls-extended-random [0] has not aged well [1]. >> >> [0] https://datatracker.ietf.org/doc/html/draft-rescorla-tls-extended-random >> [1] https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/ >> >> The crypto-refresh revision to RFC 4880 does caution about this in the >> "Random Number Generation and Seeding" section. It might be worth >> including pointers to that section in the section where we talk about >> salts for v5 signatures. >> >>> (2) it is possible to bind the salt size to the hash function. >> Is it the hash function that is relevant here or is it the public key >> signature function? From OpenPGP's perspective, the message is hashed, >> and the hash is signed. In the OPS packet, there is an explicit >> indication of the public key algorithm used. What if we were to tie the >> salt size to the public key algorithm, perhaps by adding a column to >> Public-key algorithm registry indicating "v5 signature salt size"? >> >> I understand that SPHINCS+ is itself hash-based, so perhaps this is >> getting too far into the PQC discussion, but can you give the WG a >> summary of how you think binding the salt size to the hash function >> would work? Are you suggesting that the salt should be (for example) >> the size of the hash used? That would make the SaltedHash header long >> enough to potentially cause linewraps when, say, SHA2-512 or SHA3-512 is >> in use. >> >> --dkg >> >> _______________________________________________ >> openpgp mailing list >> openpgp@ietf.org >> https://www.ietf.org/mailman/listinfo/openpgp >> >> _______________________________________________ >> openpgp mailing list >> openpgp@ietf.org >> https://www.ietf.org/mailman/listinfo/openpgp
- [openpgp] lack of agenda items... Stephen Farrell
- Re: [openpgp] lack of agenda items... Daniel Huigens
- Re: [openpgp] lack of agenda items... Vincent Breitmoser
- Re: [openpgp] lack of agenda items... Stephen Farrell
- Re: [openpgp] lack of agenda items... Neal H. Walfield
- Re: [openpgp] lack of agenda items... Aron Wussler
- Re: [openpgp] lack of agenda items... Stephen Farrell
- [openpgp] changing v5 signature salt size from 16… Daniel Kahn Gillmor
- Re: [openpgp] lack of agenda items... Neal H. Walfield
- Re: [openpgp] changing v5 signature salt size fro… Aron Wussler
- Re: [openpgp] changing v5 signature salt size fro… Andreas Hülsing
- Re: [openpgp] changing v5 signature salt size fro… Steffen Nurpmeso