[openpgp] Re: pure vs. pre-hash in FIPS 204 and 205

Andrew Gallagher <andrewg@andrewg.com> Thu, 29 August 2024 18:45 UTC

From: Andrew Gallagher <andrewg@andrewg.com>
Message-Id: <415A68D3-ABB5-43C0-BE9D-C2DA18D9A651@andrewg.com>
Date: Thu, 29 Aug 2024 19:44:33 +0100
In-Reply-To: <CAMm+Lwg-n8EUkb1feKUYHd1RQx6y4149LsZMg8f3eNzQqO4j+w@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <fb9f748b-2024-4de1-849a-e52880c9a241@mtg.de> <CAMm+Lwh-9yuEs7BYpsA-k9bKWZT8v7ws8BPMdtECj+DgOG6syw@mail.gmail.com> <2027BD57-D6E2-400B-9AA3-8E444FE5372A@andrewg.com> <CAMm+Lwg-n8EUkb1feKUYHd1RQx6y4149LsZMg8f3eNzQqO4j+w@mail.gmail.com>
CC: Falko Strenzke <falko.strenzke@mtg.de>, "openpgp@ietf.org" <openpgp@ietf.org>
Subject: [openpgp] Re: pure vs. pre-hash in FIPS 204 and 205
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/riG-aw3ZiAdX4HPt-TZMypGkPB8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>

On 29 Aug 2024, at 19:18, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> On Thu, Aug 29, 2024 at 1:46 PM Andrew Gallagher <andrewg@andrewg.com> wrote:
>> On 29 Aug 2024, at 17:21, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>>> 
>>> I am also committed to hash-then-encrypt. It is the structure we adopted long ago and I don't see a good argument for changing. If we have a 1TB Zip file and it already has a SHA-2-512 digest in the checksum, we want to use that, not compile another digest. And I think we should use the same approach for certificates and assertions.
>> 
>> I don’t understand this. Do you mean hash-then-sign? And if so, I’m not sure how a zipfile checksum is relevant…?
> 
> Hash then sign. If you sign the zipfile...

If you sign the zipfile in v6 you have to hash ( seed || zipfile || trailer ), so knowing the hash of the zipfile itself does not help much. In the case of v4, you hash ( zipfile || trailer ) which depending on the hash algorithm used *might* be possible via a length extension attack - but it doesn’t (shouldn’t?) work with SHA-3, for example.

> If you only want to do ML-DSA, then just use Prehash and make sure you can translate from the OpenPGP identifier to the OID. Which really isn't a huge issue as you already have to do that for RSA.

Or just use Pure and make sure that whatever you pass to it isn’t malleable. Prefix the hash to be signed with a context separation parameter?

A
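The two hash layouts Andrew contrasts above (v4: data || trailer; v6: salt || data || trailer) and the context-separation idea for pure-mode signing, written out as an added example that is not part of this thread or of any OpenPGP implementation. The trailer bytes, salt length and the context encoding are constructed placeholders, not the exact OpenPGP wire encodings; the point shown is that with a per-signature salt in front, a digest of the bare file computed earlier cannot be reused, and that a context prefix makes the same digest produce different signed messages for different purposes.

```python
import hashlib
import os

# Hash algorithms an implementation might select. The SHA-2 members are
# Merkle-Damgard constructions (length-extendable); the SHA-3 members are
# sponge constructions (not length-extendable).
HASHES = {
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
    "sha3_256": hashlib.sha3_256,
    "sha3_512": hashlib.sha3_512,
}


def _chunks(data: bytes, size: int = 4096):
    """Yield data in fixed-size pieces, as a signer streaming a large file would."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def one_shot_digest(algo: str, blob: bytes) -> bytes:
    """Reference digest of a complete byte string (used to cross-check streaming)."""
    return HASHES[algo](blob).digest()


def v4_signature_digest(algo: str, data: bytes, trailer: bytes) -> bytes:
    """v4 layout: hash( data || trailer ). Only the trailer follows the data."""
    h = HASHES[algo]()
    for chunk in _chunks(data):
        h.update(chunk)
    h.update(trailer)
    return h.digest()


def v6_signature_digest(algo: str, salt: bytes, data: bytes, trailer: bytes) -> bytes:
    """v6 layout: hash( salt || data || trailer ).

    The salt is absorbed before the first byte of data, so a precomputed
    hash(data) is useless: the whole file has to go through the hash again.
    """
    h = HASHES[algo]()
    h.update(salt)
    for chunk in _chunks(data):
        h.update(chunk)
    h.update(trailer)
    return h.digest()


def context_separated_message(context: bytes, algo: str, digest: bytes) -> bytes:
    """Message handed to a pure-mode signature scheme (constructed encoding):
    length-prefixed context label, length-prefixed hash algorithm name, digest.
    Signing the same digest under two contexts yields two distinct messages."""
    if len(context) > 255:
        raise ValueError("context label too long")
    name = algo.encode("ascii")
    return bytes([len(context)]) + context + bytes([len(name)]) + name + digest


if __name__ == "__main__":
    data = os.urandom(100_000)            # constructed stand-in for a large archive
    trailer = b"\x06\x00\x10TRAILER"      # placeholder, not a real OpenPGP trailer
    salt = os.urandom(16)                 # constructed per-signature salt
    d4 = v4_signature_digest("sha256", data, trailer)
    d6 = v6_signature_digest("sha256", salt, data, trailer)
    print("v4 digest:", d4.hex())
    print("v6 digest:", d6.hex())
    print("pure-mode message:", context_separated_message(b"openpgp-sig", "sha256", d6).hex())
```

Running it prints the two digests for a random buffer; changing the salt changes the v6 digest even though the data and trailer are unchanged, which is the property that makes a pre-existing checksum of the file unhelpful for v6.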