Re: [openpgp] Recap of the signature options [was: PQC signature algorithm selection]
Simon Josefsson <simon@josefsson.org> Mon, 04 March 2024 23:48 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC0FFC18DBB8 for <openpgp@ietfa.amsl.com>; Mon, 4 Mar 2024 15:48:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="+4C0YLh1"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="P9tz8uvX"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XD0TgH7rctM6 for <openpgp@ietfa.amsl.com>; Mon, 4 Mar 2024 15:48:06 -0800 (PST)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0ED0CC18DB97 for <openpgp@ietf.org>; Mon, 4 Mar 2024 15:48:05 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding :Content-ID:Content-Description; bh=FcADSF7U1ZijiEWUMEVTT5/Y206rsuwrHc/1vQHTgu8=; t=1709596083; x=1710805683; b=+4C0YLh1U+mi+6Ft1I4Kc/W1K1ShvZUEHztpxKrNuohDcgXVnCCr5QFeXwe642D4q+ocNRyMh3G /6Z8jjWhNAw==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:To:From:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description; bh=FcADSF7U1ZijiEWUMEVTT5/Y206rsuwrHc/1vQHTgu8=; t=1709596083; x=1710805683; b=P9tz8uvXX36zjNaDxhh7OO4eQZgywhA7QgdTMsPP2yXmMdkwtS4hWDq/NRvRPJD8CpRc+L4qWAa 5xUGthOPCPzP+BJB2i29z55bWO5DG/HqkULsWub6eM/GWiSfLM/6hHmt3fmOB/lAaiMkLbpXlpHLc bpUGX1La7Q8aQWnGGuEUKLXsMRgSG26gLL2Oh9b+GdGlEAGEOoHyjbmvUwRn3Qwh+K6hnLuwjHw9+ GW1xsZvw10tFsBDH/64jxF/kLbVhoPWQsV8W6WMaZL8VxXfTG68u1UsXRiF7uH0g6GhbOLM+FKrNp jaIlT8A0dbpc8guwJHbpYQvIZmTNL8/c9St7Q2f/GooP7KXwFUqaTS2KbHz60VaY+LhZz06theLTS S+k5kDmJi4yvzON6MMGJQ6bMYISI3Txiz5gmeMPTYjKrjcVDFJ+BY+jBPSh+qc9UdWnq49h9O;
Received: from [2001:9b1:41ac:ff00:472e:4b49:56c6:2c7b] (port=35926 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1rhI2J-003sog-5k for openpgp@ietf.org; Mon, 04 Mar 2024 23:47:59 +0000
From: Simon Josefsson <simon@josefsson.org>
To: "openpgp@ietf.org" <openpgp@ietf.org>
References: <eSTNujDSQ-_B0YtGCoZ-6ZfZdrpf_m3_2mYpLag81M3m6AgB6QlTHsiZ5kM9c6kAfK-g62RKtdnjh0Azc_aqUCSS9XTj2d9HVlcWOBaiqVY=@wussler.it>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:240304:aron@wussler.it::a2j2gkcN6QxYjsUS:I0nK
X-Hashcash: 1:23:240304:openpgp@ietf.org::jLVpQR8h4EYAvROC:V2sh
Date: Tue, 05 Mar 2024 00:47:14 +0100
In-Reply-To: <eSTNujDSQ-_B0YtGCoZ-6ZfZdrpf_m3_2mYpLag81M3m6AgB6QlTHsiZ5kM9c6kAfK-g62RKtdnjh0Azc_aqUCSS9XTj2d9HVlcWOBaiqVY=@wussler.it> (Aron Wussler's message of "Mon, 04 Mar 2024 17:13:43 +0000")
Message-ID: <87v861y2yl.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/u824Tb0gLGVIouP3jY5xpgiCRVA>
Subject: Re: [openpgp] Recap of the signature options [was: PQC signature algorithm selection]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2024 23:48:11 -0000
Narrowing down options is good. I think the options could be made more clear if we discuss properties of the hybrid signature combiner scheme. For background see https://eprint.iacr.org/2023/423.pdf and https://datatracker.ietf.org/doc/html/draft-ietf-pquip-pqt-hybrid-terminology-02#section-5 on the WNS, SNS and SV terms. I am reading in https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#name-composite-signatures the following: 4.3. Composite Signatures The ML-DSA + ECC signature consists of independent ML-DSA and ECC signatures, and an implementation MUST successfully validate both signatures to state that the ML-DSA + ECC signature is valid. Some more details in https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#name-signature-verification follows: To verify a ML-DSA + EdDSA signature the following sequence of operations has to be performed: Verify the EdDSA signature with EdDSA.Verify() from Section 6.1.1 Verify the ML-DSA signature with ML-DSA.Verify() from Section 6.1.3 The signature value are formed as concatenation of component signatures, quoting https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#name-signature-packet-tag-2 follows: The algorithm-specific v6 signature parameters for ML-DSA + EdDSA signatures consists of: - A fixed-length octet string representing the EdDSA signature, whose length depends on the algorithm ID as specified in Table 10. - A fixed-length octet string of the ML-DSA signature value, whose length depends on the algorithm ID as specified in Table 12. The intention seems to achieve a SV property, am I reading this right? I would feel more comfortable if PGP relied on a hybrid signature combiner scheme that offered SV as a cryptographic property rather than as a somewhat implicit protocol property. And one that were specified generally and not just for PGP. One such scheme could be designed by replacing the two-part component signature values with just one value that is: SHA3(Ed25519.signature || Ed25519.publickey || ML-DSA-87.signature || ML-DSA-87.publickey || context) and the verifier has to compare the computed signature against that value before being able to say ACK or NAK. I may be missing something fundamental here, so a question: Are there any fundamental reasons why a hybrid PQ/T signature scheme for PGP cannot rely on a opaque signature combiner (like the one that I suggested above, only better) that provides a SV guarantee? Reversely: is there any reason PGP must use the separable two-value approach in section 6.3.1 of draft-ietf-openpgp-pqc? /Simon
- [openpgp] Recap of the signature options [was: PQ… Aron Wussler
- Re: [openpgp] Recap of the signature options [was… Stephen Farrell
- Re: [openpgp] Recap of the signature options [was… Simon Josefsson
- Re: [openpgp] Recap of the signature options [was… Falko Strenzke
- Re: [openpgp] Recap of the signature options [was… Simon Josefsson