[openpgp] Re: pre-hashed vs. direct signature PQC schemes

Daniel Huigens <d.huigens@protonmail.com> Tue, 23 July 2024 14:49 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 177B5C14F5E3 for <openpgp@ietfa.amsl.com>; Tue, 23 Jul 2024 07:49:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.804
X-Spam-Level:
X-Spam-Status: No, score=-2.804 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gP1LN4iMRyfS for <openpgp@ietfa.amsl.com>; Tue, 23 Jul 2024 07:49:41 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DB7EC14F702 for <openpgp@ietf.org>; Tue, 23 Jul 2024 07:49:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1721746178; x=1722005378; bh=/QXH3zj9KgQAYzYB51sMohq4zDWrHufxBz9rGM0em3Y=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=fhPMXeAI3ubWxLBNl//1JAiwKp8k2bWKN60lsTXEcEaFWXiAqsgZMqjWwC+H1dMVk R+2QIvljeJy+bohofhz1edDzRXGuVD7wkwk71WYNFi77rSeh2/48u+4gqhE/liirrf +LwZAgOZeNjbOrefdITU3tCLSURMA/iI6zyL/FRaENnEzoODM94TjZ2+YqbHgSXQV/ XXJKoYAISlmqLFvBTrVZUkAJFvuznuJP/CqjRhZ/LIeeuA8V43lTgj2gUj9TYdsHZb TYACkyfwnJpR3uY0hkxSpGs75n1CNpcuu+mMZpsWJZ5gWAxWOGEz+mYdPwMLNpbnys ocfvBj/NcLCLw==
Date: Tue, 23 Jul 2024 14:49:31 +0000
To: Falko Strenzke <falko.strenzke@mtg.de>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <MqzjO5I8_A2wW99mGIzBYV9qzS7O6VqkIgzGOxxlGEo6bgxN7hXNGk5-1gl5ENcnCnGFktNfRtRiAP5dWcJyOMia6mIMUQz1rpR7X8taLNY=@protonmail.com>
In-Reply-To: <5b4dcb6b-6ab3-4150-8923-cda5dc8f88e0@mtg.de>
References: <5b4dcb6b-6ab3-4150-8923-cda5dc8f88e0@mtg.de>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: a3d5426cea58eea6b59244a397fbd860707273c2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_iGbOSgDieUZvxZfksPlHq14oLec3nb5b8tzKr4uppc"
Message-ID-Hash: KNB3YWJBWPQRVQJEF3CVQD7YMDAMN45G
X-Message-ID-Hash: KNB3YWJBWPQRVQJEF3CVQD7YMDAMN45G
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "openpgp@ietf.org" <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: pre-hashed vs. direct signature PQC schemes
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/vBtUjadMYX_2BdO8bbQB-K9FCZs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hi Falko,

I'm not fully familiar with the pre-hashed variants of ML-DSA and SLH-DSA but if I understand them correctly, the analogy with PureEdDSA and HashEdDSA is not fully correct.

HashEdDSA performs one more hashing step internally than PureEdDSA (see https://www.rfc-editor.org/rfc/rfc8032.html#section-4) the purpose of which is to be able to provide a single-pass (e.g. streaming) interface for signing (which PureEdDSA can't do), but the intended use is still to pass the message to the function, not the hash.

By contrast, [this presentation](https://csrc.nist.gov/csrc/media/Presentations/2024/panel-rehashing-pre-hashing/images-media/panel-pre-hashing-pqc2024.pdf) says that the "normal" variant of ML-DSA and SLH-DSA will take a message and hash it internally, while the pre-hashed version will take a hash and not hash internally. In that case, it makes sense to use the pre-hashed version since the data is already hashed. In the case of EdDSA, it wouldn't make sense to use HashEdDSA (as specified) as that would just add another unnecessary hashing step, rather than take one away.

If we wanted to fully comply with the intended use of EdDSA, what we could have done is specify that we don't prehash the data in OpenPGP and then pass it to HashEdDSA (or PureEdDSA, but then we lose the ability to stream), but that's a much larger change than swapping the variant.

Best,
Daniel

On Tuesday, July 23rd, 2024 at 15:58, Falko Strenzke <falko.strenzke@mtg.de> wrote:

> During the session yesterday we mentioned that the NIST standards will specify a pre-hashed as well “direct” variant for the ML-DSA and SLH-DSA signature schemes and that the PQC drafts will use the pre-hashed one. The reason is that the integration of a signature scheme into OpenPGP follows the hash-and-sign paradigm, and this is exactly what the pre-hashed variants are specified for. This is noteworthy as the crypto-refresh took the formally wrong decision of using the PureEdDSA instead of the HashEdDSA variant in the analogous case of EdDSA: there, H(M) is provided to the PureEdDSA variant which is clearly against the intended use of the two variants. This doesn’t have any security implications, as, even if the correct use of the PureEdDSA variant should ever be introduced in OpenPGP, signature forgeries cannot occur since OpenPGP always includes the signature algorithm ID (which would necessarily differ in this case) in the hashed meta data.
>
> So our plan is to do it correctly for the PQC algorithms, even if only in order to demonstrate correct use of the two variants. What we do not mean by this (at least I myself), is changing the use of EdDSA in the ML-DSA+EdDSA multi-algorithm signature scheme. The crypto-refresh specifies already to use PureEdDSA and I would tend to leave it at that also for the new multi-algorithm schemes.
>
> I hope this clarifies what we intend to do and why. Anyone let me know if there is still something unclear.
>
> - Falko
>
> --
>
> MTG AG
> Dr. Falko Strenzke
>
> Phone: +49 6151 8000 24
> E-Mail: falko.strenzke@mtg.de
> Web: [mtg.de](https://www.mtg.de)
>
> [Follow us on LinkedIn](https://www.linkedin.com/search/results/all/?fetchDeterministicClustersOnly=true&heroEntityKey=urn%3Ali%3Aorganization%3A13983133&keywords=mtg%20ag&origin=RICH_QUERY_SUGGESTION&position=0&searchId=d5bc71c3-97f7-4cae-83e7-e9e16d497dc2&sid=3S5&spellCorrectionEnabled=false)
> Follow us
> ---------------------------------------------------------------
>
> [360° GSA - German Security Alliance](https://360-german-security-alliance.de/)	[Info it-sa 2024](https://www.itsa365.de/de-de/companies/m/mtg-ag)
>
> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
> Commercial register: HRB 8901
> Register Court: Amtsgericht Darmstadt
> Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
> Chairman of the Supervisory Board: Dr. Thomas Milde
>
> This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error,
> please inform the sender immediately and delete this email.Unauthorised copying or distribution of this email is not permitted.
>
> Data protection information: [Privacy policy](https://www.mtg.de/en/privacy-policy)