IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: LAMPS Virtual Interim in Sept. 2022

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 16 September 2022 18:06 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C594C14F6E7 for <spasm@ietfa.amsl.com>; Fri, 16 Sep 2022 11:06:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8PvbrY6yOu-y for <spasm@ietfa.amsl.com>; Fri, 16 Sep 2022 11:06:43 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8250EC14CF10 for <spasm@ietf.org>; Fri, 16 Sep 2022 11:06:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id CE7981031A; Fri, 16 Sep 2022 21:06:40 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id AMPN0yKpafTO; Fri, 16 Sep 2022 21:06:40 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 98C7A72; Fri, 16 Sep 2022 21:06:38 +0300 (EEST)
Date: Fri, 16 Sep 2022 21:06:38 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: LAMPS <spasm@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <YyS7Lso7GmhDDZUI@LK-Perkele-VII2.locald>
References: <CADqLbzJjBpPF+6bZ2E2r_eXKFmzCcd5i8H_ZV7O0Dg9Kg+i1xw@mail.gmail.com> <AB126236-D280-4922-A711-CE4C2948C6B3@vigilsec.com> <CADqLbzJF1YYPMpHF3q4NfD-VMG6UM3QdtT33WcL7QE7D8mUvTA@mail.gmail.com> <CADqLbz+ZgNvynnOOH0g13GKMegKrgAghJmTJr=C2pAtYo45X5Q@mail.gmail.com> <02E791EC-13CF-4C23-9BAD-A29938C9B2CF@vigilsec.com> <CADqLbzJtuxY9wdPE1iC3O=NFS8JnojuspbJBXN_=FZ2=4dfg=Q@mail.gmail.com> <D49B24A7-10D1-424E-B1C6-6202343F99F3@vigilsec.com> <68F68C22-B0DC-452D-B8BC-CE4B8B53B664@vigilsec.com> <CH0PR11MB57397348405207DC6733877E9F489@CH0PR11MB5739.namprd11.prod.outlook.com> <38067E9F-7C3D-4AC9-83E2-FF56B400B511@ll.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <38067E9F-7C3D-4AC9-83E2-FF56B400B511@ll.mit.edu>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/09veBt_ynZqNSLzPZDmF2-nyxcY>
Subject: Re: [lamps] [EXTERNAL] Re: LAMPS Virtual Interim in Sept. 2022
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2022 18:06:47 -0000

On Fri, Sep 16, 2022 at 04:58:22PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> Mike Ounsworth wrote:
> > Could I get a slot at the LAMPS interim to discuss the hash-then-sign
> > issue for Dilithium and Falcon?
> 
> I think this issue is worth discussing.
> 
> > Issue summary:
> >
> > - Needing to stream your entire message to your crypto module is dumb
> > (think streaming an entire firmware image to your network HSM for
> > code-signing, or to your TPM for secure boot validation; yuck).
> 
> I'm not sure I agree here - if you sign a hash of something, you can't be
> sure it's a hash of what you wanted to sign.

Then there is the problem is that carelessly done pre-hashing can lead
to signature standing for two things, which is considered to break the
signature algorithm.

Pre-hashed variant of Ed25519 does very nasty hacks prevent that
attack.


Related question: How common it is that HSM itself checks format of
the data it is signing? Without such checks, it is completely open to
signing whatever.


> > - Both Dilithium and Falcon have, as their first internal step' a hash
> > of the message prepended with a nonce (the pubkey for Dilithium, and a
> > random r for Falcon), I assume in order to block pre-computed collision
> > attacks.
> > - If you, for example, do SHA256(m) before calling Dilithium.sign(),
> > then you have re-introduced that collision attack.
> 
> This assumes one can find collisions in the hash function used. For
> SHA2 and SHA3 it's a tall assumption. AFAIK, the main reason SHA3 hasn't
> superseded SHA2 at this point (despite that SHA3 is cryptographically 
> nicer and better) is that SHA2 proved to be "strong enough".

I am aware of at least one place where anti-collision countermeasures
are mandated for SHA-2.


> > - You can externalize that first hashing step of the Dilithium /
> > Falcon sign / verify algs outside of the crypto module without
> > breaking interop, but doing so will need to be mentioned in the
> > standards, and will need security review.
> 
> Offhand, I doubt this can be secure...

I think it might be safe enough for Dilithium. However, for Falcon, 
there is serious issue that one of the hash inputs must be generated by
the crypto module. And then it is not possible at all for SPHINCS+.



-Ilari

v2.35.0 | Report a Bug | By Email | System Status