Re: [lamps] Whether to hash-then-sign with Dilithium and Falcon?
"D. J. Bernstein" <djb@cr.yp.to> Sat, 20 August 2022 18:29 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB664C152701 for <spasm@ietfa.amsl.com>; Sat, 20 Aug 2022 11:29:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X-QiOGQR7Av2 for <spasm@ietfa.amsl.com>; Sat, 20 Aug 2022 11:29:34 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 64E3CC1522D6 for <spasm@ietf.org>; Sat, 20 Aug 2022 11:29:34 -0700 (PDT)
Received: (qmail 31215 invoked by uid 1010); 20 Aug 2022 18:29:32 -0000
Received: from unknown (unknown) by unknown with QMTP; 20 Aug 2022 18:29:32 -0000
Received: (qmail 232810 invoked by uid 1000); 20 Aug 2022 18:29:08 -0000
Date: Sat, 20 Aug 2022 18:29:08 -0000
Message-ID: <20220820182908.232808.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: pqc-forum@list.nist.gov, spasm@ietf.org, cfrg@irtf.org
Mail-Followup-To: pqc-forum@list.nist.gov, spasm@ietf.org, cfrg@irtf.org
In-Reply-To: <CAMm+LwihTg8fC17SYLO-iPVj3ahxcaFBX-0mhtYZFMHkU_RtCA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BARUlmXaP5fCeEe1TDoObDLpZNU>
Subject: Re: [lamps] Whether to hash-then-sign with Dilithium and Falcon?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Aug 2022 18:29:38 -0000
Phillip Hallam-Baker writes: > If this is a useful approach, then move it out of the signature > primitive and push it into the envelope format. Sure, people converting a signature system m |-> Sign(m) into a one-pass signature system m |-> Sign(H(m)) can maybe be convinced to instead convert it into a safer one-pass signature system m |-> r,Sign(H(r,m)) where r is chosen randomly at signing time. Both conversions are generic, and the performance differences are minor. But moving this _out_ of the underlying signature system is dangerous. Applications will often expose the underlying signature system directly to attackers. For example, an RSA HSM that returns h^d given h, trusting the environment to choose h as a hash, is breakable by essentially the attack of https://link.springer.com/article/10.1007/s00145-015-9205-5. > If SHAKE is broken, then we are going to have so many problems that the > security of the signature algorithm is irrelevant. Certainly we'd like to end up in a world where everyone is using a hash function that we can confidently assume is collision-resistant. However, avoiding this assumption turns out to simplify security review: * Avoiding collision resistance means that cryptanalysts can avoid worrying about some important, hard-to-analyze attack avenues (e.g., what Wang dubbed "message modification"). * Some components of security analyses can be computer-verified today, but (because of well-known formalization difficulties) assuming collision resistance creates problems for this. * In the opposite direction, the random r above creates its own complications in security review, but looking at the details shows that these complications are _relatively_ easy to analyze. Simplifying security review is important because the overall situation in post-quantum cryptography is that security reviewers are terribly overloaded. Compare, e.g., https://eprint.iacr.org/2021/543 ("A decade unscathed") to https://eprint.iacr.org/2022/975. For many more examples see https://ntruprime.cr.yp.to/latticerisks-20211031.pdf. If a cryptosystem takes 10 unnecessary risks, each independently incurring a 10% chance of disaster, then the cryptosystem has, overall, a 65% chance (1-0.9^10) of disaster from these risks. Systematically avoiding risks is much safer. ---D. J. Bernstein
- [lamps] Whether to hash-then-sign with Dilithium … Mike Ounsworth
- Re: [lamps] Whether to hash-then-sign with Dilith… Scott Fluhrer (sfluhrer)
- Re: [lamps] Whether to hash-then-sign with Dilith… Mike Ounsworth
- Re: [lamps] [pqc-forum] RE: Whether to hash-then-… Massimo, Jake
- Re: [lamps] [CFRG] [pqc-forum] RE: Whether to has… Tadahiko Ito
- Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE:… John Gray
- Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE:… Phillip Hallam-Baker
- Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE:… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE:… Phillip Hallam-Baker
- Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE:… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE:… Mike Ounsworth
- Re: [lamps] Whether to hash-then-sign with Dilith… D. J. Bernstein
- Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE:… Tadahiko Ito