Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE: Whether to hash-then-sign with Dilithium and Falcon?

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 19 August 2022 19:58 UTC

Return-Path: <prvs=6230d3ccbe=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28616C14F723; Fri, 19 Aug 2022 12:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yz5TEUIHaKVQ; Fri, 19 Aug 2022 12:58:20 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AE05C157908; Fri, 19 Aug 2022 12:57:43 -0700 (PDT)
Received: from LLEX2019-2.mitll.ad.local (llex2019-2.llan.ll.mit.edu [172.25.4.124]) by MX2.LL.MIT.EDU (8.17.1.5/8.17.1.5) with ESMTPS id 27JJvTu4037070 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 19 Aug 2022 15:57:29 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=m/GUthMUDsMpcjyqcgpFJZe7wZXP0GqFSJscjet9SEZ4ZYVUIuOcvdhvpyTxPhPtDorBDaQ1tfAzkAamyJ6DudfsjBJ580gPJ+uT5fXWYDrbQOpBYjbpWJW5P4OYtvIUbWwdhT+7dPAONns9mrmtgFSMwq3m7b3Kxoibw5MVWUGfpnfOvabwclKZhVpLHMOy0+gXn+QeaShVymJNTbJJEmJqkqV3jHSvbi4crHZZgUSpzXn6Nu8G2IrJE3J1RmPYXa9xkbIlO2mXEE7A4qovmJ9XODuneDutXiyhqkATzO3YChYOhIgPzfZThMi//HmBZy9C/NnI/8MF+YJPjqwyeg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ce6XxeduALehzaIhSJXr/m3qFmYzTEUVdYzDUKOlrFg=; b=emx8kM319zd+2AnWebAY8mUOSM44+AKk/62qEi/r1G/YaByOym1d+BfIlbKYFAD29T8sRuknsJV8jcKARU0mW4HLMVGGi3a6FaJLpXtoHzd+pTTyt7OhJzkwcuPdgOw3LsVgQaepQTjKE/g515pOUd6wvJxb8iUPFZjbWiN2Ax77Tio9TgWdcNEzBjZ6mrimEMJttXxiPojhhIL1nJCVolbhUD6rRnw7MGBEiGCIG5vd/4B/Aob+m27INIowhM3aUPFeId6d+y/0Q5Nt7InGzHIHbQm4TgbDh+We9qi8mCOXiMP7twFmQVFql6jaNfPlag0UbaSWyCk1Q8LMLWp/tw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Phillip Hallam-Baker <phill@hallambaker.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
CC: LAMPS <spasm@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE: Whether to hash-then-sign with Dilithium and Falcon?
Thread-Index: AdiyWmrrCCvkDLBiTn2DcOMWvaOQ/gABb6NQAAQ+JgAAE/kJgAASGGSwABycwAAAHkI4AAADzCcA///AogA=
Date: Fri, 19 Aug 2022 19:57:35 +0000
Message-ID: <0BF867D6-C4E0-4D9C-8B72-E1CE59308A6F@ll.mit.edu>
References: <CH0PR11MB5739393F19DD5282E3D7EF549F6A9@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5444B9D3A0CB6E447A2FA3E5C16A9@CH0PR11MB5444.namprd11.prod.outlook.com> <88358933-A540-4000-9C7D-D248F670122F@amazon.com> <CAFTXyYC=Zt0hhk5G2A6b6AOM6Aww7jL3CwUmcZfNpmsWW0cpGQ@mail.gmail.com> <DM6PR11MB2585E47B6D7D92EBC1E71A29EA6D9@DM6PR11MB2585.namprd11.prod.outlook.com> <CAMm+LwiCxwv6smMSL4u+3dnBYWDkStE4pBXh25GKAuaVj+nehg@mail.gmail.com> <CH0PR11MB5739054876AF545FCA6DEA749F6C9@CH0PR11MB5739.namprd11.prod.outlook.com> <CAMm+LwihTg8fC17SYLO-iPVj3ahxcaFBX-0mhtYZFMHkU_RtCA@mail.gmail.com>
In-Reply-To: <CAMm+LwihTg8fC17SYLO-iPVj3ahxcaFBX-0mhtYZFMHkU_RtCA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.63.22070801
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: de46bbdb-5b80-48aa-05cf-08da821d0fa9
x-ms-traffictypediagnostic: BN0P110MB1369:EE_
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ekGTiw6Jy8uDq7IqyllJnX0Ipt1SSkh3wkIVyFd9L9DcwPYclbjHRzTvhVSOSZjcZT0hBvhIf39Iebny2t+stlXn9zLkkiCBWpDokoAfoRHHZDILyCE7+G6xSVgBE6jbKbBjzQtEXifodk0v3Ehg/aSSrstH5s4P0/4eB+5fjuMtdLu2Dm4w+VXuykMjKEjl+pug0v+UdjskvH7/VynJ/rCSSZNnH8Jf6I1lALyqgoTWiE1TX3r71QZLNJomjDdBYWtP1XAjoadvqb9aLlfBwtbCQhB2FrVOVsvCsL5a7UNexGRTZepuZg7zse+hSAbPK3cx4yswBtOXBmUI/txxAxWvVihg82Qdj2b/K30MNB6jV+I9HPjnk0+OEtUa4HXcLOMdLGItzc6nobiVk/nwbf2pf03SmvyzSG1ChthfJwtvINH+3SrPgK/DtGh9eYGBe1fctMaRlvL7UJGaTHLYTGHgfwM0AWl9W00NuIlmo4FPVM3UE8frfHclWHmvT8KKWW1V5S0EOVlWtyL83QN2S8H3/R50W/uvADRcFeDEQkT/AkbMXY2gm4nQRQwMLTW79SueKwbwppERM6vk2sNyJu3vWfo/dhnvoFzOTY+p9UJMfLvPtR7K2FUDjmyXYMMXLCCl/MxEDsvcbI6UclS6ZI170/h+m3aNar0ND3HjEhVOr11dpPkf9lVTtS2o8nWlCFWiwh6oqSI1uJbTxNkFZEirhdSh4eJ5hi0NDFebXC82Tc05z0Cx2cmINtfdQ3zP
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(366004)(966005)(6486002)(71200400001)(498600001)(2906002)(33656002)(54906003)(38070700005)(86362001)(110136005)(75432002)(99936003)(2616005)(186003)(122000001)(166002)(6506007)(26005)(53546011)(6512007)(66574015)(66556008)(8936002)(66946007)(66446008)(76116006)(5660300002)(64756008)(4326008)(8676002)(66476007)(38100700002)(83380400001)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: oo8EWJaIB3wAbWmzfNd2jkRTpYyfmESs1QX2rrOYyFrWrVkaW9UiQCNwY7CsW57c7OGIDiLfzVCkF7pFnrPfPhT+wu/5mOmKYO08ctQZLqxVN4hkIvDIWpPh6q3WpdlE923j4kURKtI/nVMR0ft1HvErZkvEQHZdw2yVvMN5OLh03BD9uzWz9L1BlEftUyH/+pYeHr72uWUNaazBxlxUt+zluN5hm5KEcOeWP3INf5mufWaUYZEBZwnxI2adNIMq4IfAvftYX0bs8mQxKHny2W/Pvsy50wbP6VTthCD/pPqYCjtm8nrA+fLkxRsYOtTxn9kcgRWpSs3QwI52j8FtZaRbgS3iKK2n9l0El5ewN6Xkk7hHtVjJQ/1XSDvW9IfP2u0cW+5+9DpEHsluwRw6dpeGPcOTWwFdODJ3bFCGT/c=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3743769454_1036189106"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: de46bbdb-5b80-48aa-05cf-08da821d0fa9
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Aug 2022 19:57:35.4119 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1369
X-Proofpoint-ORIG-GUID: CMuE5I1-nbaq_qZhMA_3XeLkgZkfWBqr
X-Proofpoint-GUID: CMuE5I1-nbaq_qZhMA_3XeLkgZkfWBqr
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-19_11,2022-08-18_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 mlxscore=0 adultscore=0 malwarescore=0 mlxlogscore=999 phishscore=0 spamscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2207270000 definitions=main-2208190074
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/fJMVsipH1GveMsF1yK-LtMyVbKI>
Subject: Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE: Whether to hash-then-sign with Dilithium and Falcon?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 19:58:22 -0000

Oh right. So far I am up the Kyber pass and have not done Dilithium yet.

 

Me too. 😃 

 

this has the nice property that `r` is generated at signing time by the signer. So should SHAKE develop a collision attack similar to the one we saw for SHA1, then the collision pre-computation as still intractable for the attacker because the attacker cannot not know `r` in advance. (Disclaimer: I am just an engineer trying to wrap my head around this, corrections welcome!).

Meh, seems like an unnecessary concern. And I am not sure how this actually helps against collision attacks in general.

 

It does help against collision attacks (not sure what you meant by “in general”). But, as you said:

 

If SHAKE is broken, then we are going to have so many problems that the security of the signature algorithm is irrelevant.

 

I do not think SHAKE (or even SHA2) will be broken in the foreseeable future, but indeed, in the (practically impossible, IMHO) case it is broken – we’ll have many more problems than the signature algorithm security.

 

As a matter of protocol composition, the signature algorithm should not be trying to fix a potential issue in the digest algorithm because things are going to be breaking all over.

So, the concern with hash-then-sign is that if `m` above is itself a message digest, ie `m = SHA256(M)`, then you have un-done the collision resistance that is built in to the Falcon primitive, essentially reducing the security properties of Falcon. Adding the message digest to the signed content does not help if the attacker is holding two messages with the same SHA256 hash.

If this is a useful approach, then move it out of the signature primitive and push it into the envelope format. 

 

It is a useful approach, and it probably does belong to the envelope.

 

TNX

  

From: Phillip Hallam-Baker <phill@hallambaker.com> 
Sent: August 18, 2022 10:29 PM
To: John Gray <John.Gray=40entrust.com@dmarc.ietf.org>
Cc: Tadahiko Ito <tadahiko.ito.public@gmail.com>; Massimo, Jake <jakemas=40amazon.com@dmarc.ietf.org>; Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; Mike Ounsworth <Mike.Ounsworth@entrust.com>; LAMPS <spasm@ietf.org>; cfrg@irtf.org; pqc-forum <pqc-forum@list.nist.gov>; Kampanakis, Panos <kpanos@amazon.com>; sean@ssn3rd.com; bas@westerbaan.name
Subject: Re: [lamps] [EXTERNAL] Re: [CFRG] [pqc-forum] RE: Whether to hash-then-sign with Dilithium and Falcon?

 

 

 

On Thu, Aug 18, 2022 at 11:29 AM John Gray <John.Gray=40entrust.com@dmarc.ietf.org> wrote:

Thanks Tadahiko,

 

I read through your paper, and it covers exactly the usability issues we have come across!   We were wondering if it is possible to perform the specific hashing external to the server (which could be an HSM as in your paper, or timestamp server, etc).   For example, for Dilithium the mu := CRH( tr || M) and for Falcon it would be  c <- HashToPoint(r || m, q, n).    Your paper answers that question, it can be done for Falcon, but  not Dilithium (without changing the signature output).   So part of our question is whether using a regular external Hash as we do today for RSA and ECDSA (and what you call a boundary type B) somehow reduces the security and we shouldn’t recommend it.   We are interested in this because we are looking at defining composite pairs or triples which combine existing signature algorithms like RSAWithSHA256 and ECDSAWithSHA256 with Falcon or Dilithium.    Having to change the operational paradigm for an HSM or something like a timestamping server would result in large amounts of data having to be piped across the internet for signatures (as you point out in your paper).    

 

For our composite signature use case it brings up similar questions.   We can support a mode where external hashing is done once, and then individually signed by the components (this makes it much more efficient) both internally and externally for the HSM, timestamping, code signing use-cases.   However, in the case of Dilithium there would need to be two signature modes Sig = Dilithium (Message) and the other would be Sig = Dilithium ( HASH (Message)).   I don’t think that is necessarily a bad thing as long as it is standardized and secure.   Alternatively, we could support independent hashing for each component, but that gets strange if you are doing an external hash for ECDSA, but then need to send the whole data for Dilithium.   We would likely have to end up supporting sending the whole data if external hashing compromises security of the PQC composites, but then it is even more inefficient as each component would need to hash independently.    You also covers this in section 4.3 your paper:

 

“We can construct type B cryptographic boundaries by adding one more hash function before the execution of PQC’s signature generation algorithm… This approach would improve the efficiency of lattice based digital signature schemes deployed in HSM. It would have a greater impact on Dilithium, but also be applicable to Falcon and other digital signature schemes. Two modes of PQC algorithms utilizing this approach will be able to exist, namely, a PQC algorithm without an additional hash (i.e. original PQC algorithm) and a PQC algorithm with an additional hash. If there are two modes of a digital signature scheme, then the asymmetric operation for those two modes must not be identical. The reason is that, obtaining a signature from the mode with an additional hash function would help attackers who can attack another mode which is without the additional hash function.”

 

That is not a new issue and it is one that we discussed at great length for RSA. The hash of the digest is part of the signature payload to prevent substitution attacks.

 

I am finding the description of the problem here to be making assumptions about what 'formal proofs' are demonstrating that are probably demonstrating something else. If you assume there is only one true digest function, you 'solve' the digest substitution problem by pretending it does not exist...

 

 

In my view, the signature function should be over the payload and the additional authenticated data. Whether this is the OID of the digest algorithm alone or something more depends on the signature scheme. That is what JOSE etc. have to sort out. 

 

Preventing a digest downgrade attack may be considered the concern of the cryptographic envelope format because there may be more than one form of downgrade attack to be considered. But it is also something we have traditionally included in the signature...

 

 

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system. 

-- 
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+unsubscribe@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAMm%2BLwihTg8fC17SYLO-iPVj3ahxcaFBX-0mhtYZFMHkU_RtCA%40mail.gmail.com.