lamps-wg / dilithium-certificates

I-D that describes the algorithm identifiers for NIST's PQC ML-DSA for use in the Internet X.509 Public Key Infrastructure

Mention pure ML-DSA's prehashing support #47

Closed bwesterb closed 1 week ago

bwesterb commented 3 weeks ago

As discussed in the working group meeting 121 on Tuesday.

cc @csosto-pk

csosto-pk commented 2 weeks ago

I dislike this option more than HashML-DSA. Breaking up the signature has implications for its security analysis.

I responded to the list with my counterpoints to Sophie's points (it does not seem to have appeared on the list yet). I am not convinced that taking mu out of the signature is more secure than HashML-DSA. And even if it was, it means SLH-DSA would need to do something else, which means less alignment.

Anyway, if the WG concludes that taking mu is preferred over HashML-DSA, then I can live with it. In a sense it solves my problem. But I will try to make arguments against it.

We also need to confirm that NIST will certify external mu SigGen and SigVer because that broke with ECDSA SigVer recently.

bwesterb commented 2 weeks ago

> We also need to confirm that NIST will certify external mu SigGen and SigVer because that broke with ECDSA SigVer recently.

Dang confirmed, pointing to the comment on line 6 of algorithm 7. Deb confirmed too for CNSA 2.
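As an added example (not code from the draft or this repository), the Python below builds the FIPS 204 quantities the two options in this thread differ on: the prehashed M' of HashML-DSA (Algorithm 4) versus the "external mu" of ML-DSA.Sign_internal, Algorithm 7 line 6, which a front end can compute and hand to the signer without the message. The public key, ctx and message bytes are constructed placeholders, not real ML-DSA values.

```python
import hashlib


def H(data: bytes, n: int) -> bytes:
    """FIPS 204's H: SHAKE256 with an n-byte output."""
    return hashlib.shake_256(data).digest(n)


def format_pure(ctx: bytes, msg: bytes) -> bytes:
    """M' for pure ML-DSA (FIPS 204, Algorithm 2):
    domain separator 0x00, one-byte ctx length, ctx, then the message."""
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return b"\x00" + bytes([len(ctx)]) + ctx + msg


# DER encoding of the SHA-512 OID (2.16.840.1.101.3.4.2.3) as used in Algorithm 4.
SHA512_OID_DER = bytes.fromhex("0609608648016503040203")


def format_hash(ctx: bytes, msg: bytes) -> bytes:
    """M' for HashML-DSA with SHA-512 (FIPS 204, Algorithm 4):
    domain separator 0x01, ctx, the hash OID, then the digest of the message."""
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return b"\x01" + bytes([len(ctx)]) + ctx + SHA512_OID_DER + hashlib.sha512(msg).digest()


def external_mu(pk: bytes, m_prime: bytes) -> bytes:
    """Line 6 of ML-DSA.Sign_internal (Algorithm 7): mu = H(tr || M', 64),
    with tr = H(pk, 64) as stored in the private key at key generation.
    In the 'external mu' deployment this 64-byte value, not M', crosses to the signer."""
    tr = H(pk, 64)
    return H(tr + m_prime, 64)


if __name__ == "__main__":
    pk = b"\x42" * 1312           # constructed stand-in for an ML-DSA-44 public key
    ctx, msg = b"lamps-demo", b"certificate to be signed"
    mu = external_mu(pk, format_pure(ctx, msg))
    # Both options give the signer a fixed-size input; only HashML-DSA changes M' itself.
    print("pure M' length     :", len(format_pure(ctx, msg)))
    print("HashML-DSA M' length:", len(format_hash(ctx, msg)))
    print("external mu length :", len(mu))
```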