lamps-wg / draft-composite-sigs

IETF Internet-Draft about X.509 certificates with composite keys and signatures.

Clarifying Composite Signature Specifications for Consistent Implementation #39

Open mojtaba-bisheh opened 1 month ago

mojtaba-bisheh commented 1 month ago

I am seeking clarification on the input message for the composite signature specification to ensure consistent understanding and implementation. Given that ML-DSA operates in two modes—pure and pre-hash—and there are various prefixes/OIDs for the pre-hashed mode, this clarification is crucial. There is also one more hashing operation within the ECC boundary that should not be mistaken for what the composite signature needs in M' := Domain || HASH(Message) step.

There are two options here:

One option is to move hybrid domain concatenation into the HASH operation (similar to the ML-DSA scheme), i.e., M' := HASH(Domain || Message). In this case, there is one other HASH operation for both ECC and pre-hash ML-DSA:

for ECC: HASH(M') = HASH(HASH(Hybrid_Domain || Message))
for pure ML-DSA: HASH(tr || M') = H(tr || 0x00 || ctx_len || ctx || HASH(Hybrid_Domain || Message))
for pre-hash ML-DSA: HASH(tr || M') = H(tr || 0x01 || ctx_len || ctx || OID || HASH(HASH(Hybrid_Domain || Message)))

This back-to-back hashing operation for ECC and pre-hash ML-DSA makes no sense, so you can remove the hash operation and just append the message with an OID, which reduces the complexity of the computation too.

The second option is keeping the current condition as:

for ECC: HASH(M') = HASH(Hybrid_Domain || HASH(Message))
for pure ML-DSA: HASH(tr || M') = H(tr || 0x00 || ctx_len || ctx || Hybrid_Domain || HASH(Message))
for pre-hash ML-DSA: HASH(tr || M') = H(tr || 0x01 || ctx_len || ctx || OID || HASH(Hybrid_Domain || HASH(Message)))

Furthermore, including test vectors and examples in the specification would promote uniform implementation across the industry.

janklaussner commented 5 days ago

Hi @mojtaba-bisheh,

This seems similar to #34 and #45. The solution is to use only pure ML-DSA in Composites and do either a PreHash or not when generating M'.

pure M' := Domain || IntegerToBytes(|ctx|, 1) || ctx || Message
preHash M' := Domain || IntegerToBytes(|ctx|, 1) || ctx || HashOID || HASH(Message)

Both ECC and ML-DSA get the same M'. The ECC algorithm will do another Hash again.

Does this work for you or do you see any issues with that?
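The following is an added example illustrating the M' construction proposed in the reply above (and the "one more hash inside the ECC boundary" point raised in the opening post); it is not code from the draft or from either commenter. The Domain value is a constructed placeholder, not one of the draft's real composite domain separators; the HashOID is assumed to be the DER encoding of the SHA-256 OID (2.16.840.1.101.3.4.2.1), and SHA-256 stands in for whichever HASH the draft pairs with a given composite. The point it makes concrete is that both components receive the identical M' byte string, with the ECC side then applying its own digest once more; the context length is encoded in a single byte, so a ctx longer than 255 bytes is rejected rather than silently truncated.

```python
import hashlib

# Constructed placeholder for the composite Domain separator. The real value is the
# DER-encoded composite OID defined in the draft; this stands in for it only.
DOMAIN_PLACEHOLDER = b"\x06\x0bEXAMPLE_DOM"

# DER-encoded OID for SHA-256 (2.16.840.1.101.3.4.2.1); assumed here to be what the
# thread means by HashOID.
SHA256_OID_DER = bytes.fromhex("0609608648016503040201")


def integer_to_bytes(n: int, length: int) -> bytes:
    """IntegerToBytes(n, length): big-endian fixed-width encoding, rejecting overflow."""
    if not 0 <= n < 256 ** length:
        raise ValueError(f"{n} does not fit in {length} byte(s)")
    return n.to_bytes(length, "big")


def build_m_prime(domain: bytes, ctx: bytes, message: bytes, prehash: bool) -> bytes:
    """Construct M' as proposed in the thread.

    pure:    M' = Domain || IntegerToBytes(|ctx|, 1) || ctx || Message
    preHash: M' = Domain || IntegerToBytes(|ctx|, 1) || ctx || HashOID || HASH(Message)
    """
    if len(ctx) > 255:
        # One-byte length prefix: anything longer cannot be encoded unambiguously.
        raise ValueError("ctx must be at most 255 bytes")
    prefix = domain + integer_to_bytes(len(ctx), 1) + ctx
    if prehash:
        return prefix + SHA256_OID_DER + hashlib.sha256(message).digest()
    return prefix + message


def ecc_component_input(m_prime: bytes) -> bytes:
    """The ECC component hashes M' again inside its own boundary (e.g. ECDSA over SHA-256).
    This digest is the ECC signature input, not part of M' itself."""
    return hashlib.sha256(m_prime).digest()


def component_inputs(domain: bytes, ctx: bytes, message: bytes, prehash: bool) -> dict:
    """Return what each component of the composite actually signs.

    ML-DSA (pure mode) signs M' directly; ECC signs HASH(M')."""
    m_prime = build_m_prime(domain, ctx, message, prehash)
    return {
        "ml_dsa_input": m_prime,
        "ecc_input": ecc_component_input(m_prime),
    }


if __name__ == "__main__":
    msg = b"hello composite"  # constructed sample message
    for mode in (False, True):
        parts = component_inputs(DOMAIN_PLACEHOLDER, b"", msg, prehash=mode)
        print("preHash" if mode else "pure   ",
              "M' =", parts["ml_dsa_input"].hex(),
              "| ECC digest =", parts["ecc_input"].hex())
```

Running the block prints M' for both modes followed by the ECC side's digest of it. Note that in preHash mode the verifier must recompute HASH(Message) and re-assemble M' from the same Domain and ctx before checking either component, so the HashOID bytes bind the choice of hash into what both signatures cover.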