ounsworth
commented
1 week ago In the meeting today, we discussed two versions. I don't think we reached consensus about which was better.
Version 1:
Sign (sk, Message, ctx) -> (signature)
Signature Generation Process:
1. Compute the new Message M' by concatenating the Domain identifier (i.e., the DER encoding of the Composite signature algorithm identifier) with the Hash of the Message
M' := Domain || HASH(ctx || Message)
2. Generate the 2 component signatures independently, by calculating the signature over M'
according to their algorithm specifications that might involve the use of the hash-n-sign paradigm.
S1 := ML-DSA.Sign( K1, A1, M', ctx="" )
S2 := Trad.Sign( K2, A2, M' )Version 2:
Sign (sk, Message, ctx) -> (signature)
Signature Generation Process:
1. Compute the new Message M' by concatenating the Domain identifier (i.e., the DER encoding of the Composite signature algorithm identifier) with the Hash of the Message
M' := Domain || HASH(Message)
2. Generate the 2 component signatures independently, by calculating the signature over M'
according to their algorithm specifications that might involve the use of the hash-n-sign paradigm.
S1 := ML-DSA.Sign( K1, A1, M', ctx )
S2 := Trad.Sign( K2, A2, HASH(ctx || M') )
See discussion here:
https://mailarchive.ietf.org/arch/msg/spasm/YFW4hVCZAQiVge2Z1kzAlIcM4U8/
The idea is that you may want to bind the actually application context, like "MS Firmware Sign" in addition to the composite sig OID. This
If we make this change, the composite sign would become:
or possibly
where
Ctxis external input to the composite Sign(), and defaults to the empty string.My concern with doing things outside the HASH is that this is the pre-hash for RSA / ECDSA, so a very long context string could overflow the RSA / ECDSA "block" -- therefore I think any kind of variable-length Ctx needs to be inside the hash.