lamps-wg / draft-composite-sigs

IETF Internet-Draft about X.509 certificates with composite keys and signatures.

Prefix constant string to M' and add statement about attack detection #86

Open falko-strenzke opened 2 weeks ago

falko-strenzke commented 2 weeks ago

In the current proposal, M' starts with the OID. My suggestion is to prefix a "magic" constant of length 16 or 32 bytes to the OID.

The reason is the following: In the case that a signature stripping attack is executed where the PQ signature is stripped off, the remaining traditional signature is valid for the message M'. This amounts to an EUF-CMA violation (under consideration of cross-algorithm chosen-message oracle queries). Prefixing the magic constant allows CMS implementations of the signature verification to perform attack detection by checking that the start of the signed data is equal to the magic string. Otherwise, the forged message cannot be detected and may cause harm in the receiving system.

The value of the attack detection mechanism should be mentioned in the text as well. In my view, it should be specified as a "SHOULD" feature.
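The following is an added illustration of the proposal above, not code from the draft or from the issue author. It builds M' = MAGIC || OID || M, simulates a composite signature whose PQ component is stripped, and shows how a verifier for the traditional algorithm alone can detect the stripped signature by checking the signed data for the magic prefix. The magic value, the DER-encoded OID 1.2.3.4 and the HMAC-based "signatures" are constructed placeholders standing in for the real constant, the composite OID and the RSA/ECDSA and ML-DSA components.

```python
import hashlib
import hmac

# Constructed 16-byte "magic" prefix; a placeholder, not the draft's value.
MAGIC = b"COMPOSITE-SIG-V1"
# Placeholder OID 1.2.3.4 in DER, standing in for the composite algorithm OID.
COMPOSITE_OID_DER = b"\x06\x03\x2a\x03\x04"


def build_m_prime(oid_der: bytes, message: bytes, magic: bytes = MAGIC) -> bytes:
    """M' = MAGIC || OID || M, the prefixed construction proposed in the issue."""
    return magic + oid_der + message


def toy_sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for one component signature (HMAC-SHA256; NOT a real signature)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def toy_verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(toy_sign(key, data), sig)


def composite_sign(trad_key: bytes, pq_key: bytes, oid_der: bytes, message: bytes):
    """Both components sign the same M'; returns (traditional_sig, pq_sig)."""
    m_prime = build_m_prime(oid_der, message)
    return toy_sign(trad_key, m_prime), toy_sign(pq_key, m_prime)


def composite_verify(trad_key: bytes, pq_key: bytes, oid_der: bytes, message: bytes, sigs) -> bool:
    m_prime = build_m_prime(oid_der, message)
    trad_sig, pq_sig = sigs
    return toy_verify(trad_key, m_prime, trad_sig) and toy_verify(pq_key, m_prime, pq_sig)


def has_magic_prefix(signed_data: bytes, magic: bytes = MAGIC) -> bool:
    """The attack-detection check: does the signed content start with MAGIC?"""
    return len(signed_data) >= len(magic) and hmac.compare_digest(signed_data[: len(magic)], magic)


def standalone_verify(trad_key: bytes, signed_data: bytes, sig: bytes, magic: bytes = MAGIC):
    """
    Verifier for the traditional algorithm used on its own, e.g. a CMS
    SignedData whose signer identifies only the traditional OID.
    Legitimate stand-alone content never begins with MAGIC, so content that
    does can only be the M' of a composite signature whose PQ component was
    stripped. Returns (accepted, stripping_detected).
    """
    if has_magic_prefix(signed_data, magic):
        return False, True
    return toy_verify(trad_key, signed_data, sig), False


if __name__ == "__main__":
    trad_key, pq_key = b"trad-key", b"pq-key"   # constructed sample keys
    msg = b"transfer 10 units"                   # constructed sample message
    sigs = composite_sign(trad_key, pq_key, COMPOSITE_OID_DER, msg)
    print("composite ok:", composite_verify(trad_key, pq_key, COMPOSITE_OID_DER, msg, sigs))

    # Stripping: the traditional component alone is presented as a plain
    # signature over M'. Without the check it verifies; with it, it is flagged.
    m_prime = build_m_prime(COMPOSITE_OID_DER, msg)
    print("raw traditional verify of stripped sig:", toy_verify(trad_key, m_prime, sigs[0]))
    print("stand-alone verifier (accepted, detected):", standalone_verify(trad_key, m_prime, sigs[0]))
```

The detection relies on the magic value never occurring at the start of content legitimately signed with the traditional algorithm on its own, which is why a fixed 16- or 32-byte constant, rather than the OID alone, is what the check keys on.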

ilaril commented 2 weeks ago

Alternatively, since RSA and ECDSA actually sign a hash, and everything else relevant has context inputs, one could do something like the following to get actual strong non-separability (even for RSA and ECDSA):

Pure:

M' = Domain | 0 | len(ctx) | ctx | M

Prehashed:

M' = Domain | 1 | len(ctx) | ctx | HashOID | PH(M)

RSA:

RSA_signhash(cSHAKE256(M', ctx="sig-composite"))

ECDSA:

ECDSA_signhash(bytes2bits_be(cSHAKE256(M', ctx="sig-composite")))

Ed25519:

Ed25519ctx_sign(M', ctx="sig-composite")

Ed448:

Ed448_sign(M', ctx="sig-composite")

ML-DSA:

MLDSA_sign(M', ctx="sig-composite")

Some notes: