openpgp-pqc / draft-openpgp-pqc

Repository of the WIP draft-ietf-openpgp-pqc

Composite signature domain separators? #133

Closed ounsworth closed 3 weeks ago

ounsworth commented 3 months ago

Within the LAMPS composite sigs, we have:

M' := Domain || HASH(Message)

S1 := Sign( K1, A1, M' )
S2 := Sign( K2, A2, M' )

where Domain is the DER( Composite_OID ). The intent is so that S1 and S2 will not verify over HASH(Message) directly, but only over DER( Composite_OID ) || HASH(Message). This achieves Strong Non-Separability as per Hale-Connolly.

Is there a reason that you are not doing this for your composite signature?

falko-strenzke commented 3 months ago

In OpenPGP, Strong Non-Separability is achieved without any additional measures, since OpenPGP hashes the signature algorithm identifier as part of the metadata in the signature digest. Thus changing the signature algorithm in the signature packet causes a signature to which no message can be found.
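The two mechanisms contrasted in this thread, as an added illustration that is not code from the draft or from either commenter: the LAMPS prefix M' = DER(Composite_OID) || HASH(Message), and the OpenPGP v4 signature digest (RFC 4880 section 5.2.4), whose hashed fields carry the public-key algorithm ID so that swapping the algorithm octet changes the digest. The sample OID is arbitrary, and algorithm ID 100 (the private/experimental range) stands in for a composite algorithm because the draft's own ID is not given here.

```python
import hashlib
import struct

def hash_message(message: bytes) -> bytes:
    """HASH(Message); SHA-256 is an assumed choice for the example."""
    return hashlib.sha256(message).digest()

def der_oid(oid: str) -> bytes:
    """Minimal DER encoding of an OBJECT IDENTIFIER (tag 0x06), which is
    what LAMPS uses as the Domain value: DER(Composite_OID)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, last octet has high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    assert len(body) < 128            # short-form length suffices for this example
    return b"\x06" + bytes([len(body)]) + body

def lamps_composite_message(oid: str, message: bytes) -> bytes:
    """M' := Domain || HASH(Message).  Each component signs M', so a
    component signature does not verify over HASH(Message) alone."""
    return der_oid(oid) + hash_message(message)

def openpgp_v4_sig_digest(message: bytes, pk_algo: int, hash_algo: int = 8,
                          sig_type: int = 0x00, hashed_subpackets: bytes = b"") -> bytes:
    """Digest a v4 OpenPGP signature is computed over:
    message || hashed signature fields || trailer.  The hashed fields are
    version(4), signature type, public-key algorithm, hash algorithm (8 = SHA-256),
    and the hashed subpacket area; the trailer is 0x04 0xFF plus the
    four-octet length of the hashed fields."""
    hashed = (bytes([4, sig_type, pk_algo, hash_algo])
              + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets)
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    return hashlib.sha256(message + hashed + trailer).digest()

def algorithm_is_bound(message: bytes, algo_a: int, algo_b: int) -> bool:
    """True when re-labelling the signature packet with a different
    public-key algorithm ID yields a different digest (the thread's point)."""
    return openpgp_v4_sig_digest(message, algo_a) != openpgp_v4_sig_digest(message, algo_b)

if __name__ == "__main__":
    msg = b"constructed sample message"
    print("LAMPS M':", lamps_composite_message("1.2.840.113549", msg).hex())
    # 1 = RSA, 100 = private/experimental stand-in for a composite algorithm
    print("OpenPGP algorithm ID bound into digest:", algorithm_is_bound(msg, 1, 100))
```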

falko-strenzke commented 2 months ago

@ounsworth Is it OK if we close this issue?