Hello,

There may be no good answer to this, but I wanted to check.

- The payload is large, say a big chunk of SW, maybe a SW update.
- The HW hash engine is costly to spin up
- Signing twice, once with ECDSA once with LMS for PQ is required

Because of the way COSE_Signatures and the Sig_structure work, the hashes signed 
by ECDSA and LMS are not the same. One of the reasons they’re not the same is 
that the hash covers the algorithm ID. You have to hash all the bytes in the 
payload twice.


Here’s Sig_structure today:

Sig_structure = [
    context : "Signature" / "Signature1",
    body_protected : empty_or_serialized_map,
    ? sign_protected : empty_or_serialized_map,
    external_aad : bstr,
    payload : bstr
]

If the COSE design was different with Sig_structure ordered like this:

Sig_structure = [
    context : "Signature" / "Signature1",
    external_aad : bstr,
    payload : bstr,
    body_protected : empty_or_serialized_map,
    ? sign_protected : empty_or_serialized_map
]

it would have been possible to hash up through the payload and clone the hash 
context. But, that is not the case and we’re not going to change this part of 
COSE now.


It seems like the thing to do here is add a level of hashing indirection — hash 
the actual payload bytes, then that hash becomes the COSE payload. Probably the 
right way to do this is to define this:

Hash_structure = [
    context : "Hash",
    body_protected : empty_or_serialized_map,
    payload : bstr,
]

as the bytes to hash. That way the algorithm identifier and other body 
protected headers are covered. 

This could be the basis of another signature format for COSE. Call it 
COSE_SignIndirect. The body algorithm ID header parameter is the hash over the 
Hash_structure. Then:

Indirect_Sig_structure = [
    context : "IndirectSignature",
    sign_protected : empty_or_serialized_map,
    external_aad : bstr,
    Hash_structure_hash : bstr
]

This would be roughly equivalent to what is done for the encryption formats 
with the symmetric encryption algorithm.

But given we’re probably not going to create COSE_SignIndirect, I can still get 
most of what I need by creating a new header parameter called body_hash_alg, 
and by making the above Hash_structure the body for a COSE_Sign. The actual 
payload bytes would be transmitted separately outside of COSE.

LL


_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
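
The layouts discussed in the message above, as an added example that is not part of the original post: it serializes today's Sig_structure for an ECDSA signer and an LMS signer, finds where the two encodings diverge, and compares the bytes that must be hashed against the proposed Hash_structure / Indirect_Sig_structure. Assumptions: the registered COSE identifiers ES256 (-7), HSS-LMS (-46) and SHA-256 (-16), SHA-256 as the body hash, an empty body_protected in today's layout, and function names chosen here for illustration.

```python
import hashlib

ES256, HSS_LMS, SHA256 = -7, -46, -16  # registered COSE algorithm identifiers
ALG = 1                                # COSE header label for "alg"

def head(major, n):
    """CBOR head for a major type and argument n (n < 2**32 in this sketch)."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("argument too large for this sketch")

def enc(x):
    """Minimal CBOR encoder covering int, bytes, str, list and dict."""
    if isinstance(x, int):
        return head(0, x) if x >= 0 else head(1, -1 - x)
    if isinstance(x, bytes):
        return head(2, len(x)) + x
    if isinstance(x, str):
        return head(3, len(x.encode())) + x.encode()
    if isinstance(x, list):
        return head(4, len(x)) + b"".join(map(enc, x))
    return head(5, len(x)) + b"".join(enc(k) + enc(v) for k, v in x.items())

def sig_structure(alg, payload, aad=b""):
    # Current layout: the per-signer protected header precedes the payload.
    return enc(["Signature", b"", enc({ALG: alg}), aad, payload])

def shared_prefix(a, b):
    """Number of leading bytes two to-be-signed encodings have in common."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def hash_structure_hash(payload):
    # Proposed Hash_structure: the one and only pass over the payload bytes.
    body_protected = enc({ALG: SHA256})
    return hashlib.sha256(enc(["Hash", body_protected, payload])).digest()

def indirect_sig_structure(alg, digest, aad=b""):
    # Proposed Indirect_Sig_structure: small, one per signer.
    return enc(["IndirectSignature", enc({ALG: alg}), aad, digest])

def compare(payload):
    """Return (divergence offset, bytes hashed today, bytes hashed indirectly)."""
    direct = [sig_structure(a, payload) for a in (ES256, HSS_LMS)]
    digest = hash_structure_hash(payload)
    tbs = [indirect_sig_structure(a, digest) for a in (ES256, HSS_LMS)]
    hashed_once = len(enc(["Hash", enc({ALG: SHA256}), payload]))
    return shared_prefix(*direct), sum(map(len, direct)), hashed_once + sum(map(len, tbs))
```

For a constructed 1 MiB payload, `compare` reports a divergence offset that falls inside the headers, before the first payload byte, which is why a cloned hash context cannot be shared between the two signers in today's layout.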