On Tue, Jul 30, 2024 at 9:46 AM Ilari Liusvaara <[email protected]> wrote:
> On Tue, Jul 30, 2024 at 08:52:09AM -0500, Orie Steele wrote:
> > The intention is to register the same algorithms.
> >
> > Pre-hash algorithms should be treated the same way, but because COSE and
> > JOSE have algorithm as optional, unless there is domain separation in the
> > public keys, that would be application layer alignment.
>
> One problem with supporting pre-hash algorithms is that the current key
> type specified in PQ signature drafts is incompatible with pre-hashing.
>

How so?

If there is no domain separation in public keys, then the same public key can be used for both pre-hash and regular ML-DSA, right?

COSE and JOSE expressions of that key would normally rely on the algorithm identifier, which currently we do not register any algorithms for pre-hash (hence it is not supported).

To support it, we would add a new algorithm identifier like "alg": "ML-DSA-44-PH" to distinguish public keys used for pre-hash from public keys used for traditional "alg": "ML-DSA-44".

If there is domain separation in public keys we might add a new kty for PH keys, like:

"kty": "ML-DSA-PH"

> > Pre-hash seems like a good idea, especially if folks are moving from ES256
> > with SHA-256.
> >
> > Any application interfaces that JOSE or COSE have built around pre-hashing
> > are probably easier to preserve.
>
> As a note, such interfaces already break with Ed25519/Ed448. However,
> non-prehashed ML-DSA can still be supported.
>
> For large messages, I would rather have things like hash envelopes or
> hash once, sign twice.
>
> Furthermore, in COSE one really wants to use the same hash as one
> used in signature. However, all but SLH-DSA (which can also use SHA-2)
> always use SHA-3.
>
> > Imo, it would be good to have the domain separation in the keys as
> > signatures and not rely on application layer signaling.
>
> There already is domain separation in signatures, which prevents any
> attacks apart from weak pre-hashes.
>

Right, which means new algorithms are required for COSE / JOSE to support PH variants.

If domain separation is added to keys, we would need new key types as well.

Does this match your understanding?

>
> -Ilari
>
> _______________________________________________
> COSE mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
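Added example, not code from the thread or from any COSE/JOSE draft: a sketch of the two layers of separation the reply discusses. The message prefix follows FIPS 204 (pure ML-DSA signs 0x00 || len(ctx) || ctx || M, HashML-DSA signs 0x01 || len(ctx) || ctx || OID || PH(M)), which is the "domain separation in signatures"; the alg binding check is the application-layer alignment a verifier needs when the public key itself carries no separation. "ML-DSA-44-PH" is the hypothetical identifier floated above, not a registered value, and SHA-512 as the pre-hash is an assumption.

```python
import hashlib

# Hypothetical JOSE alg identifiers from the thread -> (pre-hash?, hash name).
# "ML-DSA-44-PH" is not registered anywhere; SHA-512 pre-hash is assumed.
ALGS = {
    "ML-DSA-44": (False, None),
    "ML-DSA-44-PH": (True, "sha512"),
}

# DER-encoded OID for SHA-512 (2.16.840.1.101.3.4.2.3), as HashML-DSA embeds it.
OID_SHA512 = bytes.fromhex("0609608648016503040203")


def format_message(alg: str, msg: bytes, ctx: bytes = b"") -> bytes:
    """Build the M' that ML-DSA actually signs (FIPS 204, Algorithms 2 and 4).
    The leading byte differs between pure and pre-hash mode, so a pre-hash
    signature cannot be presented as a pure signature over the same bytes."""
    prehash, hname = ALGS[alg]
    if len(ctx) > 255:
        raise ValueError("context string too long")
    if not prehash:
        return b"\x00" + bytes([len(ctx)]) + ctx + msg
    digest = hashlib.new(hname, msg).digest()
    return b"\x01" + bytes([len(ctx)]) + ctx + OID_SHA512 + digest


def select_alg(jwk: dict, header: dict) -> str:
    """Application-layer alignment: with no domain separation in the key, the
    verifier must bind each key to one mode. Reject unknown algs, keys that
    carry no "alg" (it is optional in JWK, hence the problem), and any header
    alg that disagrees with the alg the key was provisioned with."""
    alg = header.get("alg")
    if alg not in ALGS:
        raise ValueError(f"unsupported alg {alg!r}")
    key_alg = jwk.get("alg")
    if key_alg is None:
        raise ValueError("key not bound to an alg; refusing to guess pure vs pre-hash")
    if key_alg != alg:
        raise ValueError(f"key is bound to {key_alg}, header says {alg}")
    return alg


def would_accept(jwk: dict, header: dict) -> bool:
    """Convenience wrapper: True when select_alg admits the key/header pair."""
    try:
        select_alg(jwk, header)
        return True
    except ValueError:
        return False
```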
