Dear,
I would like to ask how the future development of digital signature
algorithms for the DKIM standard will be addressed.
Currently the RSA algorithm is used, usually with key sizes of 1024-2048
bits, although key sizes up to 4096 bits and the Ed25519 algorithm have
been supported for 6 years. However, their adoption is minimal. From my
perspective, DKIM:

RSA (according to the RFC; supported by DSS, the EU eIDAS directive and
the X.509 standard)
- uses PKCS#1 v1.5 padding, but thanks to the architecture I do not
  know of any possibility of applying the Bleichenbacher attack ('98)
- I do not know of any possibility of using PKCS#1 v2.2 aka RSA-OAEP
- RSA has subexponential attack complexity, therefore increasing the
  complexity of the attack requires a significantly larger key
- RSA 1024 recommended since 2001, RSA 2048 since 2015, RSA 3072 since
  2020 (NIST, but similar at ENISA in the EU and many national authorities)

Ed25519 (according to the RFC; supported by FIPS 186-5, the EU eIDAS
directive and the X.509 standard)
- runs in constant time
- has low support
- according to statistics, adoption is somewhere around 5%
- its security level roughly corresponds to RSA 3072

Ed448 (not in the RFC, but supported by FIPS 186-5, the EU eIDAS
directive and the X.509 standard)
- runs in constant time
- its security level roughly corresponds to RSA 9216
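As an added example (not from this message or from any DKIM implementation), the following Python script audits DKIM DNS TXT records for the key types and sizes compared above: it parses the RSA SubjectPublicKeyInfo with a minimal DER reader (no external libraries), flags RSA moduli below 2048 bits, and checks that an ed25519 record carries a raw 32-byte key. All sample records are constructed dummies, not real published selectors.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def der_tlv(tag, body):
    """Encode one DER tag-length-value (used only to build constructed samples)."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(spki):
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> INTEGER n."""
    _, outer, _ = der_read(spki, 0)                  # outer SEQUENCE
    _, _, alg_end = der_read(spki, outer)            # AlgorithmIdentifier (skipped)
    tag, bs, _ = der_read(spki, alg_end)             # BIT STRING; first byte = unused bits
    assert tag == 0x03, "expected BIT STRING"
    _, pk, _ = der_read(spki, bs + 1)                # RSAPublicKey SEQUENCE
    _, n0, n1 = der_read(spki, pk)                   # INTEGER modulus
    return int.from_bytes(spki[n0:n1], "big").bit_length()

def audit_dkim_key(txt_record):
    """Classify a DKIM DNS TXT record by key type and strength."""
    tags = dict(kv.strip().split("=", 1) for kv in txt_record.split(";") if "=" in kv)
    ktype = tags.get("k", "rsa")                     # RFC 6376: k= defaults to rsa
    pub = base64.b64decode("".join(tags["p"].split()))
    if ktype == "rsa":
        bits = rsa_modulus_bits(pub)
        return {"k": ktype, "bits": bits, "verdict": "weak" if bits < 2048 else "ok"}
    if ktype == "ed25519":                           # RFC 8463: p= is the raw 32-byte key
        return {"k": ktype, "bits": len(pub) * 8, "verdict": "ok" if len(pub) == 32 else "malformed"}
    return {"k": ktype, "bits": None, "verdict": "unknown"}

def fake_rsa_spki(bits):
    """Constructed SPKI with a dummy modulus of the given size (not a real key)."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_pub = der_tlv(0x30, der_tlv(0x02, b"\x00" + n) + der_tlv(0x02, b"\x01\x00\x01"))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))

SAMPLE_RSA_1024 = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(1024)).decode()  # constructed
SAMPLE_ED25519 = "v=DKIM1; k=ed25519; p=" + base64.b64encode(b"\x11" * 32).decode()      # constructed
```

Run `audit_dkim_key` over the TXT records of your own selectors to see which still fall into the 1024-bit RSA class discussed above.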
Unfortunately, these algorithms are not resistant to quantum computers.
It is debatable whether it will actually be possible to build such
computers (for more details see
https://thequantuminsider.com/2024/07/26/quantum-error-mitigation-may-face-hard-limits/),
but the current development of cryptography is not just about quantum
computers. As a precaution, it might be worth considering the
possibility of extending the existing set of algorithms with Ed448, as
well as implementing the new NIST standards. From my
perspective, it is interesting to look at the complexity of attacks on
current cryptography on classical computers as well as the potential risk
in terms of future development; see the graph visualizing this
complexity at
https://quantumcomputingreport.com/the-gqi-quantum-resource-estimator-playbook/.
NIST released the first three standards for quantum-computer-resistant
cryptography (PQC, aka Post-Quantum Cryptography) a few days ago.
Information can be found at
https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
and details in the following documents:
FIPS 203 - Module-Lattice-Based Key-Encapsulation Mechanism
https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.203.pdf
FIPS 204 - Module-Lattice-Based Digital Signature
https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf
FIPS 205 - Stateless Hash-Based Digital Signature
https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.205.pdf
What is our view and opinion?
Regards
Jan
Jan Dušátko
Tracker number: +420 602 427 840
e-mail: [email protected]
GPG: https://keys.dusatko.org/2E7D58B90FC2867C.asc
Ietf-dkim mailing list -- [email protected]