On Thu, Oct 03, 2024 at 08:00:16PM +0200, Emil Lundberg wrote:
> > If you don't want domain separation, then you simply need to identify
> > registered algorithms,
> >
> For the keys and the resulting cryptograms, yes. But that's not what my
> question was about.
> > [...] where you can do the pre hash part separate from the signing part.
> > [...]
> > [...] but be careful, this does not generalize to other COSE digital
> > signature schemes, like Ed25519 / EdDSA.
> >
> This is what I'm asking about - or, more precisely, how to communicate
> where the separation happens between "pre hash part" and "signing part".
> Like you point out, there's no way to describe that generically, especially
> since some algorithms like PureEdDSA and ML-DSA *can't* be separated like
> that.

For ML-DSA, it is possible to calculate the internal hash (mu; 64 bytes)
from the public key and message.

For PureEdDSA (and SLH-DSA), to get two-party signing with O(1)
communication, an interactive (two-round) protocol is required. This is
possible by exploiting the fact that verifiers cannot detect if the first
message-dependent value has been replaced by a random value. However, this
is playing with fire (the protocol must never fork and random numbers
have to be absolutely perfect).

-Ilari
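
The ML-DSA split mentioned in the message above, as an added example that is not part of the original e-mail: it computes mu from the public key and message following the FIPS 204 encoding for pure ML-DSA (mu = SHAKE256(tr || M'), tr = SHAKE256(pk)). The names `MuHasher`, `compute_mu` and `SAMPLE_PK` are hypothetical, and the key bytes are a constructed placeholder, not a real key.

```python
import hashlib

TR_LEN = 64   # FIPS 204: tr = SHAKE256(pk), 64 bytes
MU_LEN = 64   # mu is 64 bytes, as noted in the message above

# Constructed placeholder with the ML-DSA-44 public key length (1312 bytes);
# not a real key.
SAMPLE_PK = bytes(range(256)) * 5 + bytes(32)


class MuHasher:
    """Runs on the party that holds the message; needs only the public key."""

    def __init__(self, pk: bytes, ctx: bytes = b""):
        if len(ctx) > 255:
            raise ValueError("context string is limited to 255 bytes")
        tr = hashlib.shake_256(pk).digest(TR_LEN)
        self._xof = hashlib.shake_256()
        # mu = SHAKE256(tr || M'), with M' = 0x00 || len(ctx) || ctx || M
        self._xof.update(tr + bytes([0, len(ctx)]) + ctx)

    def update(self, chunk: bytes) -> None:
        self._xof.update(chunk)   # message can be streamed in any chunking

    def digest(self) -> bytes:
        return self._xof.digest(MU_LEN)


def compute_mu(pk: bytes, message: bytes, ctx: bytes = b"") -> bytes:
    hasher = MuHasher(pk, ctx)
    hasher.update(message)
    return hasher.digest()


if __name__ == "__main__":
    mu = compute_mu(SAMPLE_PK, b"constructed sample message")
    print(len(mu), mu.hex())
```

Only the 64-byte mu has to cross to the key holder; whether a given signer implementation accepts mu as input instead of the message is an assumption to check.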
