From 3548bbefc626e8ac2dd118d551391ffa648f2352 Mon Sep 17 00:00:00 2001 From: John Gray <55205977+johngray-dev@users.noreply.github.com> Date: Wed, 29 Jan 2025 13:33:12 -0500 Subject: [PATCH] Add prefix encoding to definition and fix section reference --- draft-ietf-lamps-pq-composite-sigs.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/draft-ietf-lamps-pq-composite-sigs.md b/draft-ietf-lamps-pq-composite-sigs.md index 2566dd5..c1604e7 100644 --- a/draft-ietf-lamps-pq-composite-sigs.md +++ b/draft-ietf-lamps-pq-composite-sigs.md @@ -272,7 +272,7 @@ This specification uses the Post-Quantum signature scheme ML-DSA as specified in In [FIPS.204] NIST defined ML-DSA to have both pure and pre-hashed signing modes, referred to as "ML-DSA" and "HashML-DSA" respectively. Following this, this document defines "Composite-ML-DSA" and "HashComposite-ML-DSA" which mirror the external functions defined in [FIPS.204]. -# Composite ML-DSA Functions +# Composite ML-DSA Functions {#sec-sigs} ## Key Generation @@ -370,7 +370,8 @@ Implicit inputs: Composite OID. See section on Domain Separators below. Prefix The prefix String which is the byte encoding of the String - "CompositeAlgorithmSignatures2025" + "CompositeAlgorithmSignatures2025" which in hex is + 436F6D706F73697465416C676F726974686D5369676E61747572657332303235 Output: @@ -451,7 +452,8 @@ Implicit inputs: Composite OID. See section on Domain Separators below. Prefix The prefix String which is the byte encoding of the String - "CompositeAlgorithmSignatures2025" + "CompositeAlgorithmSignatures2025" which in hex is + 436F6D706F73697465416C676F726974686D5369676E61747572657332303235 Output: 
@@ -535,7 +537,8 @@ Implicit inputs: or "Ed25519". Prefix The prefix String which is the byte encoding of the String - "CompositeAlgorithmSignatures2025" + "CompositeAlgorithmSignatures2025" which in hex is + 436F6D706F73697465416C676F726974686D5369676E61747572657332303235 Domain Domain separator value for binding the signature to the Composite OID. See section on Domain Separators below. @@ -621,7 +624,8 @@ Implicit inputs: or "Ed25519". Prefix The prefix String which is the byte encoding of the String - "CompositeAlgorithmSignatures2025" + "CompositeAlgorithmSignatures2025" which in hex is + 436F6D706F73697465416C676F726974686D5369676E61747572657332303235 Domain Domain separator value for binding the signature to the Composite OID. See section on Domain Separators below. 
@@ -1528,7 +1532,7 @@ There are mechanisms within Internet PKI where trusted public keys do not appear ## Use of Prefix to for attack mitigation -The Prefix value specified in the message format calculated in {{{sec-sigs}} can be used by a traditional verifier to detect if the composite signature has been stripped apart. An attacker would need to compute M' = Prefix || Domain || len(ctx) || ctx || M or M' := Prefix || Domain || len(ctx) || ctx || HashOID || PH(M). Since the Prefix is the constant String "CompositeAlgorithmSignatures2025" (Byte encoding 436F6D706F73697465416C676F726974686D5369676E61747572657332303235 ) a traditional verifier can check if the Message starts with this prefix and reject the message. +The Prefix value specified in the message format calculated in {{sec-sigs}} can be used by a traditional verifier to detect if the composite signature has been stripped apart. An attacker would need to compute M' = Prefix || Domain || len(ctx) || ctx || M or M' := Prefix || Domain || len(ctx) || ctx || HashOID || PH(M). Since the Prefix is the constant String "CompositeAlgorithmSignatures2025" (Byte encoding 436F6D706F73697465416C676F726974686D5369676E61747572657332303235 ) a traditional verifier can check if the Message starts with this prefix and reject the message.
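Review bot: in the @@ -370 hunk (and identically in the @@ -451, @@ -535 and @@ -624 hunks) the added wording "which in hex is" leaves the character encoding unstated; the 32-byte value 436F6D706F73697465416C676F726974686D5369676E61747572657332303235 is the ASCII (equivalently UTF-8) encoding of "CompositeAlgorithmSignatures2025", so say that explicitly, for example `The prefix String which is the ASCII byte encoding of the String` / `"CompositeAlgorithmSignatures2025", which in hex is`. The same 64-character hex constant is now pasted verbatim into four function definitions plus the security considerations; defining it once and referencing it would keep the copies from drifting apart in later edits. The hex itself checks out: 43 6F 6D 70 6F 73 69 74 65 = "Composite", 41 6C 67 6F 72 69 74 68 6D = "Algorithm", 53 69 67 6E 61 74 75 72 65 73 = "Signatures", 32 30 32 35 = "2025", 32 bytes in total.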
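Review bot: the @@ -1528 hunk correctly drops the stray third brace in `{{{sec-sigs}}`, but the heading in the hunk's own context line, `## Use of Prefix to for attack mitigation`, still reads "to for" and should be fixed in the same commit. The changed line also mixes `M' = Prefix || Domain || len(ctx) || ctx || M` and `M' := Prefix || Domain || len(ctx) || ctx || HashOID || PH(M)` for the two message forms; use one assignment notation for both, matching whichever the function definitions under {{sec-sigs}} use.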