Merge pull request #108 from lamps-wg/jg_86_addPrefixAttackMitigation
Add support for the prefix
johngray-dev authored Jan 29, 2025
2 parents d5b36d4 + 9dd0052 commit 5c49dab
Showing 1 changed file with 24 additions and 4 deletions.
28 changes: 24 additions & 4 deletions draft-ietf-lamps-pq-composite-sigs.md
@@ -356,6 +356,7 @@ Explicit inputs:
ctx The Message context string, which defaults to the empty string.



Implicit inputs:

ML-DSA A placeholder for the specific ML-DSA algorithm and
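Review bot: the only change in this hunk is an added blank line after the `ctx` description, leaving three empty lines before `Implicit inputs:`; a whitespace-only change in a spec diff adds blame noise for no benefit, so drop it, or if a separator was intended keep a single blank line as the rest of the input list does.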
@@ -368,6 +369,10 @@ Implicit inputs:
Domain Domain separator value for binding the signature to the
Composite OID. See section on Domain Separators below.

Prefix The prefix String which is the byte encoding of the String
"CompositeAlgorithmSignatures2025" which in hex is
436F6D706F73697465416C676F726974686D5369676E61747572657332303235

Output:

signature The composite signature, a CompositeSignatureValue.
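Review bot: the new `Prefix` entry is the definition that every later hunk copies verbatim, so get it precise here. "The prefix String which is the byte encoding of the String" should say what encoding and how long: the hex given is the 32-byte ASCII encoding of "CompositeAlgorithmSignatures2025" (it checks out byte for byte), so something like `Prefix  The fixed 32-byte ASCII encoding of "CompositeAlgorithmSignatures2025", in hex 436F...32303235` reads better, and it is worth saying explicitly that, unlike Domain, this value is identical for every composite algorithm. Since the same paragraph is pasted into four input lists, consider defining Prefix once next to the Domain Separators section and referencing it from each list, so a future edit to the constant cannot leave the four copies out of sync.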
@@ -379,7 +384,7 @@ Signature Generation Process:

2. Compute the Message M'.

M' = Domain || len(ctx) || ctx || M
M' = Prefix || Domain || len(ctx) || ctx || M

3. Separate the private key into component keys.

@@ -446,6 +451,10 @@ Implicit inputs:
Domain Domain separator value for binding the signature to the
Composite OID. See section on Domain Separators below.

Prefix The prefix String which is the byte encoding of the String
"CompositeAlgorithmSignatures2025" which in hex is
436F6D706F73697465416C676F726974686D5369676E61747572657332303235


Output:
Validity (bool) "Valid signature" (true) if the composite
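Review bot: this copy of the Prefix paragraph leaves two blank lines before `Output:` where the signing section has one; tidy the spacing, and since signer and verifier must use byte-identical constants, prefer a reference to a single definition over a second verbatim copy.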
@@ -469,7 +478,7 @@ Signature Verification Process:

3. Compute the Message M'.

M' = Domain || len(ctx) || ctx || M
M' = Prefix || Domain || len(ctx) || ctx || M

4. Check each component signature individually, according to its
algorithm specification.
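Review bot: step 3 now builds M' with Prefix from the caller-supplied M, and step 4 says "Check each component signature individually" without naming the message; spell out that every component verify runs over M', not M, since the stripping defence only holds if the traditional component signature actually covers the Prefix bytes. No Prefix check on M itself belongs here: a composite verifier is not the party that needs to detect stripping, the traditional verifier described in the Security Considerations is.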
@@ -527,6 +536,10 @@ Implicit inputs:
parameter set to use, for example "RSASA-PSS with id-sha256"
or "Ed25519".

Prefix The prefix String which is the byte encoding of the String
"CompositeAlgorithmSignatures2025" which in hex is
436F6D706F73697465416C676F726974686D5369676E61747572657332303235

Domain Domain separator value for binding the signature to the
Composite OID. See section on Domain Separators below.

@@ -543,7 +556,7 @@ Signature Generation Process:

2. Compute the Message format M'.

M' := Domain || len(ctx) || ctx || HashOID || PH(M)
M' := Prefix || Domain || len(ctx) || ctx || HashOID || PH(M)

3. Separate the private key into component keys.

@@ -610,6 +623,10 @@ Implicit inputs:
parameter set to use, for example "RSASA-PSS with id-sha256"
or "Ed25519".

Prefix The prefix String which is the byte encoding of the String
"CompositeAlgorithmSignatures2025" which in hex is
436F6D706F73697465416C676F726974686D5369676E61747572657332303235

Domain Domain separator value for binding the signature to the
Composite OID. See section on Domain Separators below.

@@ -639,7 +656,7 @@ Signature Verification Process:

3. Compute a Hash of the Message.

M' = Domain || len(ctx) || ctx || HashOID || PH(M)
M' = Prefix || Domain || len(ctx) || ctx || HashOID || PH(M)

4. Check each component signature individually, according to its
algorithm specification.
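Review bot: the step title "Compute a Hash of the Message." no longer describes what the step does; it computes the full M' (Prefix, Domain, ctx length, ctx, HashOID and PH(M)), so rename it to match the signing side, "Compute the Message format M'", and use the same `=` or `:=` as the signing step so the two sides are visibly identical.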
@@ -1538,6 +1555,9 @@ Specifically, in order to achieve this non-separability property, this specifica

There are mechanisms within Internet PKI where trusted public keys do not appear within signed structures -- such as the Trust Anchor format defined in [RFC5914]. In such cases, it is the responsibility of implementers to ensure that trusted composite keys are distributed in a way that is tamper-resistant and does not allow the component keys to be trusted independently.

## Use of Prefix to for attack mitigation

The Prefix value specified in the message format calculated in {{sec-sigs}} can be used by a traditional verifier to detect if the composite signature has been stripped apart. An attacker would need to compute `M' = Prefix || Domain || len(ctx) || ctx || M` or `M' := Prefix || Domain || len(ctx) || ctx || HashOID || PH(M)`. Since the Prefix is the constant String "CompositeAlgorithmSignatures2025" (Byte encoding 436F6D706F73697465416C676F726974686D5369676E61747572657332303235 ) a traditional verifier can check if the Message starts with this prefix and reject the message.

<!-- End of Security Considerations section -->

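Review bot: the mitigation is presented as if it defends against stripping, but it only helps a traditional verifier that has been modified to look for the Prefix; an unmodified RSA or ECDSA verifier will accept a stripped component signature over M' exactly as before, so the text should frame the Prefix as a detection aid for updated verifiers and keep the Trust Anchor / key distribution guidance above as the real defence. The sentence "An attacker would need to compute `M' = ...`" is also misleading: the attacker computes nothing, the stripped component signature already covers M', so the attacker must present M' as the message, and that is what makes the leading 32 bytes detectable. Suggest: "A component signature lifted out of a composite is a signature over M', which begins with the constant Prefix; a traditional verifier that is aware of this specification can therefore reject any message whose first 32 bytes equal the Prefix." It should also state the trade-off that such a verifier will reject a legitimate traditional message that happens to start with those bytes. Finally, fix the heading typo "Use of Prefix to for attack mitigation" (drop "to"), remove the stray space in "32303235 )", and say "reject the signature" rather than "reject the message".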
