On Fri 2021-05-21 20:18:02 +0000, brian m. carlson wrote:
> On 2021-05-21 at 17:48:56, Daniel Kahn Gillmor wrote:
>> Alternately, maybe we should instead reframe OpenPGP's use of Ed25519 as
>> a "PureEdDSA" scheme that signs only the OpenPGP digest (not the signed
>> data directly). That bypasses the "PH" parameter, but it also means
>> that any cryptanalysis that is applied to EdDSA isn't necessarily
>> applicable to OpenPGP, because we have this additional step involved.
>
> I would prefer this approach. OpenPGP has traditionally allowed users
> to use whatever digest they like with keys, even when the standards have
> traditionally fixed a digest. For example, DSA generally has specified
> that either SHA-1 or SHA-2 has to be used and it has to be used with the
> proper size q, but we've allowed RIPEMD-160 and SHA-256 with smaller q.
> If, for example, we discover a weakness in SHA-512, it should be fine
> to switch to SHA3-512 for signatures without problems.
Well, it's true that we could swap out PH(x) (the prehash function), but
if I'm understanding EdDSA correctly, we could *not* swap out H(x) (the
hash function), which is SHA-512(dom2(phflag,context)||x) for any
variant of Ed25519.

See https://datatracker.ietf.org/doc/html/rfc8032#section-5.1 for more
details about the EdDSA parameter choices for the three different
flavors of Ed25519.

If I'm understanding how OpenPGP uses Curve25519 for signatures
correctly, I don't think that the OpenPGP choice of digest has any
effect on H(x). If it does, it's hard to say that we'll have dodged a
SHA-512 weakness entirely.
> I will admit that using multiple digests may require additional work for
> cryptanalysis, but I suspect that if PureEdDSA is secure with arbitrary
> messages and the hash function is collision resistant (both of which we
> would reasonably expect), then this approach will likely be secure. I
> provide no proof of my conjecture, though.
I have the same intuition as you, and the same lack of rigorous proof :P
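To make the PH(x) / H(x) distinction above concrete, here is an added example (written for this page, not code from the thread or from any OpenPGP implementation): a minimal pure-Python RFC 8032 Ed25519 signer in which the prehash PH is the caller's choice while H(x) = SHA-512(dom2(phflag, context) || x) is the same SHA-512 in every variant. The names ed25519ph_sign and openpgp_style_sign are my own labels for the two constructions being compared; the digest name passed to openpgp_style_sign stands in for the OpenPGP signature's hash algorithm.

```python
import hashlib
# Ed25519 parameters from RFC 8032 section 5.1; Gx/Gy are the standard base point B
p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, p - 2, p) % p
Gx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
Gy = 4 * pow(5, p - 2, p) % p
G = (Gx, Gy, 1, Gx * Gy % p)  # extended coordinates (X, Y, Z, T)

def point_add(P, Q):
    A, B = (P[1] - P[0]) * (Q[1] - Q[0]) % p, (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C, D = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    return ((B - A) * (D - C) % p, (D + C) * (B + A) % p, (D - C) * (D + C) % p, (B - A) * (B + A) % p)

def point_mul(s, P):
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            Q = point_add(Q, P)
        P, s = point_add(P, P), s >> 1
    return Q

def encode_point(P):
    zinv = pow(P[2], p - 2, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def dom2(phflag, context):
    # Empty for plain Ed25519; the domain-separation prefix for Ed25519ctx (0) / Ed25519ph (1)
    return b"" if phflag is None else b"SigEd25519 no Ed25519 collisions" + bytes([phflag, len(context)]) + context

def H(phflag, context, x):
    # H(x) = SHA-512(dom2(phflag, context) || x) mod q: the same SHA-512 in every variant
    return int.from_bytes(hashlib.sha512(dom2(phflag, context) + x).digest(), "little") % q

def ed25519_sign(secret, msg, phflag=None, context=b""):
    # phflag None: Ed25519, PH = identity; 1: Ed25519ph, caller passes msg = PH(M) = SHA-512(M)
    h = hashlib.sha512(secret).digest()  # key expansion is SHA-512 as well
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    A = encode_point(point_mul(a, G))
    r = H(phflag, context, h[32:] + msg)
    R = encode_point(point_mul(r, G))
    s = (r + H(phflag, context, R + A + msg) * a) % q
    return R + s.to_bytes(32, "little")

def ed25519ph_sign(secret, message, context=b""):
    return ed25519_sign(secret, hashlib.sha512(message).digest(), phflag=1, context=context)

def openpgp_style_sign(secret, message, digest="sha3_512"):
    # The reframing discussed above: the OpenPGP digest plays PH, its output is signed with plain Ed25519
    return ed25519_sign(secret, hashlib.new(digest, message).digest())
```

Swapping `digest` changes only the bytes fed into ed25519_sign; both SHA-512 calls inside H (and the key expansion) stay, which is the point about not dodging a SHA-512 weakness entirely.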
openpgp mailing list