NIST notes that in the third round there are 3 signature finalists, and 3 signature alternates. Recent cryptanalysis has impacted the analysis of both Rainbow and GeMSS. We are concerned about a lack of diversity of signature schemes for security and application reasons. As a starting point for discussion, we would like to point out a couple of paragraphs from NISTIR 8309, our 2nd Round report:
"NIST sees SPHINCS+ as an extremely conservative choice for standardization. If NIST’s confidence in better performing signature algorithms is shaken by new analysis , SPHINCS+ could provide an immediately available algorithm for standardization at the end of the third round. "
And
"NIST is pleased with the progress of the PQC standardization effort but recognizes that current and future research may lead to promising schemes which were not part of the NIST PQC Standardization Project. NIST may adopt a mechanism to accept such proposals at a later date. In particular, NIST would be interested in a general-purpose digital signature scheme which is not based on structured lattices."
We would like to ask for feedback from the community about this issue. Thank you.
Dustin Moody
NIST PQC team
On Jan 21, 2021, at 11:12 AM, 'Moody, Dustin (Fed)' via pqc-forum <pqc-...@list.nist.gov> wrote:
EXTERNAL EMAIL : Exercise caution when responding, opening links, or opening attachments.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/DM6PR09MB5096782DB2F165C8A2E0ADB5E5A10%40DM6PR09MB5096.namprd09.prod.outlook.com.
Dear Dustin and NIST,
To us, it appears clearly that, at least for code-based
signatures--Hamming, rank, and possibly other metrics--the
scientific situation has evolved significantly and positively
since the 2017 call. We believe that numerous actors are now in a
position to submit new secure and efficient proposals for digital
signatures, including general purpose ones.
Besides variations on the Stern scheme (i.e. non-interactive
zero-knowledge--a la Fiat Shamir schemes) which in our opinion are
interesting options, there have been recently some further
developments. For instance if we just cite on our own recent
works, there is a hash-and-sign signature (Wave) and a rank metric
variation of the Schnorr-Lyubashevsky approach (Durandal). We
cannot speak for others, but we certainly plan to submit some
proposals if a call is made.
Best regards,
Thomas Debris-Alazard
Philippe Gaborit
Nicolas Sendrier
Jean-Pierre Tillich
Hi Dustin and PQC Forum,
My 2c,
Generally speaking, a Round 4 for both signatures and KEMs would be good, because it could increase diversity and thereby increase security in strongest-link multiple-scheme cryptography (and perhaps agility in single-scheme crypto, if downgrade attacks can be thwarted out-of-band) – all this assuming that readying Round 4 does not delay finishing Round 3.
Code-based and isogeny-based signatures would certainly help diversity. A hash-based signature is quite conservative, as you say, so well worth standardizing as part of Round 3.
Best regards,
Dan
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/DM6PR09MB5096782DB2F165C8A2E0ADB5E5A10%40DM6PR09MB5096.namprd09.prod.outlook.com.
Hi Dustin and PQC forum
I would like to comment about Separation of hash with signature algorithms.
I am sorry if my concern had been discussed, or my statement or paper below is not clear enough.
<https://eprint.iacr.org/2020/990>
As far as I understand, current candidates for digital signature does not need to support separation of hash.
However, I really think a mechanism similar to separation of hash is necessary for interoperability with traditional crypto system (especially with HSM).
We often separate Public key cryptography function into two entities, like data controller and key manager,
so that data controller can calculate hash, and key manager able to focus on key management and asymmetric operation with HSM.
This feature is also important to sign large content (e.g., 10GigaByte data) with HSM.
With above background, we hope at least one of finalist signature algorithms support separation of hash (or similar mechanism to handle large file).
Regards Tadahiko Ito
I think I should clarify my statement bit more.
I believe my problem can be solved with following approaches.
1) Disassemble current PQC signature into two, and implement them
2) add external hash protocol with current PQC signature, and use that composite protocol for digital signature
At the very beginning I thought 2) would be more tangible choice, but some people said 1) is better.
I am not sure where to discuss about choice of 2), but here seems to be suitable place to discuss about choice of 1).
If anyone have any opinion about choice of 1), I would love to hear that.
Regards Tadahiko Ito
SPHINCS+ is based on a very mature primitive and is a sound design. That said, some choices should be tweaked before standardization occurs. In particular, in SPHINCS+-SHA-256 there is an issue with the definition of the H_msg function so that the security of the signature presently relies on the multi-target second pre-image resistance of the SHA-256 hash function.
As defined in section 7.2.2 of the round 3 specification,
H_msg(R, PK.seed, PK.root, M) = MGF1-SHA-256(SHA-256(R||PK.seed||PK.root||M), m).
where M is the message, m is a system parameter, R is public (pseudo)randomness, and both PK.seed and PK.root are publicly known.
This means that the H_msg is MGF1-SHA-256(K, m) where K is a 256-bit string. Each message signed by Alice provides a distinct K and an (R,M) pair that yields that K. If any other nonce/message pair (R',M') yielded the same K, then the FORS and Hypertree signature for (R',M') would be the same as those already published for (R,M).
For example, after signing two messages M1 and M2, a signer will have produced a K1 and K2. An attacker will now produce a valid signature if they can find an (R,M) pair where SHA-256(R||PK.seed||PK.root||M) is either K1 or K2.
Morgan Stern
NSA Cybersecurity
From: 'Moody, Dustin (Fed)' via pqc-forum <pqc-...@list.nist.gov>
Sent: Thursday, January 21, 2021 11:13 AM
To: pqc-forum <pqc-...@list.nist.gov>
--
SPHINCS+ is based on a very mature primitive and is a sound design. That said, some choices should be tweaked before standardization occurs. In particular, in SPHINCS+-SHA-256 there is an issue with the definition of the H_msg function so that the security of the signature presently relies on the multi-target second pre-image resistance of the SHA-256 hash function.
As defined in section 7.2.2 of the round 3 specification,
H_msg(R, PK.seed, PK.root, M) = MGF1-SHA-256(SHA-256(R||PK.seed||PK.root||M), m).
where M is the message, m is a system parameter, R is public (pseudo)randomness, and both PK.seed and PK.root are publicly known.
This means that the H_msg is MGF1-SHA-256(K, m) where K is a 256-bit string. Each message signed by Alice provides a distinct K and an (R,M) pair that yields that K. If any other nonce/message pair (R',M') yielded the same K, then the FORS and Hypertree signature for (R',M') would be the same as those already published for (R,M).
For example, after signing two messages M1 and M2, a signer will have produced a K1 and K2. An attacker will now produce a valid signature if they can find an (R,M) pair where SHA-256(R||PK.seed||PK.root||M) is either K1 or K2.
--
Morgan Stern
NSA Cybersecurity
From: 'Moody, Dustin (Fed)' via pqc-forum <pqc-...@list.nist.gov>
Sent: Thursday, January 21, 2021 11:13 AM
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [Non-DoD Source] [pqc-forum] Diversity of signature schemes
All,
NIST notes that in the third round there are 3 signature finalists, and 3 signature alternates. Recent cryptanalysis has impacted the analysis of both Rainbow and GeMSS. We are concerned about a lack of diversity of signature schemes for security and application reasons. As a starting point for discussion, we would like to point out a couple of paragraphs from NISTIR 8309, our 2nd Round report:
"NIST sees SPHINCS+ as an extremely conservative choice for standardization. If NIST’s confidence in better performing signature algorithms is shaken by new analysis , SPHINCS+ could provide an immediately available algorithm for standardization at the end of the third round. "
And
"NIST is pleased with the progress of the PQC standardization effort but recognizes that current and future research may lead to promising schemes which were not part of the NIST PQC Standardization Project. NIST may adopt a mechanism to accept such proposals at a later date. In particular, NIST would be interested in a general-purpose digital signature scheme which is not based on structured lattices."
We would like to ask for feedback from the community about this issue. Thank you.
Dustin Moody
NIST PQC team
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/DM6PR09MB5096782DB2F165C8A2E0ADB5E5A10%40DM6PR09MB5096.namprd09.prod.outlook.com.
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/cb7077ac25764525a3e9e4ef59caf98b%40nsa.gov.
Dear Morgan, dear all,
I am not sure what this message is exactly about.
I totally agree with you. Indirectly, SPHINCS+ needs multi-target
second preimage resistance of SHA2-256 (as it is implied by the
properties we require). SPHINCS+ needs that SHA2-256 is an
interleaved target subset resilient hash function family as stated
in Section 9 which implies multi-target second preimage
resistance. A definition of this property and an analysis of the
complexity of generic classical and quantum attacks can be found
in Section 9.
To phrase it differently, the "attack approach" that you describe would violate interleaved target subset resilience, and is therefore not possible if SHA2 has the required security properties.
I hope this answers your unstated questions?
Best wishes,
Andreas
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/cb7077ac25764525a3e9e4ef59caf98b%40nsa.gov.
Thank you for your kind words about SPHINCS+.
As for the attack, I would note that it only applies to NIST Level 5 (256 bit hash) parameter sets; for Level 1 and Level 3 parameter sets, there are other attacks that are easier.
The Sphincs+ design assumes that no more than 2^64 signatures are generated by one private key. And, because we include the public seed and root in the SHA256, that means that an attacker cannot attack two different public keys at once.
So, assuming that an attacker has 2^64 signatures signed with a single private key; he then generates various R, M values and computes the corresponding SHA256(R||PK.seed||PK.root||M) value, and sees if he has a valid signature that used that value; that hash is 256 bits (obviously), and if we assume that SHA-256 acts like a random oracle, he has a probability 2^{-192} of being one of the 2^64 values – hence this will require an expected 2^192 attempts before succeeding.
For Level 3, there are a number of other ways to forge by performing an expected 2^192 hashes (which are a lot easier because they don’t involve wading through a large pile of targets), and so this approach doesn’t reduce the security (and it’s even more so for Level 1).
On the other hand, your attack does appear to be valid against SHA-256 Level 5 parameter sets. And, it is a place where we don’t meet our intention of relying only on (second) preimage resistance (as seen by my assumption that SHA-256 acts like a random oracle).
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/cb7077ac25764525a3e9e4ef59caf98b%40nsa.gov.
Thank you David
Thank you very much for comment and information about separation of hash.
It would be very helpful for us.
I discussed with our pdf implementer and confirmed that most modern PDF implementations use CMS as you noted. Combining his and your comment, so far, we are now thinking that current best practice for us should be a requirement (or prioritization of) something like CMS, for large file signing services which would support PQC (which should be better for cryptographic and security agility points also).
Regards Tadahiko Ito
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/08b0048c-504c-a7e7-74e3-7c7781f93cb7%40nist.gov.
I believe there’s also a long-message second preimage attack that applies here. (Ray Perlner pointed this out in a discussion.)
This is a known (published in 2005!) second-preimage attack on SHA256 (or any other MD hash), but it works after a single very long message query.
If we are allowed to query many very long messages, we can do still better. With 2^{64} maximum-length messages, we have 2^{119} target intermediate hash values, so we can do the attack for around 2^{137} work, again producing a forgery. In this case, we’d also get an attack that would lower the classical security even of the 192-bit (n=24) version.
Disclaimers:
It seems like just doubling the size of this internal seed value, SHA256(R || PK.seed || PK.root || M) for the 256-bit classical security level would be enough to block the attack.
--John
Dear all,
The SPHINCS+ team discussed the points raised by Morgan Stern and
John Kelsey on list in earlier mails. We agree that the
construction of H_msg in case of the SHA2 instantiations can be
done better.
We will make the following two changes to the construction of
H_msg for SHA2:
1.) For the L5 parameters we change the hash function used to
instantiate H_Msg and PRF_msg to SHA2-512. The change for H_msg
resolves the issue raised by Morgan Stern. The change for PRF_msg
is just for consistency.
2.) We change the construction of H_msg to include the string "R
|| PK.seed" in the MGF1 call, i.e., H_msg := MGF1-SHA-X(R ||
PK.seed || SHA-X(R || PK.seed || PK.root || M ), m) (where X is
256 for L1 & L3, and 512 for L5) . This prevents the
multi-target long-message second preimage attacks pointed out by
John that would still reduce the security of the L3 parameters by
a small amount.
While we do deploy change number two, we do this as it is
essentially for free. However, we want to note that we consider
the long message attacks entirely impractical. Let me give a small
example:
The long message attack (when using the old SHA2-256 construction
for H_msg) has a success probability of ~ [hash queries] *
[signature queries] * [message length] / [chaining value size]
where the message length is expressed in number of message blocks.
Phrased differently, we use log_2( [signature queries] * [message
length]) bits of security. Assuming the maximum values, we have
2^64 signature queries with a maximum length of 2^55 blocks
resulting in a loss of 119 bits. This would clearly violate the L3
security level where [chaining value size] = 2^256 and hence we
end up far below 2^192 classical attack complexity.
However, signature queries are answered by the honest user. Assume
our user was signing messages on a single machine and that one
SHA2-256 compression function call could be done in 2^-22 seconds
(~200ns). The total amount of compression function calls required
to compute above hashes is 2^64 * 2^55 = 2^119. At above speed
that is 2^97 seconds. Considering that a year has about 2^25
seconds this means a total of 2^72 years (and an honest user will
not speed up / massively parallelize the computation for our
adversary).
Sure, a user might use a key on multiple machines. However, even
with a million machines that use the same key (which leads to
entirely different security issues) we are talking about 2^52
years. Turning this around, if the key is used for a standard
lifetime of about 2^2 years, on about a million machines
continuously generating signatures, the message blocks of all
signed messages will sum up to about 2^69 (you may distribute this
between message length and number of messages as you like). And
this would end up with an attack complexity of about 2^187 (i.e.,
just below 2^192). Given all the simplifying assumptions that I
made (like the machines continuously signing and not counting
signing time), I think we would be safe to consider this
unrealistic as an L3 attack.
The numbers above can also be turned around to argue that it seems
unlikely that signers will ever use a key pair for 2^64
signatures: Ignoring the signing time of SPHINCS+ and just
counting the message compression, it requires one million machines
that use the same key pair to continuously sign messages for four
years to sign a total of 2^64 messages of 64 bytes. Considering
that SPHINCS+ signatures rather take a bit more than a
millisecond, this adds a factor 1000, either to the number of
machines (one billion) or to the number of years (4000). In even
the most demanding use-cases we have seen so far, signers sign
substantially below these limits.
Best wishes,
Andreas for the SPHINCS+ team
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/F8AADFC2-BB26-469C-BB23-0598BDA3B2A6%40nist.gov.
Sure, a user might use a key on multiple machines. However, even with a million machines that use the same key (which leads to entirely different security issues) we are talking about 2^52 years. Turning this around, if the key is used for a standard lifetime of about 2^2 years, on about a million machines continuously generating signatures, the message blocks of all signed messages will sum up to about 2^69 (you may distribute this between message length and number of messages as you like). And this would end up with an attack complexity of about 2^187 (i.e., just below 2^192). Given all the simplifying assumptions that I made (like the machines continuously signing and not counting signing time), I think we would be safe to consider this unrealistic as an L3 attack.
--Derek Atkins