-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FIPS 205 - API for Stateless hash-based signatures (SLH-DSA) #216
base: main
Are you sure you want to change the base?
Conversation
Currently the key types use an In contrast the algorithms are all
|
I have added a consistent set of helper macros relating to key types and algorithm interrogation. Please give feedback if there are any missing, or the provision is overkill. |
I think I have made all the relevant updates to the spec-defined helper macros in Appendix C, but might have missed one or two. |
Both FIPS 204 and 205 have an admonition that users SHOULD use the hedged version. I am not aware of any real word situation where side channels are not an issue, except perhaps the inside of a tank. So I would not include the Deterministic version in the API. Now, Giles is going to say that he needs it for testing. This could be an ifdef so it is not in runtime code. Of course, if an implementation does not have a source of randomness, then it has to use the deterministic version. |
Actually, no, we don't need it for testing. It's nice, but we can do without. We can test things like asymmetric encryption which absolutely cannot be deterministic. However, I think we should have it in the API. There are environments where side channels are genuinely not an issue. For example, a certificate authority creating signatures on a discrete piece of hardware and exporting the signatures in batches does not have to worry about side channels. Furthermore, the deterministic version can be robust against timing side channels if it's implemented in constant time. If the implementation isn't perfectly constant-time, depending on the exact attack, either the hedged version or the deterministic version might be easier to attack (some attacks rely on performing the exact same computation multiple time, while others rely on signing the same message with multiple nonces). There are use cases where the determinism of the signature is a desirable feature. For example, if you have redundant systems that must give identical outputs, it's easier to arrange with a deterministic algorithm than if you have to ensure that they use synchronized RNGs. |
The use cases for deterministic signatures are edge cases. And I want to avoid that. |
The exact wording in FIPS 205 (§9.2 p36) is as follows:
Along with the algorithm description, where using PK.seed is an alternate presented almost as a comment, this suggests that this is a recommendation for implementations: "use the hedged version if you have anything remotely suitable for providing the random input". However, the specification elsewhere (§9.1 p34) states:
Unless we define these as separate algorithms, it is not possible to constrain a key to one or the other variant, and the application has no way to control how the signature is generated - as this is just an implementation decision. If we keep both forms, we should add some notes or warnings to reflect the NIST guidance on recommending the hedged variant. If we just keep one, we need to make it clear that it is implementation defined whether the signature generation is hedged or deterministic. |
FIPS 204 says And with regard to generating the random value For this purpose, even a weak RBG may be preferable to the fully deterministic But it does not have the admonition that keys should only be used for one or the other variant. I feel that we ought to try to keep the two interfaces parallel if possible. If you want something reproducible, then using SHA256(time) would probably be sufficient to hedge the signature. |
It is entirely possible that the security implications of the deterministic variant are different for ML-DSA vs SLH-DSA. It is also possible that the original text from which the paragraphs in FIPS 204 and FIPS 205 come from entirely different design and implementation teams, and the differences reflect a difference in perspective, rather than a difference in technical matters. In the first instance, I do believe we should not apply recommendations from the ML-DSA FIPS 204 specification to the SLH-DSA algorithm definition in the API. |
Not convinced that an implementation that does this would be certifiable? |
[In relation to the ML-DSA text...] A source for the recommendations in FIPS204 is the CRYSYALS-Dilithium round two submission paper §3.2, which says:
Initially Dilithium was just deterministic, but added randomization to be able to mitigate a vulnerability to side-channel leakage of the message (not key). The authors assumed that randomization may assist a Quantum attack, and therefore preferred the deterministic approach (in §1.2):
The cited texts are Breaking ed25519 in wolfssl and Attacking deterministic signature schemes using fault attacks. NIST have adjusted the scheme to use two sources of randomness, the random seed in the signing key, and some fresh randomness when signing, and falling back to just the first source when using the deterministic variant. NIST have removed any mention of concerns relating to Quantum attacks being assisted by randomness. The sense of the recommendation from FIPS204 is to prefer the hedged variant. |
* Describe relaxed verification policy * Warn regarding unjustified use of deterministic variants
… the prehash/pure separation.
I've updated this following resolution of some open issues, and aligning the API with the latest ML-DSA PR #218.
|
These APIs will first appear in the PQC extension - see #223 |
Based on the discussion and proposal in #97, here is a definition of key types and algorithms for SLH-DSA.
Fixes #97