Added a P256 variant #97
Composite-MLDSA-2024.asn
@@ -253,6 +253,21 @@ sa-MLDSA65-Ed25519 SIGNATURE-ALGORITHM ::= | |||
pk-MLDSA65-Ed25519 } | |||
|
|||
|
|||
-- TODO: OID to be replaced by IANA | |||
id-MLDSA87-ECDSA-P256 OBJECT IDENTIFIER ::= { |
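Review bot: the new identifier `id-MLDSA87-ECDSA-P256` is inconsistent with the rest of this hunk and this PR, which extend the ML-DSA-65 section (the context is `sa-MLDSA65-Ed25519` / `pk-MLDSA65-Ed25519`) and add `id-HashMLDSA65-ECDSA-P256-SHA512`; rename it to `id-MLDSA65-ECDSA-P256` and check that the matching `sa-` and `pk-` entries use the same name. The `-- TODO: OID to be replaced by IANA` placeholder also needs a real arc value before merge, as the to-do list at the bottom of this PR notes.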
Should this be ML-DSA-65 instead of ML-DSA-87? The other changes seem to be for ML-DSA-65+ECDSA-P256 combo (e.g., id-HashMLDSA65-ECDSA-P256-SHA512).
Oops. I must have been tired or drunk when I wrote this. Good catch.
@@ -417,6 +432,24 @@ sa-HashMLDSA65-RSA4096-PKCS15-SHA512 SIGNATURE-ALGORITHM ::= | |||
id-HashMLDSA65-RSA4096-PKCS15-SHA512, | |||
pk-HashMLDSA65-RSA4096-PKCS15-SHA512 } | |||
|
|||
|
|||
-- TODO: OID to be replaced by IANA | |||
id-HashMLDSA65-ECDSA-P256-SHA512 OBJECT IDENTIFIER ::= { |
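Review bot: the SHA-512 pre-hash on a P-256 component is surprising enough that it drew a question in review; add an ASN.1 comment next to `id-HashMLDSA65-ECDSA-P256-SHA512` stating that SHA-512 is the pre-hash shared by both components, chosen because ML-DSA-65 is NIST level 3 (so the pre-hash must be at least SHA-384) and SHA-384 was dropped for interoperability reasons, while the ECDSA component itself remains ecdsa-with-SHA256 over secp256r1. The `-- TODO: OID to be replaced by IANA` placeholder should be resolved before merge.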
Is it intentional to use SHA-512 with ECDSA P-256 (which usually uses P-256)?
The SHA-512 hash will be truncated to 32 bytes (this is not the same as SHA-512/256).
Regarding speed of SHA-256 versus SHA-512, on 32-bit SHA-256 is faster, and on 64-bit SHA-512 is faster, unless there is hardware SHA-256, in which case SHA-256 is faster.
This is intentional. The full specification of this cipher suite is:
| id-HashMLDSA65-ECDSA-P256-SHA512 | <CompSig>.XX | id-ML-DSA-65 | ecdsa-with-SHA256 with secp256r1 | id-sha512 |
So the EC part is ecdsa-with-SHA256 with secp256r1. The SHA512 is a pre-hash common to both components, and since MLDSA65 is NIST Level 3, this must be at least SHA384. We received feedback that SHA384 is not well supported, so we should only use SHA256 and SHA512, so then this has to be SHA512.
Complicated, but that's how we got here. This is intentional.
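Added example (not code from this PR or the draft), using only Python's hashlib: it works through the pre-hash selection argued in the reply above and shows why the input to the ecdsa-with-SHA256 component is not a truncated SHA-512 digest, the concern raised in the question. The level-to-hash mapping and the omission of the draft's composite message encoding are assumptions made for the example.

```python
import hashlib

# Component hash of the ECDSA leg named in the reply: ecdsa-with-SHA256 over secp256r1.
ECDSA_P256_COMPONENT_HASH = "sha256"
# Pre-hashes the reply says the draft is willing to use (SHA-384 was dropped).
SUPPORTED_PREHASH = {"sha256": 256, "sha512": 512}


def choose_prehash(nist_level: int) -> str:
    """Pick the smallest supported pre-hash whose output is at least twice the
    classical strength of the NIST level (1 -> 128, 3 -> 192, 5 -> 256 bits), so
    level 3 needs at least SHA-384-sized output. Assumption: this mirrors the
    'must be at least SHA384' reasoning in the reply, not text of the draft."""
    strength_bits = {1: 128, 3: 192, 5: 256}[nist_level]
    for name, bits in sorted(SUPPORTED_PREHASH.items(), key=lambda kv: kv[1]):
        if bits >= 2 * strength_bits:
            return name
    raise ValueError("no supported pre-hash is strong enough for this level")


def prehash(message: bytes, prehash_name: str) -> bytes:
    """PH(M): the pre-hash shared by both composite components."""
    return hashlib.new(prehash_name, message).digest()


def ecdsa_component_input(ph: bytes) -> bytes:
    """What ecdsa-with-SHA256 actually signs: SHA-256 over the pre-hashed message.
    Assumption: the draft's full composite message encoding (domain separator,
    context) is not shown on this page, so the raw pre-hash stands in for it."""
    return hashlib.new(ECDSA_P256_COMPONENT_HASH, ph).digest()


def naive_truncation(ph: bytes) -> bytes:
    """What the question worried about: a 64-byte SHA-512 digest fed straight into
    a P-256 signature keeps only the leftmost 32 bytes (the curve order is 256 bits)."""
    return ph[:32]


def sha512_256(message: bytes):
    """SHA-512/256 for comparison; returns None if the local OpenSSL lacks it."""
    try:
        return hashlib.new("sha512_256", message).digest()
    except ValueError:
        return None
```

With the constructed input used in the checks below, the ECDSA component signs a fresh 32-byte SHA-256 of the 64-byte pre-hash, which differs from both the truncated SHA-512 and SHA-512/256.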
It said AlgorithmID while it is actually only the algorithm name. AlgorithmID would be an ASN.1 structure. Fixes #81
This applies to all non-PreHash names only. Closes #102
…-underlying-components-section Adds rationale for use of SHA512 with MLDSA-44 in CMS section.
Author group agreed with text.
Added a "Why Hybrids?" security consideration.
…algorithm-names-in-iana-section Removes prehash from algorithm names in IANA section.
Fixes header of algorithm column in all tables.
To do before merge:
id-MLDSA65-ECDSA-P256 and id-HashMLDSA65-ECDSA-P256-SHA512 from the Entrust OID arc -- update all the places in the draft that need it.

@johngray-dev I also fixed some typos in the IANA Considerations section (the non-prehashed OIDs still had a hash function in them), do you agree?