Script updating gh-pages from 5d7e57e. [ci skip]

draft-ietf-lamps-dilithium-certificates.txt

@@ -5,11 +5,11 @@
 LAMPS WG                                                      J. Massimo
 Internet-Draft                                             P. Kampanakis
 Intended status: Standards Track                                     AWS
-Expires: 19 May 2025                                           S. Turner
+Expires: 7 June 2025                                           S. Turner
                                                                    sn3rd
                                                         B. E. Westerbaan
                                                               Cloudflare
-                                                        15 November 2024
+                                                         4 December 2024
 
 
 Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-
@@ -60,7 +60,7 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on 19 May 2025.
+   This Internet-Draft will expire on 7 June 2025.
 
 Copyright Notice
 
@@ -85,7 +85,7 @@ Table of Contents
    4.  ML-DSA Public Keys in PKIX
    5.  Key Usage Bits
    6.  Private Key Format
-   7.  Pre-hashed mode (ExternalMu-ML-DSA)
+   7.  Pre-hashing (ExternalMu-ML-DSA)
    8.  IANA Considerations
    9.  Security Considerations
    10. References
@@ -112,12 +112,12 @@ Table of Contents
 
    [FIPS204] defines two variants of ML-DSA: a pure and a prehash
    variant.  Only the former is specified in this document.  The pure
-   variant of ML-DSA supports the typical prehash flow: one
-   cryptographic module can compute the hash _mu_ on line 6 of algorithm
-   7 of [FIPS204] and pass it to a second module to finish the
-   signature.  The first module only needs access to the full message
-   and the public key, whereas the second module only needs access to
-   hash _mu_ and the private key.
+   variant of ML-DSA supports the typical prehash flow, see Section 7.
+   In short: one cryptographic module can compute the hash _mu_ on line
+   6 of algorithm 7 of [FIPS204] and pass it to a second module to
+   finish the signature.  The first module only needs access to the full
+   message and the public key, whereas the second module only needs
+   access to hash _mu_ and the private key.
 
 1.1.  Requirements Language
 
@@ -324,33 +324,28 @@ Table of Contents
    Appendix C contains example ML-DSA private keys encoded using the
    textual encoding defined in [RFC7468].
 
-7.  Pre-hashed mode (ExternalMu-ML-DSA)
-
-   Many applications will require a "pre-hashed" mode of ML-DSA whereby
-   the signature generation process can be separated into a pre-hash
-   step and a core signature step in order to ease operational
-   requirements around large or inconsistently-sized payloads.  Many
-   applications and protocols include message digesting, but there exist
-   some that do not.  Examples of this can be found even within
-   [RFC5280]; for example certificate and certificate revocation list
-   (CRL) data structures do not include message digesting and therefore
-   become problematic when producing large CRLs or when signing a high
-   volume of certificates containing large public keys.  Such situations
-   require pre-hashing to be performed by the signature primitive.
-
-   This section presents the "ExternalMu-ML-DSA" processing flow which
-   is composed of a new pre-hashing step ExternalMu-ML-DSA.Prehash()
-   followed by alternate versions of Sign() (originally defined in
-   [FIPS204] Algorithm 2) and Sign_internal() (originally defined in
-   [FIPS204] Algorithm 7) which together provide an interface for
-   performing pre-hashed signatures as specified in [FIPS204], which
-   produces signature values which are indistinguishable from signatures
-   produced by ML-DSA.Sign() and are therefore compatible with the
-   normal ML-DSA.Verify() and are identified by the same Object
-   Identifiers as for ML-DSA.  A ML-DSA key and certificate MAY be used
-   with either ML-DSA or ExternalMu-ML-DSA interchangeably.  Note that
-   ExternalMu-ML-DSA describes a different signature API from ML-DSA and
-   therefore might require explicit support from hardware or software
+7.  Pre-hashing (ExternalMu-ML-DSA)
+
+   Some applications require prehashing, where the signature generation
+   process can be separated into a pre-hash step and a core signature
+   step in order to ease operational requirements around large or
+   inconsistently-sized payloads.  This can be performed at the protocol
+   layer, but not all protocols support it.  An example in [RFC5280] is
+   the certificate revocation list (CRL) data structures, that do not
+   include message digesting before signing.  This makes signing large
+   volumes of large CRLs challenging.
+
+   As mentioned in the introduction, pure ML-DSA signing itself supports
+   a prehashing flow by splitting the operation over two modules.  In
+   this section we make this "ExternalMu-ML-DSA" more explicit.
+
+   There are two steps.  First an ExternalMu-ML-DSA.Prehash() followed
+   by ExternalMu-ML-DSA.Sign().  Together these operate as ML-DSA.Sign()
+   from [FIPS204] and thus create exactly the same signatures as regular
+   pure ML-DSA.  An ML-DSA key and certificate MAY be used with either
+   ML-DSA or ExternalMu-ML-DSA interchangeably.  Note that ExternalMu-
+   ML-DSA describes a different signature API from ML-DSA and therefore
+   might require explicit support from hardware or software
    cryptographic modules.
 
    Note that the signing mode defined here is different from HashML-DSA
@@ -374,35 +369,35 @@ Table of Contents
 
    M' = BytesToBits(IntegerToBytes(0, 1) ∥ IntegerToBytes(|ctx|, 1)
                                                          || ctx) || M
-   mu = H(BytesToBits(pk.tr) || M', 64)
+   mu = H(BytesToBits(H(pk, 64)) || M', 64)
    return mu
 
              Figure 1: External steps of ExternalMu-ML-DSA
 
    Internal operations:
 
-   ExternalMu-ML-DSA.Sign(sk, mu):
+ExternalMu-ML-DSA.Sign(sk, mu):
 
-     if |mu| != 512 then
-       return error  # return an error indication if the input mu is not
-                     # 64 bytes (512 bits).
-     end if
+  if |mu| != 512 then
+    return error  # return an error indication if the input mu is not
+                  # 64 bytes (512 bits).
+  end if
 
-     rnd = rand(32)  # for the optional deterministic variant,
-                     # substitute rnd = 0x0 * 32
-     if rnd = NULL then
-       return error  # return an error indication if random bit
-                     # generation failed
-     end if
+  rnd = rand(32)  # for the optional deterministic variant,
+                  # set rnd to all zeroes
+  if rnd = NULL then
+    return error  # return an error indication if random bit
+                  # generation failed
+  end if
 
-     sigma = ExternalMu-ML-DSA.Sign_internal(sk, mu, rnd)
-     return sigma
+  sigma = ExternalMu-ML-DSA.Sign_internal(sk, mu, rnd)
+  return sigma
 
 
-   ExternalMu-ML-DSA.Sign_internal(sk, mu, rnd):
-      ... identical to FIPS 204 Algorithm 7, but with Line 6 removed.
+ExternalMu-ML-DSA.Sign_internal(sk, mu, rnd): # mu is passed as argument instead of M'
+   ... identical to FIPS 204 Algorithm 7, but with Line 6 removed.
 
-               Figure 2: Internal steps of ExternalMu-ML-DSA
+            Figure 2: Internal steps of ExternalMu-ML-DSA
 
 8.  IANA Considerations
 

index.html

@@ -24,14 +24,6 @@ <h1>Editor's drafts for main branch of <a href="https://github.com/lamps-wg/dili
         <td></td>
       </tr>
     </table>
-    <h2>Preview for branch <a href="seanturner-refactor">seanturner-refactor</a></h2>
-    <table id="branch-seanturner-refactor">
-      <tr>
-        <td><a href="seanturner-refactor/draft-ietf-lamps-dilithium-certificates.html" class="html draft-ietf-lamps-dilithium-certificates" title="Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-DSA (HTML)">ML-DSA in Certificates</a></td>
-        <td><a href="seanturner-refactor/draft-ietf-lamps-dilithium-certificates.txt" class="txt draft-ietf-lamps-dilithium-certificates" title="Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-DSA (Text)">plain text</a></td>
-        <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://lamps-wg.github.io/dilithium-certificates/draft-ietf-lamps-dilithium-certificates.txt&amp;url_2=https://lamps-wg.github.io/dilithium-certificates/seanturner-refactor/draft-ietf-lamps-dilithium-certificates.txt" class="diff draft-ietf-lamps-dilithium-certificates">diff with main</a></td>
-      </tr>
-    </table>
     <h2>Preview for branch <a href="alg7l6">alg7l6</a></h2>
     <table id="branch-alg7l6">
       <tr>
@@ -48,14 +40,6 @@ <h2>Preview for branch <a href="mikeo_externalmu">mikeo_externalmu</a></h2>
         <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://lamps-wg.github.io/dilithium-certificates/draft-ietf-lamps-dilithium-certificates.txt&amp;url_2=https://lamps-wg.github.io/dilithium-certificates/mikeo_externalmu/draft-ietf-lamps-dilithium-certificates.txt" class="diff draft-ietf-lamps-dilithium-certificates">diff with main</a></td>
       </tr>
     </table>
-    <h2>Preview for branch <a href="seanturner-switch2md">seanturner-switch2md</a></h2>
-    <table id="branch-seanturner-switch2md">
-      <tr>
-        <td><a href="seanturner-switch2md/draft-ietf-lamps-dilithium-certificates.html" class="html draft-ietf-lamps-dilithium-certificates" title="Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-DSA (HTML)">ML-DSA in Certificates</a></td>
-        <td><a href="seanturner-switch2md/draft-ietf-lamps-dilithium-certificates.txt" class="txt draft-ietf-lamps-dilithium-certificates" title="Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-DSA (Text)">plain text</a></td>
-        <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://lamps-wg.github.io/dilithium-certificates/draft-ietf-lamps-dilithium-certificates.txt&amp;url_2=https://lamps-wg.github.io/dilithium-certificates/seanturner-switch2md/draft-ietf-lamps-dilithium-certificates.txt" class="diff draft-ietf-lamps-dilithium-certificates">diff with main</a></td>
-      </tr>
-    </table>
     <h2>Preview for branch <a href="ounsworth-more-externalmu">ounsworth-more-externalmu</a></h2>
     <table id="branch-ounsworth-more-externalmu">
       <tr>
@@ -64,14 +48,6 @@ <h2>Preview for branch <a href="ounsworth-more-externalmu">ounsworth-more-extern
         <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://lamps-wg.github.io/dilithium-certificates/draft-ietf-lamps-dilithium-certificates.txt&amp;url_2=https://lamps-wg.github.io/dilithium-certificates/ounsworth-more-externalmu/draft-ietf-lamps-dilithium-certificates.txt" class="diff draft-ietf-lamps-dilithium-certificates">diff with main</a></td>
       </tr>
     </table>
-    <h2>Preview for branch <a href="seanturner-asn1-module">seanturner-asn1-module</a></h2>
-    <table id="branch-seanturner-asn1-module">
-      <tr>
-        <td><a href="seanturner-asn1-module/draft-ietf-lamps-dilithium-certificates.html" class="html draft-ietf-lamps-dilithium-certificates" title="Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-DSA (HTML)">ML-DSA in Certificates</a></td>
-        <td><a href="seanturner-asn1-module/draft-ietf-lamps-dilithium-certificates.txt" class="txt draft-ietf-lamps-dilithium-certificates" title="Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-DSA (Text)">plain text</a></td>
-        <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://lamps-wg.github.io/dilithium-certificates/draft-ietf-lamps-dilithium-certificates.txt&amp;url_2=https://lamps-wg.github.io/dilithium-certificates/seanturner-asn1-module/draft-ietf-lamps-dilithium-certificates.txt" class="diff draft-ietf-lamps-dilithium-certificates">diff with main</a></td>
-      </tr>
-    </table>
     <h2>Preview for branch <a href="draft-ietf-lamps-dilithium-certificates-05">draft-ietf-lamps-dilithium-certificates-05</a></h2>
     <table id="branch-draft-ietf-lamps-dilithium-certificates-05">
       <tr>
@@ -80,14 +56,6 @@ <h2>Preview for branch <a href="draft-ietf-lamps-dilithium-certificates-05">draf
         <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://lamps-wg.github.io/dilithium-certificates/draft-ietf-lamps-dilithium-certificates.txt&amp;url_2=https://lamps-wg.github.io/dilithium-certificates/draft-ietf-lamps-dilithium-certificates-05/draft-ietf-lamps-dilithium-certificates.txt" class="diff draft-ietf-lamps-dilithium-certificates">diff with main</a></td>
       </tr>
     </table>
-    <h2>Preview for branch <a href="seanturner-drop-name">seanturner-drop-name</a></h2>
-    <table id="branch-seanturner-drop-name">
-      <tr>
-        <td><a href="seanturner-drop-name/draft-ietf-lamps-dilithium-certificates.html" class="html draft-ietf-lamps-dilithium-certificates" title="Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-DSA (HTML)">ML-DSA in Certificates</a></td>
-        <td><a href="seanturner-drop-name/draft-ietf-lamps-dilithium-certificates.txt" class="txt draft-ietf-lamps-dilithium-certificates" title="Internet X.509 Public Key Infrastructure: Algorithm Identifiers for ML-DSA (Text)">plain text</a></td>
-        <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://lamps-wg.github.io/dilithium-certificates/draft-ietf-lamps-dilithium-certificates.txt&amp;url_2=https://lamps-wg.github.io/dilithium-certificates/seanturner-drop-name/draft-ietf-lamps-dilithium-certificates.txt" class="diff draft-ietf-lamps-dilithium-certificates">diff with main</a></td>
-      </tr>
-    </table>
     <h2>Preview for branch <a href="seanturner-oid-name">seanturner-oid-name</a></h2>
     <table id="branch-seanturner-oid-name">
       <tr>