[WIP] Add signing hooks for observing signature attempts and implementing restartable signing#1237
Draft
hanno-becker wants to merge 2 commits into
Draft
[WIP] Add signing hooks for observing signature attempts and implementing restartable signing#1237hanno-becker wants to merge 2 commits into
hanno-becker wants to merge 2 commits into
Conversation
hanno-becker
changed the title
hanno-becker
changed the title
Contributor
CBMC Results (ML-DSA-44, REDUCE-RAM)Full Results (208 proofs)
|
Contributor
CBMC Results (ML-DSA-65)Full Results (208 proofs)
|
Contributor
CBMC Results (ML-DSA-44)Full Results (208 proofs)
|
Contributor
CBMC Results (ML-DSA-87)
Full Results (208 proofs)
|
hanno-becker
force-pushed
the
sign_hooks
branch
2 times, most recently
from
a599d22 to
ba5df63
Compare
Move the MLD_CONTEXT_PARAMETERS_n macros and the associated configuration check out of common.h into a new, level-generic header context.h, included by common.h at the point the material previously sat. No behavioral change. Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
The runtime of ML-DSA signatures is theoretically unbounded. Even the
bound of max 814 signature attempts -- approved by NIST as lowering the
chance of signing failure below 2^{-256} -- leaves a performance distribution
whose peak percentiles can be inacceptable for constrained systems with
strict timing requirements.
As a remedy, the library already provides a configuration option
MLD_CONFIG_MAX_SIGNING_ATTEMPTS to limit the number of signing attempts.
However, FIPS 204 explicitly forbids lowering the number of signing attempts
below 814, rendering the use of this option in constrained environments
non-compliant.
As a remedy, this commit introduces a facility for _restartable signing_:
In addition to using MLD_CONFIG_MAX_SIGNING_ATTEMPTS, the user can provide
a custom hook for remembering the last signing attempt, and continuing the
next signing call at that point.
More specifically, the idea is to introduce three 'signing hooks'
into the core signature routine:
- `nonce = sign_resume()`: Return the nonce corresponding to the next
signing attempt. `0` for the an initial / non-restartable signing
operation.
- `sign_attempt(nonce)`: Note the nonce for the next signing attempt.
- `sign_finish(nonce)`: Note the nonce for which signing succeeded.
Here, only `sign_resume()` affects the signing process functionally,
while `sign_attempt()` and `sign_finish()` are passive logging operations.
This approach to restartable signing only works if the consumer works
directly with the internal signing API. If they use the randomized API,
a fresh seed would be chosen even on supposedly restarted signing operations,
leading to non-compliant signatures. The use of a `sign_resume()` hook
is therefore only safe with MLD_CONFIG_NO_RANDOMIZED_API.
In contrast, `sign_attempt` and `sign_finish` are passive, and can safely
be used on their own with any configuration. Indeed, these hooks serve
other uses outside of restartable signing:
- sign_attempt can be used to get finer-grained benchmarks for individual
signing attempts
- sign_finish can be used to log the number of signing attempts, which
can be useful again for benchmarking, or for checking the expected
distribution of signing attempts.
Finally, sign_{resume|attempt|finish} can all be implemented based on
mutable globals, or based on a context. It therefore makes sense to
introduce them under the the existing MLD_CONFIG_CONTEXT_PARAMETER
wrapper, which allows functions to be called with or without an
application-specific context pointer.
Taking all these considerations together, here's what the commit changes:
- Add independent MLD_CONFIG_SIGN_HOOK_{RESUME|FINISH|ATTEMPT} configuration
options for registering signing hooks as above. When set, the user provides
the following functions, respectively:
- `nonce = mld_sign_resume([ctxt])`: Provide initial or resuming nonce
- `mld_sign_attempt(nonce [, ctxt])`: Log/remember nonce for next attempt
- `mld_sign_finish(nonce [, ctxt])`: Log/remember nonce for successful attempt
- The option can be used with or without MLD_CONFIG_CONTEXT_PARAMETER. If the
latter is set, the user-provided context will be passed to `mld_sign_xxx`
as the last argument.
- An example is added illustrating the use of the hooks to implement restartable
signing.
Note: A consumer might want to use restartable signing with randomized APIs.
This is not natively supported. However, it is expected to be easily implementable
since the components required to build randomized signing from deterministic
signing are all public.
Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
Contributor
CBMC Results (ML-DSA-65, REDUCE-RAM)Full Results (208 proofs)
|
Contributor
CBMC Results (ML-DSA-87, REDUCE-RAM)Full Results (208 proofs)
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.