Add ML-DSA-44, SHAKE256 algorithm identifiers#860
Hayden-IO wants to merge 1 commit into sigstore:main from
Conversation
This looks good, would you also update https://github.com/sigstore/architecture-docs/blob/main/algorithm-registry.md

Re: SHAKE-256, how do you feel about not adding that now? Reading FIPS 204 §5.4, hash algorithms specified by FIPS 180-4 with sufficient output size (e.g. SHA2-256) are allowed, so maybe punt on adding SHAKE-256 until we need it? We already have a lot of algorithms listed (for ML-DSA, lambda is 128 bits). From FIPS 204 §5.4:

But also, if we can work towards always hashing on the application layer (e.g. use in-toto) there is no need for the pre-hash version, and we can stick with pure only. E.g. newer cosign only signs an in-toto statement for OCI images. We could do the same for blobs and so only sign the in-toto statement referencing the blob.
Thanks for the feedback! I'm happy to remove SHAKE256 - I didn't have a clear use case in mind, and to be honest we'll probably have to rethink the message digest field assuming we eventually migrate entirely over to ML-DSA, since hashing is internal to the algorithm.
From discussions with cryptographers, the general consensus is ML-DSA-44 is sufficient for PQC signing, with smaller keys and signatures. ML-DSA-65 and ML-DSA-87 will be primarily for specialized use cases, e.g. gov't requirements. Additionally, the witness network is likely to use ML-DSA-44. Updated the comment for LMS/LMS-OTS to state it should not be used at all, as there are no clients that will support this.

Signed-off-by: Hayden <8418760+Hayden-IO@users.noreply.github.com>
sigstore/architecture-docs#61 for the registry update
steiza left a comment
I think we're doing a good job balancing experiments with forward progress here.
From discussions with cryptographers, the general consensus is ML-DSA-44 is sufficient for PQC signing, with smaller keys and signatures. ML-DSA-65 and ML-DSA-87 will be primarily for specialized use cases, e.g. gov't requirements.
Additionally, the witness network is likely to use ML-DSA-44.
Added the SHAKE256 hash algorithm identifier, though I'm not certain it's actually needed because we'll only support the pure variant of ML-DSA.
Updated the comment for LMS/LMS-OTS to state it should not be used at all, as there are no clients that will support this.