[CFRG] Re: Request for adoption: Signature modes guidance / draft-harvey-cfrg-mtl-mode-03
Russ Housley <housley@vigilsec.com> Wed, 07 August 2024 21:15 UTC
From: Russ Housley <housley@vigilsec.com>
To: "Kaliski, Burt" <bkaliski=40verisign.com@dmarc.ietf.org>
CC: IRTF CFRG <cfrg@irtf.org>, "Sheth, Swapneel" <ssheth@Verisign.com>
Date: Wed, 07 Aug 2024 17:15:34 -0400
Subject: [CFRG] Re: Request for adoption: Signature modes guidance / draft-harvey-cfrg-mtl-mode-03
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/F5WRgtRJmNwLGYaEWgjJSDMcTj8>
I would like to see the CFRG publish an algorithm description for MTL mode. People have been experimenting with it at the IETF Hackathon, and that may lead to some very helpful information about where the MTL mode is advantageous. Also, these developers are aware of the license, and they still were willing to donate their time to experiment.

Russ

> On Aug 5, 2024, at 9:42 AM, Kaliski, Burt <bkaliski=40verisign.com@dmarc.ietf.org> wrote:
>
> CFRG,
>
> Following up on my presentation at IETF 120, I would like to request that CFRG adopt draft-harvey-cfrg-mtl-mode-03 [1] as part of a broader research effort to provide guidance on modes of operation for digital signature schemes in applications. The authors' rationale is as follows:
>
> * NIST is in the process of standardizing what are effectively two modes of operation for FIPS 204 and 205 - "pure signing" where the message is signed directly with the underlying signature scheme and "pre-hash signing" where the hash of the message is signed. NIST has also introduced a "domain separator" format to distinguish the two modes [2]. (draft-harvey-cfrg-mtl-mode-03 adopts the domain separator format to distinguish MTL mode from others.)
>
> * There are discussions underway on these topics on NIST's pqc-forum mailing list [3]. It seems prudent that CFRG advance guidance to applications on how and when to use pure signing vs. pre-hash signing, how to use domain separators and context strings in inputs to signature schemes, and how to approach other modes of operation.
>
> * The initial use case for MTL mode is DNSSEC, as described in draft-fregly-dnsop-slh-dsa-mtl-dnssec-02 [4]. The current draft includes an example zone file signed with SPHINCS+ (SLH-DSA) in MTL mode. The authors hosted a hackathon session [5] on the draft at IETF 120 and also presented [6] at HotRFC. In addition, following the PQ DNSSEC side meeting [7], a new non-WG mailing list, pq-dnssec [8], was formed in the Security Area. The mailing list will be used for discussions of draft-fregly-research-agenda-for-pqc-dnssec-01 [9]. MTL mode is one of several approaches for reducing the operational impact of post-quantum signatures identified in the draft.
>
> * Another example of a signature mode where CFRG guidance would be helpful is composite signatures [10]. For instance, if the composite signature construction is applied to FIPS 204/205, does this mean that FIPS 204/205 is operated in "pure" mode (because the pre-hashing has already been done)? And how should an application use the optional context string provided by FIPS 204/205 in a composite construction?
>
> * Verisign announced a public, royalty-free license to certain intellectual property related to draft-harvey-cfrg-mtl-mode-03. IPR declarations 6174-6176 [11] give the official language.
>
> Thanks -- Burt
>
> [1] J. Harvey, B. Kaliski, A. Fregly, S. Sheth. Merkle Tree Ladder (MTL) Mode Signatures. draft-harvey-cfrg-mtl-mode-03, June 12, 2024, https://datatracker.ietf.org/doc/draft-harvey-cfrg-mtl-mode/03/
> [2] D. Moody. Updates on pre-hash for FIPS 204 and 205. pqc-forum@list.nist.gov mailing list, April 19, 2024, https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/JKMh0D0pa30/m/vbflXolxAQAJ
> [3] pqc-forum mailing list, https://groups.google.com/a/list.nist.gov/g/pqc-forum
> [4] A.M. Fregly, B. Kaliski, J. Harvey, D. Wessels. Stateless Hash-Based Signatures in Merkle Tree Ladder Mode (SLH-DSA-MTL) for DNSSEC. draft-fregly-dnsop-slh-dsa-mtl-dnssec-02, July 8, 2024, https://datatracker.ietf.org/doc/draft-fregly-dnsop-slh-dsa-mtl-dnssec/02/
> [5] Exploring Implementation Approaches for Merkle Tree Ladder Mode Signatures for DNSSEC, IETF 120 Hackathon, https://wiki.ietf.org/en/meeting/120/hackathon
> [6] A. Fregly. Stateless Hash-Based Signatures in Merkle Tree Ladder Mode (SLH-DSA-MTL) for DNSSEC, IETF 120 HotRFC, https://datatracker.ietf.org/meeting/120/materials/slides-120-hotrfc-sessa-04-stateless-hash-based-signatures-in-merkle-tree-ladder-mode-01
> [7] Side Meetings at IETF 120, https://wiki.ietf.org/en/meeting/120/sidemeetings
> [8] pq-dnssec mailing list, https://mailarchive.ietf.org/arch/browse/pq-dnssec/
> [9] A.M. Fregly et al. Research Agenda for a Post-Quantum DNSSEC. draft-fregly-research-agenda-for-pqc-dnssec-01, June 26, 2024, https://datatracker.ietf.org/doc/draft-fregly-research-agenda-for-pqc-dnssec/01/
> [10] M. Ounsworth et al. Composite ML-KEM for Use in the Internet X.509 Public Key Infrastructure and CMS. draft-ietf-lamps-pq-composite-kem-04, July 8, 2024, https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-kem/04/
> [11] https://datatracker.ietf.org/ipr/search/?draft=draft-harvey-cfrg-mtl-mode&rfc=&doctitle=&group=&holder=VeriSign%2C+Inc.&iprtitle=&patent=&submit=draft
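The quoted rationale contrasts "pure" and "pre-hash" signing and the domain-separator format NIST introduced to keep the two modes apart. The following Python is an added example, not code from the draft, from NIST, or from anyone in this thread; it assumes the message-encoding layout of FIPS 204 (a one-byte mode tag, a one-byte context length, the context string, and for pre-hash mode the DER-encoded hash OID followed by the digest; the SHA-512 OID bytes and the 255-byte context limit are taken from that layout as assumptions). It builds the signed input for each mode and shows why the separator matters: without it, a pre-hash signature over a message would be indistinguishable from a pure signature over that message's digest.

```python
import hashlib

# DER encoding of id-sha512 (2.16.840.1.101.3.4.2.3); assumed to be the
# OID prefix FIPS 204 prepends to a SHA-512 digest in pre-hash mode.
SHA512_OID = bytes.fromhex("0609608648016503040203")

PURE_TAG = b"\x00"      # assumed FIPS 204 mode byte for pure signing
PREHASH_TAG = b"\x01"   # assumed FIPS 204 mode byte for pre-hash signing
MAX_CTX_LEN = 255       # context length is encoded in a single byte


def _ctx_prefix(ctx: bytes) -> bytes:
    """Length-prefixed context string; rejects anything that cannot fit in one byte."""
    if len(ctx) > MAX_CTX_LEN:
        raise ValueError("context string longer than 255 bytes")
    return bytes([len(ctx)]) + ctx


def encode_pure(message: bytes, ctx: bytes = b"") -> bytes:
    """Signed input M' for pure mode: tag || len(ctx) || ctx || message."""
    return PURE_TAG + _ctx_prefix(ctx) + message


def encode_prehash(message: bytes, ctx: bytes = b"") -> bytes:
    """Signed input M' for pre-hash mode: tag || len(ctx) || ctx || OID || SHA-512(message)."""
    digest = hashlib.sha512(message).digest()
    return PREHASH_TAG + _ctx_prefix(ctx) + SHA512_OID + digest


def encode_without_separator(message: bytes) -> bytes:
    """What a scheme signs when it has no mode tag: the bytes handed to it, as-is.
    A pre-hash caller would pass SHA-512(message); a pure caller passes message."""
    return message


def modes_are_distinguishable(message: bytes, ctx: bytes = b"") -> bool:
    """True if signing `message` in pre-hash mode produces a different signed
    input than signing its SHA-512 digest as a *message* in pure mode."""
    digest = hashlib.sha512(message).digest()
    return encode_prehash(message, ctx) != encode_pure(digest, ctx)


def naive_modes_collide(message: bytes) -> bool:
    """True if, with no separator, a pre-hash signing of `message` and a pure
    signing of its digest hand the signature scheme identical bytes."""
    digest = hashlib.sha512(message).digest()
    # pre-hash caller signs the digest; pure caller asked to sign `digest` as a message
    return encode_without_separator(digest) == encode_without_separator(digest)


if __name__ == "__main__":
    msg = b"example.  IN A 192.0.2.1"  # constructed sample record, not from the draft
    print("separated modes distinct:", modes_are_distinguishable(msg, b"dnssec"))
    print("naive modes collide:     ", naive_modes_collide(msg))
```

The two predicate functions make the security point concrete: with the tag and context in place, a verifier can never be convinced that a pre-hash signature over a message is a pure signature over some other message whose bytes happen to equal the digest, because the signed inputs differ in their first byte. The same length-prefixed context mechanism is what an application would use to bind a signature to its protocol, which is the question the quoted mail raises for composite constructions.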