IETF Logo Mail Archive

Re: [COSE] [jose] ML-DSA & SLH-DSA for JOSE and COSE

Simo Sorce <simo@redhat.com> Mon, 15 January 2024 14:18 UTC

Return-Path: <simo@redhat.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D0E3C14F60A for <cose@ietfa.amsl.com>; Mon, 15 Jan 2024 06:18:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vU9wim-74D12 for <cose@ietfa.amsl.com>; Mon, 15 Jan 2024 06:18:06 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C183C14F5E0 for <cose@ietf.org>; Mon, 15 Jan 2024 06:18:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1705328285; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RVvBgAMeK+zVTioksGK/aDFqQl1mK00DE+TvYUEWJb4=; b=aaaW3CKQ1UtLObInnMbUcnpob5hrNWhEEh/wPayLS+ynNEF03UvtA1HBMRO39Cs8AupU8t GXT6hPTeWak7X0UiRgsfSPiUvulomPzDGKMm7cOeKpXC+cf99z7MLj5h6oeDekEa2NtPdC d+jsYTxy7oMX8ssxOnJFeCwi2ieo2sc=
Received: from mail-qk1-f200.google.com (mail-qk1-f200.google.com [209.85.222.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-251-A_RvePcyPFaNrClUmpqTdw-1; Mon, 15 Jan 2024 09:18:03 -0500
X-MC-Unique: A_RvePcyPFaNrClUmpqTdw-1
Received: by mail-qk1-f200.google.com with SMTP id af79cd13be357-78346e55998so551900385a.0 for <cose@ietf.org>; Mon, 15 Jan 2024 06:18:03 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705328283; x=1705933083; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:cc:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=RVvBgAMeK+zVTioksGK/aDFqQl1mK00DE+TvYUEWJb4=; b=NvdKo6VoAnmlb1UeDPNIJGfRKbUafE8oNRYSGPlebjczXpdDctX9ipOoki47X0HD01 Dng3jrs7VK8iHGlK7y0PJbYnkRnMdqo4dFL2g/8rcHwykX0mfttqKIExm7E1jknjOJGP z9hI+6lIQMPgW3FU6Ll234DhsUTSAQ+s+Dba+pPxwfQqGg1+OOTOcUjThFdMPoPYeY5D +Qv0j2n4uDQJE1V55B2XM8qy50VEZwu2PIqUkvtDIgejQl6nCsH8Fm859mNNqlez89ZW 9bkTp7dCZUkyVhbXovKAwvd4lVGyvdY+X1vcwqtcvSVmUARotByH2ihXct4lNVe2VAMs 7giA==
X-Gm-Message-State: AOJu0Yw6pzkeq7hrlPNZn2SZf5C8RK5QlBKNRNPu5QlZD5GbO2NG2cX1 BUjG0iiJbFOKonXDAZSbJAH5dEm8a4vdXVCJTVSb3bsJ44eG+n4cgI9Idiwgjr+g795tjL0jGxR Q+JGKPm4mTMRc
X-Received: by 2002:a05:620a:4d14:b0:783:3365:64cc with SMTP id wa20-20020a05620a4d1400b00783336564ccmr7767680qkn.47.1705328283260; Mon, 15 Jan 2024 06:18:03 -0800 (PST)
X-Google-Smtp-Source: AGHT+IH9KkpWP2j3mLny6Q1xaA1gblsvoYvAz00d24Y6+E4GrGvHil425ivAQXmcJ+vFzXMp7RIukQ==
X-Received: by 2002:a05:620a:4d14:b0:783:3365:64cc with SMTP id wa20-20020a05620a4d1400b00783336564ccmr7767663qkn.47.1705328282936; Mon, 15 Jan 2024 06:18:02 -0800 (PST)
Received: from m8.users.ipa.redhat.com (2603-7000-9400-fe80-0000-0000-0000-0657.res6.spectrum.com. [2603:7000:9400:fe80::657]) by smtp.gmail.com with ESMTPSA id z6-20020a05620a08c600b007811b8e3ff5sm2938036qkz.48.2024.01.15.06.18.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 15 Jan 2024 06:18:02 -0800 (PST)
Message-ID: <90ffa51ae521e865626c1954cc914155525a701b.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Orie Steele <orie@transmute.industries>, Neil Madden <neil.e.madden@gmail.com>
Cc: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Date: Mon, 15 Jan 2024 09:18:02 -0500
In-Reply-To: <CAN8C-_J8fj6D6o3SY-BzxnX54pr2tr9QkMfj3oeyjis7LS5ang@mail.gmail.com>
References: <CAN8C-_K6SOv9s1MG9zw5sbc2sqq5AqJ9eX7av_QUW3-XzGZBQQ@mail.gmail.com> <1F043FBA-692F-4BD6-958B-1CFAE808E847@gmail.com> <CAN8C-_J8fj6D6o3SY-BzxnX54pr2tr9QkMfj3oeyjis7LS5ang@mail.gmail.com>
Organization: Red Hat
User-Agent: Evolution 3.48.4 (3.48.4-1.fc38)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/EMuU3qnAboxxIp45sE41y4lSMEg>
Subject: Re: [COSE] [jose] ML-DSA & SLH-DSA for JOSE and COSE
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jan 2024 14:18:10 -0000

On Sat, 2024-01-13 at 08:53 -0600, Orie Steele wrote:
> Hey Neil : )
> 
> On Sat, Jan 13, 2024 at 8:33 AM Neil Madden <neil.e.madden@gmail.com> wrote:
> 
> > I’m still catching up with JOSE activity from the last year or so, so
> > apologies if this has already been discussed.
> > 
> > If I’m reading the specs right, the smallest signature for ML-DSA is
> > almost 2.5KB on its own — about 10x the size of RSA-2048, which is already
> > pushing it, size-wise, for many applications. Compared to Ed25519 we’re
> > looking at an almost 40-fold increase in size. For SPHINCS+ the smallest
> > appears to be about 8KB — ie on its own it is double the maximum total size
> > for cookie storage in a web browser, and that’s before base64-encoding.
> > 
> > Given that the quantum threat for signatures is less pressing than it is
> > for encryption (where you need to worry about collection happening now),
> > maybe it might be worth waiting to see if the ongoing NIST process throws
> > up some candidates that might be more suitable in a JOSE/COSE scenario? (I
> > only have limited experience with COSE, but surely if anything these
> > concerns are even more acute in that case?)
> > 
> 
> Here is a blog post summarizing the NIST candidates:
> https://blog.cloudflare.com/nist-post-quantum-surprise
> 
> Falcon was the smallest, but seems to have not been chosen:
> 
> "Unfortunately, NIST stated on several occasions that it would choose only
> two signature schemes, but not both Falcon and Dilithium"

It is not clear to me why you read second hand opinions instead of
looking at the official statements, but Falcon has been, in fact,
selected.

NIST has announced 4 QR algorithms, 1 for encryption:
- CRYSTALS-Kyber
And 3 for signatures:
- CRYSTALS-Dilithium,
- Falcon
- SPHINCS+

Official Announcement:
https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms

Page with the list of selected algorithms:
https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022

> This is the reason we (cose wg draft authors) have not revised the falcon
> draft which was adopted by the cose wg.

This is quite surprising to be honest, the selection was 1.5 years ago.

> 
> I agree with your comments, but given the trends we see in LAMPS / TLS, I
> feel it's important that when post quantum signatures roll out elsewhere,
> JOSE and COSE have support for them to the same degree that other protocols
> do.
> 
> In case you are more interested in post quantum alignment, I highly
> recommend:
> 
> https://datatracker.ietf.org/wg/pquip/about/
> 
> In particular, since we have just discussed signatures, keys and params, I
> was planning to follow the advice we got regarding limiting registrations
> for SLH-DSA in JOSE and COSE:
> 
> - https://mailarchive.ietf.org/arch/msg/pqc/bi3fNCDk4upbxnxeVNLUp-5EgEE/
> 
> We could even limit further from 12 to 8 to 6 perhaps (3 levels, and 2 hash
> functions).
> 

I would honestly wait for registration until the Standards are released
because NIST is still tweaking some of the parameters.

There is also the possibility, as it happened before with SHA-3 and
AES, that NIST will rename the algorithms on the final official
standard, and it is messy and confusing to use different names in
standards (nobody uses Keccak or Rjiandel in standards, they all refer
to SHA-3 and AES).

HTH,
Simo.

> Regards,
> 
> OS
> 
> 
> 
> 
> > 
> > — Neil
> > 
> > On 12 Jan 2024, at 22:03, Orie Steele <orie@transmute.industries> wrote:
> > 
> > 
> > Hello Post Quantum Enthusiasts,
> > 
> > We apologize for allowing the drafts to expire, that has now been
> > corrected.
> > 
> > We've published new versions and done a tooling migration to the COSE WG
> > GitHub repository:
> > 
> > - https://github.com/cose-wg/draft-ietf-cose-dilithium
> > - https://github.com/cose-wg/draft-ietf-cose-sphincs-plus
> > 
> > Here is a quick summary of what changed, but of course you can see the
> > full diff in the datatracker.
> > 
> > 1. We adjusted the names to reflect FIPS.204 (IPD) and FIPS.205 (IPD)
> > 2. We removed extraneous text on the details of the algorithms, which is
> > better covered in the references noted above.
> > 3. We provided skeletons for examples
> > 
> > We are seeking implementations of ML-DSA and SLH-DSA in order to update
> > the examples sections, with closer to real world data.
> > 
> > We have opted not to migrate Falcon, the parameter sets for sphincs will
> > probably keep us busy for a while.
> > 
> > I'd like to take this opportunity to complain a bit about this part of the
> > FIPS 205 IPD:
> > 
> > " This standard approves 12 parameter sets for use with SLH-DSA. "
> > 
> > I feel this is a mistake, and wonder if there is any opportunity to reduce
> > this to something less than 4x the number defined by ML-DSA.
> > 
> > Even if NIST preserves all 12, we don't have to register all 12 in
> > draft-ietf-cose-sphincs-plus.
> > 
> > ... I really don't want to have to generate 12 key pairs and signature
> > examples, especially because a single key pair with the required line
> > breaks is likely to be longer than the entire draft.
> > 
> > Of course, we will do whatever the working group thinks is correct here...
> > what should we do?
> > 
> > Regards,
> > 
> > OS
> > 
> > --
> > 
> > 
> > ORIE STEELE
> > Chief Technology Officer
> > www.transmute.industries
> > 
> > <https://transmute.industries>
> > _______________________________________________
> > jose mailing list
> > jose@ietf.org
> > https://www.ietf.org/mailman/listinfo/jose
> > 
> > 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

v2.23.0 | Report a Bug | By Email