IETF Logo Mail Archive

Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]

John K <stable.pseudonym@gmail.com> Thu, 10 March 2022 20:31 UTC

Return-Path: <stable.pseudonym@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C17303A1BB3 for <cose@ietfa.amsl.com>; Thu, 10 Mar 2022 12:31:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1o9aXl_zR9hl for <cose@ietfa.amsl.com>; Thu, 10 Mar 2022 12:31:31 -0800 (PST)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0569E3A0CD2 for <cose@ietf.org>; Thu, 10 Mar 2022 12:31:31 -0800 (PST)
Received: by mail-qk1-x730.google.com with SMTP id k125so9683qkf.0 for <cose@ietf.org>; Thu, 10 Mar 2022 12:31:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to; bh=yu8HxoIbn8U5bvs4MdBwFoEzS2iguYr4FJ4cj0jpC4M=; b=Jl52vFQPYoJUlRM8aaYNJfUK+LnTuzELNiMTlIVqldwG0W7aFMtcxmUqSQY4T8PAa0 8U3Qpf2rUsOJr81eA62wk3JOzsE1UAFAiTdmeNMiwBeiGqoMJ/ZHYq64XlDuBAWzyDjX 9MzKTsacnuzvvSXY5f5SRJQKUeA9cqAKJL6Ebhn7T7QKrrsckfYAVJEv5drNlttWrYrn 7s+39eA3ttJoFlAh458WEEkhBUKd9w5KaYyYgpZVjUBlHneC9xop9X5Bad4PZIqbQL1x SgyWICWsKmBt5xCumunjediZe8ZI7VQu/jVI4yWk2A9dDWt1iFdEiU/FIbgHAhPc758M aFYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to; bh=yu8HxoIbn8U5bvs4MdBwFoEzS2iguYr4FJ4cj0jpC4M=; b=FhsqoyN0nFquIyvER8vEWvWygGGbe/LcYgsuvV+6CKoCmEXv8rVYQxpGRlv2ssssxY 6rcKBu5wpO8XVZpq6rRzwec+g1fPI4uA8Ey1r2wRo3k2SJw7XFz65chaAvxGtbQgdTlD qfFlImgGAlbcyw1CJJ36xpgnD12qXwjsUjl9QUbSdkf1RbJFB7ZxqZqaVmpSgZOsi+43 X6f0B+eHPYfrc/REZ+1qsIwszRWKXPfkIvTFjJcarV/LUdt0b7BvnmMtvo+TqlbwMxha uAj3uv5GKpTO2DQsUxpH3Dq2ysf6RWfhr2tA+BYFZ8P8jBOXN/oljYnsaSGT5N6iYIFk d+eg==
X-Gm-Message-State: AOAM531uY46Qwyhd7SDo3oRDYbLKb96tN+s8e3gGfAvsIevtyrWsPA6I 3lnn3solTYD4yVvv4a68yq8O48BOIes=
X-Google-Smtp-Source: ABdhPJyTrkvK9vZynjou4ZYya/5LzwFtk2M9EAc8cP/LZHdoUYjaIcWdzZZXV9dUI+5qpfIPTw/sjg==
X-Received: by 2002:a05:620a:34a:b0:663:83c1:fb06 with SMTP id t10-20020a05620a034a00b0066383c1fb06mr4408619qkm.317.1646944289277; Thu, 10 Mar 2022 12:31:29 -0800 (PST)
Received: from [192.168.0.207] (cpe-66-66-241-33.rochester.res.rr.com. [66.66.241.33]) by smtp.gmail.com with ESMTPSA id u3-20020a05622a010300b002dd22803f20sm3755183qtw.46.2022.03.10.12.31.28 for <cose@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 10 Mar 2022 12:31:28 -0800 (PST)
Content-Type: multipart/alternative; boundary="------------T3K1YDHCBvmg002wflALdFWu"
Message-ID: <6b7872bf-92fe-2645-b06e-0df7e6784aec@gmail.com>
Date: Thu, 10 Mar 2022 15:31:27 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: cose@ietf.org
References: <SA2PR00MB1002092057CE9580A4029532F50B9@SA2PR00MB1002.namprd00.prod.outlook.com>
From: John K <stable.pseudonym@gmail.com>
In-Reply-To: <SA2PR00MB1002092057CE9580A4029532F50B9@SA2PR00MB1002.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/EsSQ1b9ovRWbzoc6wJMSwSR6jsQ>
Subject: Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2022 20:31:36 -0000

I think there are several related items being discussed:

On 3/10/22 12:15, Mike Jones wrote:
>
> As the inventor of “kty”, I’ll say that its intent is to indicate 
> which key syntax is used among keys representations that are 
> syntactically different.  It’s for syntax – not semantics.
>
OK, so kty is intended to be a way of coding how the remaining 
parameters in a JWK should be treated? That is different than the "key 
generation algorithm", or mechanism used to generate the key (ie. which 
curve was used, which shows up in "crv").

> To understand the semantics of how to use the key, you have to also 
> know the “alg” value, as many algorithms may use keys with the same 
> syntax – such as “OKP”.
>
 From my use of JOSE, I would say that 'alg' actually indicates a 
signature *profile* (a combination of algorithms), which may indicate 
both a signature algorithm AND a hashing algorithm, and even some other 
parameters (as in RSA-PSS use of MGF).

Regards,

- johnk

> -- Mike
>
> *From:* Mike Prorock <mprorock@mesur.io>
> *Sent:* Thursday, March 10, 2022 9:06 AM
> *To:* Anders Rundgren <anders.rundgren.net@gmail.com>
> *Cc:* Orie Steele <orie@transmute.industries>es>; Mike Jones 
> <Michael.Jones@microsoft.com>om>; Russ Housley <housley@vigilsec.com>om>; 
> cose@ietf.org
> *Subject:* [EXTERNAL] Re: [COSE] 
> draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE 
> Agenda Items for IETF 113 in Vienna]
>
> Anders,
>
> That read closely matches my interpretation as well, and is part of 
> why i suggested that we might want one new 'kty' for post quantum, or 
> perhaps two in this case (breaking things apart by family of 
> algorithms) - 1) for lattice based algorithms, possibly 'PQL', and 2) 
> for hash based approaches, perhaps 'PQH'
>
> This way the kty is additionally informational in that we are 
> indicating that the algorithms are post quantum in nature, and then 
> the specific family of post quantum approach that is being followed.  
> This could be very beneficial with something like SPHINCS+ where then 
> the 'alg' can break out as required for:
>
> SPHINCS+-SHAKE256-[PARAMETERS]
> SPHINCS+-SHA-256-[PARAMETERS]
> SPHINCS+-Haraka-[PARAMETERS]
>
>
> Mike Prorock
>
> CTO, Founder
>
> https://mesur.io/
>
> On Thu, Mar 10, 2022 at 10:56 AM Anders Rundgren 
> <anders.rundgren.net@gmail.com> wrote:
>
>     Hi Orie,
>
>     TL;DR
>
>     This is my interpretation of how things presumably were intended
>     to work:
>
>     Each "kty" represents a family of related key algorithms.
>
>     Each signature "alg" represents a specific signature algorithm
>     that is compatible with exactly one "kty" family but not
>     necessarily with all of its members.  For ECDH which is
>     polymorphic things gets a little bit more fuzzy since it involves
>     multiple "kty" families.
>
>     Since "kty" is a top-level item you should (IMO...) be free to
>     define within reason :) whatever sub-level items that matches the
>     algorithm specification.  The bottom line is that it must be easy
>     to figure out which specific key- and signature-algorithms that
>     were used, preferably supporting table-driven designs as well.
>
>     However, the existing "kty" definitions should (for not breaking
>     existing software) be regarded as frozen even if EC keys indeed
>     can be used both for ECDH and ECDSA (but the use-cases for that
>     are few if any).
>
>     If there are strong arguments for not using the same key with
>     multiple signature algorithms (assuming it is actually technically
>     feasible as well), the most robust solution would be to define
>     signature and key algorithms as pairs using the same identifier,
>     but not under the same label since "alg" already is reserved for
>     use in "kty"s. You could also just say that "alg" in a "kty" is
>     RECOMMENDED.  A problem here is that this scheme does not
>     necessarily work at the crypto API level and then it becomes
>     useless.  If this problem is for real, I would talk to the
>     algorithms designers to get their view on this as well.  This is
>     obviously history in the making :)
>
>     Cheers,
>     Anders
>
>
>     On 2022-03-10 14:57, Orie Steele wrote:
>     > seems like I should have replied here first... I agree with the
>     comments.
>     >
>     > If we think overloading will cause problems we should avoid it.
>     >
>     > The problem with switching on key type alone is that there are
>     key types used for multiple signature algorithms.
>     >
>     > I would recommend switching on kty + crv when present... but
>     even then, secp256k1 supports both ECDSA (ES256K) and Schnorr
>     (unregistered, but I once proposed SS256K at DIF -
>     https://github.com/decentralized-identity/SchnorrSecp256k1Signature2019
>     <https://github.com/decentralized-identity/SchnorrSecp256k1Signature2019>)...
>     we also have the problem of normalize to lower s in ES256K... we
>     would probably need a new alg to signal that all ES256K signatures
>     had been normalized... so there is a future where a single public
>     key representation might verify many unique signature formats...
>     without the requirement to signal which one it was "meant for".
>     >
>     > Our current approach with dilithium leaves us wishing `alg` were
>     required in all key formats... it's also a best practice not to
>     use the same key material for multiple algorithms... alg needs to
>     be present to help mitigate this, because otherwise any signature
>     that verifies with the key would be acceptable since the key
>     representation does not signal an intention.... depending on your
>     perspective on security, you might think this is a good thing.
>     >
>     > All this to say, if you are only looking at `kty` you might have
>     other issues, at least with certain crv values that are registered
>     today, we should avoid making this problem worse.
>     >
>     > OS
>     >
>     >
>     > On Thu, Mar 10, 2022 at 4:27 AM Mike Prorock <mprorock@mesur.io
>     <mailto:mprorock@mesur.io>> wrote:
>     >
>     >     Thanks Anders,
>     >     This implementation side is exactly why I set kty as a
>     unique value first.  This work started when I was testing an
>     implementation of Dilithium, and then SPHINCS+ with some of our
>     existing code and I wanted a clean way to branch down a path to
>     the new libs without adjusting our existing code that switches on
>     key types.  This was so that we could begin validating our ability
>     to handle post quantum algorithms once NIST finalizes, based on a
>     few customer requests.
>     >
>     >     Mike Prorock
>     > mesur.io <http://mesur.io> <http://mesur.io>
>     >
>     >
>     >
>     > --
>     > *ORIE STEELE*
>     > Chief Technical Officer
>     > www.transmute.industries <http://www.transmute.industries>
>     >
>     > <https://www.transmute.industries>
>
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose

v2.8.7 | Report a Bug | By Email