IETF Logo Mail Archive

Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]

Mike Prorock <mprorock@mesur.io> Thu, 10 March 2022 17:06 UTC

Return-Path: <mprorock@mesur.io>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 396463A19E2 for <cose@ietfa.amsl.com>; Thu, 10 Mar 2022 09:06:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mesur-io.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DnfoXwE7Ur0V for <cose@ietfa.amsl.com>; Thu, 10 Mar 2022 09:06:42 -0800 (PST)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18CA53A19E0 for <cose@ietf.org>; Thu, 10 Mar 2022 09:06:41 -0800 (PST)
Received: by mail-vs1-xe32.google.com with SMTP id v62so6715682vsv.1 for <cose@ietf.org>; Thu, 10 Mar 2022 09:06:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mesur-io.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=guhfm+SOBlcacgCIIa99Anso9QdY3hTK5Z07e3Jc4/M=; b=ice9ODt0vSpMy8XVTJiimo6Z4OzIQw8dUHftFAzodmVNbUG7o/eBThafGTGhva849Y DtJ+4tXfh6jzOgpzBNG1Gr+ZL4+2aqyD/3O2+/MBy6C19H5H5sWnS/bvBWkZoV8xrY/b n8s7Tt7pGhOWjuJn/Dwzmfgq+i/BoZPlMtLty9n7G3ufSG2WRIEoNnZ5CY7lfiN3bCUi WND0yQiam298/hwXsgLfKiEA7B1kNdW4NOwBQBKdAq6QEI1faJe4A7FEB7prf0CCOqE5 r7zeJjsNg8/5tDY3q3W7g3NP9Ll0PzJ0LUjIxE1niQi+/u8ljcWKfGev9t2LZaepEk5O cBWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=guhfm+SOBlcacgCIIa99Anso9QdY3hTK5Z07e3Jc4/M=; b=2nV0UQ+QUvvq9vDNB4g5isFMz0o5NcXRUtnU+A2LcmYgV8JYVzIDk2RDs6hOZg8UAC /PbecDi9Vej4Ei1jaOurCv79aveeEPs9xYmEmbqRbzZPANP93dImKHlnZbdIw7800RME +AIatPxD2PRBMBqgtIKUiTKHxIRUvcSDIzpaquZBJCYdrl562zB/1ISeVyrsswmgumaL ZSrnHZBaTxWl3d2t1hXrbBtc5lImQANVXh9h7Bjvw23WXOmxK1z3Gr5fVV/pU22heSD6 93bf6tFkcU4D2j8KLBP9NefWl4VQ7e3zc85Fi0WAbtws8GxofQ5XyNAGQyQhVl04FLxX zARw==
X-Gm-Message-State: AOAM533j0Uw+ErYzdgVQFyrNGnA3hrlYX3cnnxeAkzysb3/P3033G9Rc mI0utgM/feUJT3KfzeIunWNr1QiorsQFngTycX594n4BVi+7
X-Google-Smtp-Source: ABdhPJxwKHnlP9hmMNRgOREGTRr/UxidlkDUaaFN9T+OyLIysOXrTnA7BTAQcYlIA8uWO3b6fhJICsIPrYplSFRfA3U=
X-Received: by 2002:a67:6f87:0:b0:322:79bc:2603 with SMTP id k129-20020a676f87000000b0032279bc2603mr2977198vsc.19.1646932000394; Thu, 10 Mar 2022 09:06:40 -0800 (PST)
MIME-Version: 1.0
References: <SA2PR00MB1002C64FDF9A7CF14E95D135F50B9@SA2PR00MB1002.namprd00.prod.outlook.com> <a730ecbe-bbc5-2df1-ec60-a43353507b93@gmail.com> <CAGJKSNSY5WdXXRrE-GBi7zgsy69ea8MhPsc0P4X7tNB4=JDRtw@mail.gmail.com> <CAN8C-_+6ydynEFqiKvK2ONw9cwDxDX0F8xBXm4x6awvNfHOnkw@mail.gmail.com> <91bb290a-b109-ae35-6188-44568e44197c@gmail.com>
In-Reply-To: <91bb290a-b109-ae35-6188-44568e44197c@gmail.com>
From: Mike Prorock <mprorock@mesur.io>
Date: Thu, 10 Mar 2022 12:06:29 -0500
Message-ID: <CAGJKSNQ-ToZyVeXvf5U+GmN6kunSgydLpRNHLA0-aey-ZTCj_Q@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Orie Steele <orie@transmute.industries>, Mike Jones <Michael.Jones@microsoft.com>, Russ Housley <housley@vigilsec.com>, cose@ietf.org
Content-Type: multipart/alternative; boundary="000000000000da642d05d9e03c7b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/LWFzYKSfLZcWg5f4OPxQOlqk23o>
Subject: Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2022 17:06:48 -0000

Anders,
That read closely matches my interpretation as well, and is part of why i
suggested that we might want one new 'kty' for post quantum, or perhaps two
in this case (breaking things apart by family of algorithms) - 1) for
lattice based algorithms, possibly 'PQL', and 2) for hash based approaches,
perhaps 'PQH'
This way the kty is additionally informational in that we are indicating
that the algorithms are post quantum in nature, and then the specific
family of post quantum approach that is being followed.  This could be very
beneficial with something like SPHINCS+ where then the 'alg' can break out
as required for:
SPHINCS+-SHAKE256-[PARAMETERS]
SPHINCS+-SHA-256-[PARAMETERS]
SPHINCS+-Haraka-[PARAMETERS]

Mike Prorock
CTO, Founder
https://mesur.io/



On Thu, Mar 10, 2022 at 10:56 AM Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> Hi Orie,
>
> TL;DR
>
> This is my interpretation of how things presumably were intended to work:
>
> Each "kty" represents a family of related key algorithms.
>
> Each signature "alg" represents a specific signature algorithm that is
> compatible with exactly one "kty" family but not necessarily with all of
> its members.  For ECDH which is polymorphic things gets a little bit more
> fuzzy since it involves multiple "kty" families.
>
> Since "kty" is a top-level item you should (IMO...) be free to define
> within reason :) whatever sub-level items that matches the algorithm
> specification.  The bottom line is that it must be easy to figure out which
> specific key- and signature-algorithms that were used, preferably
> supporting table-driven designs as well.
>
> However, the existing "kty" definitions should (for not breaking existing
> software) be regarded as frozen even if EC keys indeed can be used both for
> ECDH and ECDSA (but the use-cases for that are few if any).
>
> If there are strong arguments for not using the same key with multiple
> signature algorithms (assuming it is actually technically feasible as
> well), the most robust solution would be to define signature and key
> algorithms as pairs using the same identifier, but not under the same label
> since "alg" already is reserved for use in "kty"s.  You could also just say
> that "alg" in a "kty" is RECOMMENDED.  A problem here is that this scheme
> does not necessarily work at the crypto API level and then it becomes
> useless.  If this problem is for real, I would talk to the algorithms
> designers to get their view on this as well.  This is obviously history in
> the making :)
>
> Cheers,
> Anders
>
>
> On 2022-03-10 14:57, Orie Steele wrote:
> > seems like I should have replied here first... I agree with the comments.
> >
> > If we think overloading will cause problems we should avoid it.
> >
> > The problem with switching on key type alone is that there are key types
> used for multiple signature algorithms.
> >
> > I would recommend switching on kty + crv when present... but even then,
> secp256k1 supports both ECDSA (ES256K) and Schnorr (unregistered, but I
> once proposed SS256K at DIF -
> https://github.com/decentralized-identity/SchnorrSecp256k1Signature2019 <
> https://github.com/decentralized-identity/SchnorrSecp256k1Signature2019>)t;)...
> we also have the problem of normalize to lower s in ES256K... we
> would probably need a new alg to signal that all ES256K signatures had been
> normalized... so there is a future where a single public key
> representation might verify many unique signature formats... without the
> requirement to signal which one it was "meant for".
> >
> > Our current approach with dilithium leaves us wishing `alg` were
> required in all key formats... it's also a best practice not to use the
> same key material for multiple algorithms... alg needs to be present to
> help mitigate this, because otherwise any signature that verifies with the
> key would be acceptable since the key representation does not signal an
> intention.... depending on your perspective on security, you
> might think this is a good thing.
> >
> > All this to say, if you are only looking at `kty` you might have other
> issues, at least with certain crv values that are registered today, we
> should avoid making this problem worse.
> >
> > OS
> >
> >
> > On Thu, Mar 10, 2022 at 4:27 AM Mike Prorock <mprorock@mesur.io <mailto:
> mprorock@mesur.io>> wrote:
> >
> >     Thanks Anders,
> >     This implementation side is exactly why I set kty as a unique value
> first.  This work started when I was testing an implementation of
> Dilithium, and then SPHINCS+ with some of our existing code and I wanted a
> clean way to branch down a path to the new libs without adjusting our
> existing code that switches on key types.  This was so that we could begin
> validating our ability to handle post quantum algorithms once NIST
> finalizes, based on a few customer requests.
> >
> >     Mike Prorock
> >     mesur.io <http://mesur.io>
> >
> >
> >
> > --
> > *ORIE STEELE*
> > Chief Technical Officer
> > www.transmute.industries
> >
> > <https://www.transmute.industries>
>
>

v2.8.7 | Report a Bug | By Email