Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 10 March 2022 15:57 UTC
Hi Orie,

TL;DR

This is my interpretation of how things presumably were intended to work:

Each "kty" represents a family of related key algorithms.

Each signature "alg" represents a specific signature algorithm that is compatible with exactly one "kty" family but not necessarily with all of its members. For ECDH, which is polymorphic, things get a little bit more fuzzy since it involves multiple "kty" families.

Since "kty" is a top-level item you should (IMO...) be free to define within reason :) whatever sub-level items that match the algorithm specification.

The bottom line is that it must be easy to figure out which specific key- and signature-algorithms were used, preferably supporting table-driven designs as well.

However, the existing "kty" definitions should (for not breaking existing software) be regarded as frozen even if EC keys indeed can be used both for ECDH and ECDSA (but the use-cases for that are few if any).

If there are strong arguments for not using the same key with multiple signature algorithms (assuming it is actually technically feasible as well), the most robust solution would be to define signature and key algorithms as pairs using the same identifier, but not under the same label since "alg" already is reserved for use in "kty"s. You could also just say that "alg" in a "kty" is RECOMMENDED.

A problem here is that this scheme does not necessarily work at the crypto API level and then it becomes useless. If this problem is for real, I would talk to the algorithm designers to get their view on this as well. This is obviously history in the making :)

Cheers,
Anders

On 2022-03-10 14:57, Orie Steele wrote:
> seems like I should have replied here first... I agree with the comments.
>
> If we think overloading will cause problems we should avoid it.
>
> The problem with switching on key type alone is that there are key types used for multiple signature algorithms.
>
> I would recommend switching on kty + crv when present... but even then, secp256k1 supports both ECDSA (ES256K) and Schnorr (unregistered, but I once proposed SS256K at DIF - https://github.com/decentralized-identity/SchnorrSecp256k1Signature2019)... we also have the problem of normalize to lower s in ES256K... we would probably need a new alg to signal that all ES256K signatures had been normalized... so there is a future where a single public key representation might verify many unique signature formats... without the requirement to signal which one it was "meant for".
>
> Our current approach with dilithium leaves us wishing `alg` were required in all key formats... it's also a best practice not to use the same key material for multiple algorithms... alg needs to be present to help mitigate this, because otherwise any signature that verifies with the key would be acceptable since the key representation does not signal an intention.... depending on your perspective on security, you might think this is a good thing.
>
> All this to say, if you are only looking at `kty` you might have other issues, at least with certain crv values that are registered today, we should avoid making this problem worse.
>
> OS
>
> On Thu, Mar 10, 2022 at 4:27 AM Mike Prorock <mprorock@mesur.io> wrote:
>
> > Thanks Anders,
> > This implementation side is exactly why I set kty as a unique value first. This work started when I was testing an implementation of Dilithium, and then SPHINCS+ with some of our existing code and I wanted a clean way to branch down a path to the new libs without adjusting our existing code that switches on key types. This was so that we could begin validating our ability to handle post quantum algorithms once NIST finalizes, based on a few customer requests.
> >
> > Mike Prorock
> > mesur.io
>
> --
> *ORIE STEELE*
> Chief Technical Officer
> www.transmute.industries
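
Added example, not part of the original message and not code from any participant or from the draft: a table-driven check of the kind discussed in this thread, showing that a secp256k1 key without `alg` is accepted for every compatible signature algorithm, while a key that declares `alg` is pinned to one. The JWK-style string names, the function names and the sample keys are assumptions made for the illustration; "SS256K" is the unregistered name mentioned in the quoted message.

```python
"""Table-driven alg/key compatibility check (constructed example)."""

# alg -> (kty family, crv members it accepts). JWK-style names are an
# assumption; "SS256K" is the unregistered Schnorr name from the thread.
ALG_TABLE = {
    "ES256": ("EC", {"P-256"}),
    "ES256K": ("EC", {"secp256k1"}),
    "SS256K": ("EC", {"secp256k1"}),
    "EdDSA": ("OKP", {"Ed25519", "Ed448"}),
}


class KeyPolicyError(ValueError):
    """The key may not be used with the requested signature algorithm."""


def candidate_algs(key):
    """Algorithms a verifier would accept if it looked at kty + crv only."""
    return sorted(
        alg for alg, (kty, crvs) in ALG_TABLE.items()
        if key.get("kty") == kty and key.get("crv") in crvs
    )


def check_alg(key, header_alg, require_key_alg=False):
    """Return header_alg if the key is allowed to verify it, else raise."""
    if header_alg not in ALG_TABLE:
        raise KeyPolicyError(f"unknown alg {header_alg!r}")
    kty, crvs = ALG_TABLE[header_alg]
    if key.get("kty") != kty:
        raise KeyPolicyError(f"{header_alg} needs kty {kty}, got {key.get('kty')!r}")
    if key.get("crv") not in crvs:
        raise KeyPolicyError(f"{header_alg} does not accept crv {key.get('crv')!r}")
    key_alg = key.get("alg")
    if key_alg is None:
        if require_key_alg:
            raise KeyPolicyError("key does not declare alg")
        return header_alg  # key signals no intention: any compatible alg passes
    if key_alg != header_alg:
        raise KeyPolicyError(f"key is bound to {key_alg}, not {header_alg}")
    return header_alg


# Constructed sample keys (public coordinates omitted; only metadata is checked).
UNBOUND_KEY = {"kty": "EC", "crv": "secp256k1"}
BOUND_KEY = {"kty": "EC", "crv": "secp256k1", "alg": "ES256K"}
```

Calling `check_alg` with `require_key_alg=True` models the stricter policy in which `alg` is required in every key representation.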