[COSE] Re: [jose] Re: WGLC for draft-ietf-cose-dilithium

Orie Steele <orie@transmute.industries> Wed, 11 December 2024 18:02 UTC


Hi Neil (and thanks Brian),

I have started processing your feedback here:

https://github.com/cose-wg/draft-ietf-cose-dilithium/pull/14

Neil, may I add your name (Neil Madden) to the acknowledgements section of
this document?

I have not yet addressed all your comments, and will leave the issue
tracking them open until I can resolve them.

In particular your comment on choice of ctx requires some coordination with
LAMPS:

https://github.com/lamps-wg/dilithium-certificates/issues/24

Thank you for these comments, they are excellent.

Regards,

OS



On Tue, Nov 19, 2024 at 1:33 PM Neil Madden <neil.e.madden@gmail.com> wrote:

> Thanks Brian, I wasn’t aware this was in WGLC.
>
> I doubt this will see much if any real-world use, because ML-DSA
> signatures are so enormous. But I have no objection to it being published.
>
>
> That said, the draft seems *very* underspecified. The definition of the
> AKP key type seems to just be by example. There’s no specification of what
> fields it contains or what format they take. Presumably the idea is that it
> has “pub” and “priv” fields that are arbitrary bytes (base64-encoded for
> JWK) and that beyond that the format is determined by the “alg” field, but
> the draft doesn’t say any of this. The examples are also truncated (without
> saying they are).
>
> It should then say exactly what “pub” and “priv” contain for ML-DSA at
> least! Are they X.509 or what? It appears that the “priv” field contains
> only the 32-byte seed, and that a library will need to call KeyGen_internal
> to convert that into an actual private key to pass to the sign procedure?
> (Which presumably, given the name, might not be exposed by crypto modules?)
>
> Getting on to the actual signature algorithm, FIPS 204 says that signing
> takes a context string. What is this set to for JOSE/COSE?
>
> What is the format of the signature? Presumably it’s the base64url-encoded
> output of the FIPS 204 signing process?
>
> The test vectors should document what the various fields are (some appear
> to be hex, others base64), and maybe the step by step computations. I’m
> also not sure an all-zero private key, and reusing the same key for all
> algorithms, is necessarily a good way to generate test vectors.
>
> Are there really no independent security considerations? At the very least
> perhaps point out that the public keys and signatures are much larger than
> for any other algorithm currently specified. I’d have assumed that was a
> concern for COSE.
>
> I think at the current state of the draft I would not be confident that I
> could implement it and be sure of interoperating with anyone.
>
> — Neil
>
> On 19 Nov 2024, at 18:14, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>
> Sending to the JOSE list too in hopes of soliciting some informed review
> from folks in that WG.  As the title suggests "ML-DSA for JOSE and COSE" is
> for JOSE as well as COSE.
>
>
> On Tue, Nov 19, 2024 at 9:47 AM Michael Jones <michael_b_jones@hotmail.com>
> wrote:
>
>> Hi all,
>>
>>
>>
>> This message starts the Working Group Last Call (WGLC) for
>> https://www.ietf.org/archive/id/draft-ietf-cose-dilithium-04.html
>> (ML-DSA for JOSE and COSE), as was discussed at IETF 121 in Dublin.  The
>> WGLC will run for two weeks, ending on Tuesday, December 3, 2024.
>>
>>
>>
>> Please review and send any comments or feedback to the working group.
>> Even if your feedback is “this is ready for publication”, please let us
>> know.
>>
>>
>>
>> Thank you,
>>
>> -- Mike and Ivaylo, COSE Chairs
>>
>>
>> _______________________________________________
>> COSE mailing list -- cose@ietf.org
>> To unsubscribe send an email to cose-leave@ietf.org
>>
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>
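
Added example (not code from the draft or from anyone in this thread): a structural check of an AKP JWK under the reading described in the quoted review, where "pub" and "priv" are base64url byte strings, "priv" is the 32-byte seed, and "alg" determines the expected lengths. The "ML-DSA-44/65/87" alg values are assumed from the FIPS 204 parameter-set names, the byte sizes are the FIPS 204 ones, and the sample key is constructed zero bytes rather than a real key.

```python
import base64
import re

# FIPS 204 sizes in bytes per parameter set: (public key, signature).
ML_DSA_SIZES = {"ML-DSA-44": (1312, 2420),
                "ML-DSA-65": (1952, 3309),
                "ML-DSA-87": (2592, 4627)}
SEED_LEN = 32  # assumption taken from the review: "priv" is the 32-byte seed

def b64url_decode(text):
    """Decode unpadded base64url strictly; b64decode alone skips bad characters."""
    if not isinstance(text, str) or not re.fullmatch(r"[A-Za-z0-9_-]*", text):
        raise ValueError("not unpadded base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_akp_jwk(jwk):
    """Return a list of problems; an empty list means the structure is plausible."""
    if jwk.get("kty") != "AKP":
        return ["kty is not AKP"]
    alg = jwk.get("alg")
    if alg not in ML_DSA_SIZES:
        return ["alg is missing or not a known ML-DSA parameter set"]
    problems = [] if "pub" in jwk else ["pub is missing"]
    for name, want in (("pub", ML_DSA_SIZES[alg][0]), ("priv", SEED_LEN)):
        if name not in jwk:
            continue  # "priv" is legitimately absent from a public JWK
        try:
            got = len(b64url_decode(jwk[name]))
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if got != want:  # catches truncated examples and expanded private keys
            problems.append(f"{name}: {got} bytes, expected {want} for {alg}")
    return problems

def signature_segment_chars(alg):
    """Characters the signature adds to a compact JWS (unpadded base64url)."""
    return (ML_DSA_SIZES[alg][1] * 4 + 2) // 3

def sample_jwk(alg):
    """Constructed placeholder: zero bytes of the right length, not a real key."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return {"kty": "AKP", "alg": alg,
            "pub": enc(bytes(ML_DSA_SIZES[alg][0])), "priv": enc(bytes(SEED_LEN))}
```

A key whose "pub" has been shortened for display, as the review says the draft's examples are, fails the length check instead of being accepted silently.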