### Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf-cose-hash-sig-07: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 05 December 2019 22:18 UTC

Return-Path: <kaduk@mit.edu>

X-Original-To: cose@ietfa.amsl.com

Delivered-To: cose@ietfa.amsl.com

Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 38E731201A3;
Thu, 5 Dec 2019 14:18:17 -0800 (PST)

X-Virus-Scanned: amavisd-new at amsl.com

X-Spam-Flag: NO

X-Spam-Score: -4.2

X-Spam-Level:

X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no

Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id kR1fxcZmyZWx; Thu, 5 Dec 2019 14:18:15 -0800 (PST)

Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 08F03120168;
Thu, 5 Dec 2019 14:18:14 -0800 (PST)

Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56)
(User authenticated as kaduk@ATHENA.MIT.EDU)
by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id xB5MI6eW029406
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
Thu, 5 Dec 2019 17:18:09 -0500

Date: Thu, 5 Dec 2019 14:18:06 -0800

From: Benjamin Kaduk <kaduk@mit.edu>

To: Russ Housley <housley@vigilsec.com>

Cc: Jim Schaad <jimsch@augustcellars.com>, IESG <iesg@ietf.org>,
cose <cose@ietf.org>

Message-ID: <20191205221806.GH13890@kduck.mit.edu>

References: <157539486101.24700.12161503456212968239.idtracker@ietfa.amsl.com>
<619FB9BA-BDEB-4E31-BC04-DF265F27E51D@vigilsec.com>
<559B8753-15F1-4C18-A604-686FD0A96215@vigilsec.com>

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Disposition: inline

In-Reply-To: <559B8753-15F1-4C18-A604-686FD0A96215@vigilsec.com>

User-Agent: Mutt/1.12.1 (2019-06-15)

Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/RpxL9SGXhThL6AkzhuXoC71HT1A>

Subject: Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf-cose-hash-sig-07:
(with DISCUSS and COMMENT)

X-BeenThere: cose@ietf.org

X-Mailman-Version: 2.1.29

Precedence: list

List-Id: CBOR Object Signing and Encryption <cose.ietf.org>

List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>,
<mailto:cose-request@ietf.org?subject=unsubscribe>

List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>

List-Post: <mailto:cose@ietf.org>

List-Help: <mailto:cose-request@ietf.org?subject=help>

List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>,
<mailto:cose-request@ietf.org?subject=subscribe>

X-List-Received-Date: Thu, 05 Dec 2019 22:18:17 -0000

Hi Russ, On Wed, Dec 04, 2019 at 04:06:34PM -0500, Russ Housley wrote: > Ben: > > I am trying to work with Jim Schaad on your DISCUSS comment. He has done an implementation, so I'd like to get his insight. As it happens, I had had the same thought, so I expect he had the answer at hand for you :) > Turning to your comments ... > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Related to the above Discuss, should we have an explicit statement that we do > > not define a way to convey an HSS/LMS private key in a COSE_Key object? > > (I think it is correct to not define such a thing, since conveying a > > stateful private key is something of a non-sequitur.) > > I agree that we do not want to define such a structure. I'm not sure where to say anything about it. The best place I can see is in Section 5 (Operational Considerations), as something like "Because of the need to maintain state across invocations of the signing algorithm, a COSE Key Type Parameter for encoding the private key (and its state) is deliberately not defined; serializing the state for conveyance presents too great a risk of state reuse to justify any potential benefit from doing so." > > It's not entirely clear to me how much of RFC 8554 we need to duplicate > > in order to give the reader an understanding of the signature structure > > we're using. A few times while reading Sections 2.x I had to > > double-check that I was reading the right document :) > > I tried to achieve a balance. I wanted to have enough to understand HSS, LMS, and LM-OTS. Understood, and I'm deferring to you on judging the balance. > > Section 1.1 > > > > If large-scale quantum computers are ever built, these computers will > > be able to break many of the public-key cryptosystems currently in > > use. A post-quantum cryptosystem [PQC] is a system that is secure > > against quantum computers that have more than a trivial number of > > quantum bits (qubits). It is open to conjecture when it will be > > > > (nit: they're also secure against quantum computers that do have a > > trivial number of bits. Yes, I know this is also true about classical > > signature algorithms with sufficiently large keys, but the text here is > > perhaps not making quite the point we want to make.) > > I suggest: > > If large-scale quantum computers are ever built, these computers will > have more than a trivial number of quantum bits (qubits) and they > will be able to break many of the public-key cryptosystems currently > in use. A post-quantum cryptosystem [PQC] is a system that is secure > against against such large-scale quantum computers. It is open to > conjecture when it will be feasible to build such computers; however, > RSA [RFC8017], DSA [DSS], ECDSA [DSS], and EdDSA [RFC8032] are all > vulnerable if large-scale quantum computers come to pass. A nice solution; thanks! > > Since the HSS/LMS signature algorithm does not depend on the > > difficulty of discrete logarithm or factoring, the HSS/LMS signature > > algorithm is considered to be post-quantum secure. The use of HSS/ > > LMS hash-based signatures to protect software update distribution, > > perhaps using the format that is being specified by the IETF SUIT > > Working Group, will allow the deployment of software that implements > > new cryptosystems. > > > > In light of the genart reviewer's comments, we could recast this as > > "there is desire have HSS/LMS-based signatures available to protect > > software update distribution, including from the IETF SUIT Working > > Group" to place the focus on the desire, which is more easily fixed in > > time, rather than the WG output, which will change with time. > > I suggest: > > Since the HSS/LMS signature algorithm does not depend on the > difficulty of discrete logarithm or factoring, the HSS/LMS signature > algorithm is considered to be post-quantum secure. The use of HSS/ > LMS hash-based signatures to protect software update distribution > will allow the deployment of future software that implements new > cryptosystems. By deploying HSS/LMS today, authentication and > integrity protection of the future software can be provided, even if > advances break current digital signature mechanisms. > > > Section 2.2 > > > > Each tree in the hash-based signature algorithm specified in > > [HASHSIG] uses the Leighton-Micali Signature (LMS) system. LMS > > systems have two parameters. The first parameter is the height of > > the tree, h, which is the number of levels in the tree minus one. > > > > I strongly suggest making it more clear that there are two (types of) > > trees involved -- the HSS tree of Section 2.1, and a tree within a given > > LMS signature (what's being discussed here). Just using an unadorned > > "the tree" is a recipe for confusion. > > Perhaps an introduction sentence is enough: > > Subordinate LMS trees are placed in the the HSS structure discussed > in Section 2.1. Each tree in the hash-based signature algorithm > specified in [HASHSIG] uses the Leighton-Micali Signature (LMS) > system. It seems to be, yes. > > The [HASHSIG] specification defines the value I as the private key > > identifier, and the same I value is used for all computations with > > the same LMS tree. In addition, the [HASHSIG] specification defines > > > > I think RFC 8554 uses I as the identifier for the key pair, not just the > > private key, and it seems that in the COSE context we are more likely to > > be referring to a public key than a private key. > > Section 4.3 of RFC 8554 says that x, I, and q are taken from the private key, so I think this text is accurate. > > To address your point, I suggest: > > The [HASHSIG] specification defines the value I as the private key > identifier, and the same I value is used for all computations with > the same LMS tree. The value I is also available in the public key. > In addition, the [HASHSIG] specification defines the value T[i] as > the m-byte string associated with the ith node in the LMS tree, where > and the nodes are indexed from 1 to 2^(h+1)-1. Thus, T[1] is the > m-byte string associated with the root of the LMS tree. > > > > Section 2.3 > > > > n - The number of bytes output by the hash function. This > > specification supports only SHA-256 [SHS], with n=32. > > > > H - A preimage-resistant hash function that accepts byte strings > > of any length, and returns an n-byte string. This > > specification supports only SHA-256 [SHS]. > > > > Is supporting other n values basically just a matter of allocating from > > a registry? If so, we might want to tweak the wording a bit to leave > > the possibility for such a generalization. > > Good point. I suggest: > > n - The number of bytes output by the hash function. For > SHA-256 [SHS], n=32. > > H - A preimage-resistant hash function that accepts byte strings > of any length, and returns an n-byte string. > > > The LM-OTS signature value can be summarized as the identifier of the > > LM-OTS variant, the random value, and a sequence of hash values (y[0] > > through y[p-1]) that correspond to the elements of the public key as > > described in Section 4.5 of [HASHSIG]: > > > > nit: I'd consider a different wording than "correspond to"; the > > correspondence is a bit hard to describe clearly, but "hash values that > > include as input" (or similar) is IMO fairly clear. > > I suggest: > > The LM-OTS signature value can be summarized as the identifier of the > LM-OTS variant, the random value, and a sequence of hash values (y[0] > through y[p-1]) as described in Section 4.5 of [HASHSIG]: > > u32str(otstype) || C || y[0] || ... || y[p-1] > > > Section 3 > > > > o The 'kty' field MUST be present, and it MUST be 'HSS-LMS'. > > > > (Re. "MUST be present", I note that RFC 8152 already has """The element > > "kty" is a required element in a COSE_Key map.""" > > Yes, but the check is still needed. I suggest: > > o The 'kty' field MUST be 'HSS-LMS'. > > > > > o If the 'alg' field is present, and it MUST be 'HSS-LMS'. > > > > nit: no "and". > > Fixed. > > > Section 5 > > > > To ensure that none of tree nodes are used to generate more than one > > signature, the signer maintains state across different invocations of > > the signing algorithm. Section 12.2 of [HASHSIG] offers some > > practical implementation approaches around this statefulness. In > > > > There is no Section 12.2 in RFC 8554; is perhaps Section 9.2 the > > intended one? > > Yes. Good Catch. Thanks for all the updates! -Ben

- [COSE] Benjamin Kaduk's Discuss on draft-ietf-cos… Benjamin Kaduk via Datatracker
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Russ Housley
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Russ Housley
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Russ Housley
- Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk