Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf-cose-hash-sig-07: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 05 December 2019 22:18 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38E731201A3; Thu, 5 Dec 2019 14:18:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kR1fxcZmyZWx; Thu, 5 Dec 2019 14:18:15 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08F03120168; Thu, 5 Dec 2019 14:18:14 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id xB5MI6eW029406 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 5 Dec 2019 17:18:09 -0500
Date: Thu, 5 Dec 2019 14:18:06 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Russ Housley <housley@vigilsec.com>
Cc: Jim Schaad <jimsch@augustcellars.com>, IESG <iesg@ietf.org>, cose <cose@ietf.org>
Message-ID: <20191205221806.GH13890@kduck.mit.edu>
References: <157539486101.24700.12161503456212968239.idtracker@ietfa.amsl.com> <619FB9BA-BDEB-4E31-BC04-DF265F27E51D@vigilsec.com> <559B8753-15F1-4C18-A604-686FD0A96215@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <559B8753-15F1-4C18-A604-686FD0A96215@vigilsec.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/RpxL9SGXhThL6AkzhuXoC71HT1A>
Subject: Re: [COSE] Benjamin Kaduk's Discuss on draft-ietf-cose-hash-sig-07: (with DISCUSS and COMMENT)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 22:18:17 -0000

Hi Russ,

On Wed, Dec 04, 2019 at 04:06:34PM -0500, Russ Housley wrote:
> Ben:
> 
> I am trying to work with Jim Schaad on your DISCUSS comment.  He has done an implementation, so I'd like to get his insight.

As it happens, I had had the same thought, so I expect he had the answer at
hand for you :)

> Turning to your comments ...
> 
> > 
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> > 
> > Related to the above Discuss, should we have an explicit statement that we do
> > not define a way to convey an HSS/LMS private key in a COSE_Key object?
> > (I think it is correct to not define such a thing, since conveying a
> > stateful private key is something of a non-sequitur.)
> 
> I agree that we do not want to define such a structure.  I'm not sure where to say anything about it.

The best place I can see is in Section 5 (Operational Considerations), as
something like "Because of the need to maintain state across invocations of
the signing algorithm, a COSE Key Type Parameter for encoding the private
key (and its state) is deliberately not defined; serializing the state for
conveyance presents too great a risk of state reuse to justify any
potential benefit from doing so."

> > It's not entirely clear to me how much of RFC 8554 we need to duplicate
> > in order to give the reader an understanding of the signature structure
> > we're using.  A few times while reading Sections 2.x I had to
> > double-check that I was reading the right document :)
> 
> I tried to achieve a balance.  I wanted to have enough to understand HSS, LMS, and LM-OTS.

Understood, and I'm deferring to you on judging the balance.

> > Section 1.1
> > 
> >  If large-scale quantum computers are ever built, these computers will
> >  be able to break many of the public-key cryptosystems currently in
> >  use.  A post-quantum cryptosystem [PQC] is a system that is secure
> >  against quantum computers that have more than a trivial number of
> >  quantum bits (qubits).  It is open to conjecture when it will be
> > 
> > (nit: they're also secure against quantum computers that do have a
> > trivial number of bits.  Yes, I know this is also true about classical
> > signature algorithms with sufficiently large keys, but the text here is
> > perhaps not making quite the point we want to make.)
> 
> I suggest:
> 
>    If large-scale quantum computers are ever built, these computers will
>    have more than a trivial number of quantum bits (qubits) and they
>    will be able to break many of the public-key cryptosystems currently
>    in use.  A post-quantum cryptosystem [PQC] is a system that is secure
>    against against such large-scale quantum computers.  It is open to
>    conjecture when it will be feasible to build such computers; however,
>    RSA [RFC8017], DSA [DSS], ECDSA [DSS], and EdDSA [RFC8032] are all
>    vulnerable if large-scale quantum computers come to pass.

A nice solution; thanks!

> >  Since the HSS/LMS signature algorithm does not depend on the
> >  difficulty of discrete logarithm or factoring, the HSS/LMS signature
> >  algorithm is considered to be post-quantum secure.  The use of HSS/
> >  LMS hash-based signatures to protect software update distribution,
> >  perhaps using the format that is being specified by the IETF SUIT
> >  Working Group, will allow the deployment of software that implements
> >  new cryptosystems.
> > 
> > In light of the genart reviewer's comments, we could recast this as
> > "there is desire have HSS/LMS-based signatures available to protect
> > software update distribution, including from the IETF SUIT Working
> > Group" to place the focus on the desire, which is more easily fixed in
> > time, rather than the WG output, which will change with time.
> 
> I suggest:
> 
>    Since the HSS/LMS signature algorithm does not depend on the
>    difficulty of discrete logarithm or factoring, the HSS/LMS signature
>    algorithm is considered to be post-quantum secure.  The use of HSS/
>    LMS hash-based signatures to protect software update distribution
>    will allow the deployment of future software that implements new
>    cryptosystems.  By deploying HSS/LMS today, authentication and
>    integrity protection of the future software can be provided, even if
>    advances break current digital signature mechanisms.
> 
> > Section 2.2
> > 
> >  Each tree in the hash-based signature algorithm specified in
> >  [HASHSIG] uses the Leighton-Micali Signature (LMS) system.  LMS
> >  systems have two parameters.  The first parameter is the height of
> >  the tree, h, which is the number of levels in the tree minus one.
> > 
> > I strongly suggest making it more clear that there are two (types of)
> > trees involved -- the HSS tree of Section 2.1, and a tree within a given
> > LMS signature (what's being discussed here).  Just using an unadorned
> > "the tree" is a recipe for confusion.
> 
> Perhaps an introduction sentence is enough:
> 
>    Subordinate LMS trees are placed in the the HSS structure discussed
>    in Section 2.1.  Each tree in the hash-based signature algorithm
>    specified in [HASHSIG] uses the Leighton-Micali Signature (LMS)
>    system. 

It seems to be, yes.

> >  The [HASHSIG] specification defines the value I as the private key
> >  identifier, and the same I value is used for all computations with
> >  the same LMS tree.  In addition, the [HASHSIG] specification defines
> > 
> > I think RFC 8554 uses I as the identifier for the key pair, not just the
> > private key, and it seems that in the COSE context we are more likely to
> > be referring to a public key than a private key.
> 
> Section 4.3 of RFC 8554 says that x, I, and q are taken from the private key, so I think this text is accurate.
> 
> To address your point, I suggest:
> 
>    The [HASHSIG] specification defines the value I as the private key
>    identifier, and the same I value is used for all computations with
>    the same LMS tree.  The value I is also available in the public key.
>    In addition, the [HASHSIG] specification defines the value T[i] as
>    the m-byte string associated with the ith node in the LMS tree, where
>    and the nodes are indexed from 1 to 2^(h+1)-1.  Thus, T[1] is the
>    m-byte string associated with the root of the LMS tree.
> 
> 
> > Section 2.3
> > 
> >     n -  The number of bytes output by the hash function.  This
> >          specification supports only SHA-256 [SHS], with n=32.
> > 
> >     H -  A preimage-resistant hash function that accepts byte strings
> >          of any length, and returns an n-byte string.  This
> >          specification supports only SHA-256 [SHS].
> > 
> > Is supporting other n values basically just a matter of allocating from
> > a registry?  If so, we might want to tweak the wording a bit to leave
> > the possibility for such a generalization.
> 
> Good point.  I suggest:
> 
>    n -  The number of bytes output by the hash function.  For
>         SHA-256 [SHS], n=32.
> 
>    H -  A preimage-resistant hash function that accepts byte strings
>         of any length, and returns an n-byte string.
> 
> >  The LM-OTS signature value can be summarized as the identifier of the
> >  LM-OTS variant, the random value, and a sequence of hash values (y[0]
> >  through y[p-1]) that correspond to the elements of the public key as
> >  described in Section 4.5 of [HASHSIG]:
> > 
> > nit: I'd consider a different wording than "correspond to"; the
> > correspondence is a bit hard to describe clearly, but "hash values that
> > include as input" (or similar) is IMO fairly clear.
> 
> I suggest:
> 
>    The LM-OTS signature value can be summarized as the identifier of the
>    LM-OTS variant, the random value, and a sequence of hash values (y[0]
>    through y[p-1]) as described in Section 4.5 of [HASHSIG]:
> 
>       u32str(otstype) || C || y[0] || ... || y[p-1]
> 
> > Section 3
> > 
> >     o  The 'kty' field MUST be present, and it MUST be 'HSS-LMS'.
> > 
> > (Re. "MUST be present", I note that RFC 8152 already has """The element
> > "kty" is a required element in a COSE_Key map."""
> 
> Yes, but the check is still needed.  I suggest:
> 
>       o  The 'kty' field MUST be 'HSS-LMS'.
> 
> > 
> >     o  If the 'alg' field is present, and it MUST be 'HSS-LMS'.
> > 
> > nit: no "and".
> 
> Fixed.
> 
> > Section 5
> > 
> >  To ensure that none of tree nodes are used to generate more than one
> >  signature, the signer maintains state across different invocations of
> >  the signing algorithm.  Section 12.2 of [HASHSIG] offers some
> >  practical implementation approaches around this statefulness.  In
> > 
> > There is no Section 12.2 in RFC 8554; is perhaps Section 9.2 the
> > intended one?
> 
> Yes.  Good Catch.

Thanks for all the updates!

-Ben