IETF Logo Mail Archive

Re: [COSE] [jose] ML-DSA & SLH-DSA for JOSE and COSE

Neil Madden <neil.e.madden@gmail.com> Sat, 13 January 2024 14:33 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B60A9C14F6EE; Sat, 13 Jan 2024 06:33:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.202
X-Spam-Level:
X-Spam-Status: No, score=-1.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yOAESJro5cKb; Sat, 13 Jan 2024 06:33:47 -0800 (PST)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE9CEC14F6ED; Sat, 13 Jan 2024 06:33:47 -0800 (PST)
Received: by mail-wr1-x435.google.com with SMTP id ffacd0b85a97d-33761776af9so1270825f8f.0; Sat, 13 Jan 2024 06:33:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705156426; x=1705761226; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=o2Or4cVFr6sg+IIM85U1cqI0wS0eOKLQiYYYjMct1Rk=; b=GnXtZHnoxYY9t2GEf8aqnspjUqd0eFygJNL7xe+faXs9lDP7gfeQgyI6CRuLv95t63 LMX8R/VdKYUcIA67h1ntPX0Bx+86DeUCC8ErS9Q7rfoO6aXXzCiOCt8GrW3u5A0Dv/ol pNlmfuo4BqK2RW11ZwSg5N9MNvTGao1vS+hx0hxzZwPTviJO3GlMtNfEUrftlZ3EIftg pTTEyG/8E7ysiSvLkbYuzvfLI6CmwclUGEOxlof5GNs2nAwxo10sqjNbie8ZI4LOiPp1 eQDvzrQz0WXFPuszCv9HbCKj+wyLkuyJhRBsWQGjg8XT3X5uC2tb0itOG6buPTzbtLmN ugUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705156426; x=1705761226; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=o2Or4cVFr6sg+IIM85U1cqI0wS0eOKLQiYYYjMct1Rk=; b=dvvmrp+tIKb/L7FJHZei+2Ou3uLsGf5D/B2+MVXdkmcEWxwvrb9yAir0eFpJ/5zpAx koaD/hxaheQB18nYKivBHD8478pNyY4Ta8iC99ItyU6vfOyqWGEgpfls/Yp3BrhJ6vnW ME0ze/dYe6MVKIrwtGvY7D6MLN7MlPOkoVfsNaVcNb4ybOqkvBcDWglIA0ENduym0eVK KXVnpJgeRyw3ZgRzTGcVIvWR0oOAoyX8I/QZP9gHeeuEzha3zeUeV69jKLKxXC2Cs3Xh TLWUE87eEZIa4nEWRupDIbNPKO6Q+wDYmYEJzR1N7X6R2556+3hf3jDgA/AHLe9Tql51 ZykA==
X-Gm-Message-State: AOJu0Yw7gADNqfP+ZkXFgjeOEW+YoRakffdSwOWL5ioM0MJCplrOyhSY gLfVyoZn4P7QPhKiCSYr2AqVxArvGr8=
X-Google-Smtp-Source: AGHT+IEpzwisNwYavRFyZTPAEt1tdq8+Dn0Wc59bzpFPFMYmXwkSCmkl99/jNdxbygM8r+eWC6OdWw==
X-Received: by 2002:adf:e285:0:b0:337:7598:7f54 with SMTP id v5-20020adfe285000000b0033775987f54mr2789549wri.1.1705156425562; Sat, 13 Jan 2024 06:33:45 -0800 (PST)
Received: from smtpclient.apple (186.75.159.143.dyn.plus.net. [143.159.75.186]) by smtp.gmail.com with ESMTPSA id p19-20020adf9d93000000b003378ea9a7desm6002102wre.33.2024.01.13.06.33.45 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 13 Jan 2024 06:33:45 -0800 (PST)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-0D3268DA-3730-499B-9F95-BA01BB8929AD"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Sat, 13 Jan 2024 14:33:34 +0000
Message-Id: <1F043FBA-692F-4BD6-958B-1CFAE808E847@gmail.com>
References: <CAN8C-_K6SOv9s1MG9zw5sbc2sqq5AqJ9eX7av_QUW3-XzGZBQQ@mail.gmail.com>
Cc: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
In-Reply-To: <CAN8C-_K6SOv9s1MG9zw5sbc2sqq5AqJ9eX7av_QUW3-XzGZBQQ@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
X-Mailer: iPhone Mail (21B101)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Wdy6DC6g_c40sypTjTsu2gdm080>
Subject: Re: [COSE] [jose] ML-DSA & SLH-DSA for JOSE and COSE
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jan 2024 14:33:51 -0000

I’m still catching up with JOSE activity from the last year or so, so apologies if this has already been discussed. 

If I’m reading the specs right, the smallest signature for ML-DSA is almost 2.5KB on its own — about 10x the size of RSA-2048, which is already pushing it, size-wise, for many applications. Compared to Ed25519 we’re looking at an almost 40-fold increase in size. For SPHINCS+ the smallest appears to be about 8KB — ie on its own it is double the maximum total size for cookie storage in a web browser, and that’s before base64-encoding. 

Given that the quantum threat for signatures is less pressing than it is for encryption (where you need to worry about collection happening now), maybe it might be worth waiting to see if the ongoing NIST process throws up some candidates that might be more suitable in a JOSE/COSE scenario? (I only have limited experience with COSE, but surely if anything these concerns are even more acute in that case?)

— Neil

On 12 Jan 2024, at 22:03, Orie Steele <orie@transmute.industries> wrote:


Hello Post Quantum Enthusiasts,

We apologize for allowing the drafts to expire, that has now been corrected.

We've published new versions and done a tooling migration to the COSE WG GitHub repository:

https://github.com/cose-wg/draft-ietf-cose-dilithium" rel="nofollow">https://github.com/cose-wg/draft-ietf-cose-dilithium
https://github.com/cose-wg/draft-ietf-cose-sphincs-plus" rel="nofollow">https://github.com/cose-wg/draft-ietf-cose-sphincs-plus

Here is a quick summary of what changed, but of course you can see the full diff in the datatracker.

1. We adjusted the names to reflect FIPS.204 (IPD) and FIPS.205 (IPD)
2. We removed extraneous text on the details of the algorithms, which is better covered in the references noted above.
3. We provided skeletons for examples

We are seeking implementations of ML-DSA and SLH-DSA in order to update the examples sections, with closer to real world data.

We have opted not to migrate Falcon, the parameter sets for sphincs will probably keep us busy for a while.

I'd like to take this opportunity to complain a bit about this part of the FIPS 205 IPD:

" This standard approves 12 parameter sets for use with SLH-DSA. "

I feel this is a mistake, and wonder if there is any opportunity to reduce this to something less than 4x the number defined by ML-DSA.

Even if NIST preserves all 12, we don't have to register all 12 in draft-ietf-cose-sphincs-plus.

... I really don't want to have to generate 12 key pairs and signature examples, especially because a single key pair with the required line breaks is likely to be longer than the entire draft.

Of course, we will do whatever the working group thinks is correct here... what should we do?

Regards,

OS

--


ORIE STEELE
Chief Technology Officer
www.transmute.industries

https://transmute.industries" target="_blank" rel="nofollow">https://ci3.googleusercontent.com/mail-sig/AIorK4xqtkj5psM1dDeDes_mjSsF3ylbEa5EMEQmnz3602cucAIhjLaHod-eVJq0E28BwrivrNSBMBc">

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email