Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 15 March 2022 18:57 UTC

Date: Tue, 15 Mar 2022 20:57:50 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cose@ietf.org" <cose@ietf.org>
Message-ID: <YjDhrsAIjM9zVZGS@LK-Perkele-VII2.locald>
References: <SA2PR00MB1002DE43864B01F70546A691F50F9@SA2PR00MB1002.namprd00.prod.outlook.com> <CAN8C-_Jo_-=Jpava0db6BgR4j_BEyZp_3hN6VEv7MJuBwCsPQA@mail.gmail.com> <3053B653-6F26-421F-8498-1002030F3CD8@alkaline-solutions.com> <CAN8C-_JA2fN2HYVjbOjKUBJhJybo0DcLBZJEDoQpMznVi7Pxng@mail.gmail.com> <CAGJKSNRWfK8T4+zk6mF80KUKyndjoKvTvJiUtzD1u9u8_rSecA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CAGJKSNRWfK8T4+zk6mF80KUKyndjoKvTvJiUtzD1u9u8_rSecA@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/dwP6gQ_pjvPRqQ1ppPuJFhe8gBc>
Subject: Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
Precedence: list

On Tue, Mar 15, 2022 at 11:16:34AM -0400, Mike Prorock wrote:
> Orie,
> I think other alternative would be:
> kty: PQL        // post quantum - lattice based
> alg: CRYDI3  // crystals dilithium, parameter set 3
> x: public
> d: private

"Lattice-based post quantum" is not a valid key type. It is not a single
key shape (unlike every kty currently defined). And it does not look to
be helpful even working around algorithm dispatch issues in
implementations, as, e.g., Dilithium and Kyber are both lattice post-
quantum algorithms, but wildly different.

If that kty is supposed to be octet-keypair for given alg, that would
be defensible (mixing algorithms for the same key is unsound), but the
name for that kty would not be PQL.

There is also actual security problem with this: Serious cryptographers
are very unconfortable with unhybridized post-quantum algorithms (with
exception of hash signatures) at the moment. Gaining confidence on such
things will take years at the very least.

> and
> kty: PQH       // post quantum - hash based
> alg: SP-SHAKE256-[n]-[w]-[h]-[d]-[k]-[t]  // SPHINCS+, shake256, parameter
> set as noted
> x: public
> d: private

One really should stay away from those parameters and use parameter
sets made by experts, as at least some of those parameters will
absolutely destroy security if set the wrong way.

And "Hash-based post quantum" is also not a valid key type.

-Ilari

[COSE] Call for COSE Agenda Items for IETF 113 in… Mike Jones
Re: [COSE] Call for COSE Agenda Items for IETF 11… Mike Jones
Re: [COSE] Call for COSE Agenda Items for IETF 11… Mike Jones
Re: [COSE] Call for COSE Agenda Items for IETF 11… Anders Rundgren
Re: [COSE] Call for COSE Agenda Items for IETF 11… Mike Prorock
Re: [COSE] Call for COSE Agenda Items for IETF 11… Hannes Tschofenig
[COSE] draft-prorock-cose-post-quantum-signatures… Ilari Liusvaara
Re: [COSE] draft-prorock-cose-post-quantum-signat… Anders Rundgren
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Prorock
Re: [COSE] draft-prorock-cose-post-quantum-signat… Russ Housley
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Jones
Re: [COSE] draft-prorock-cose-post-quantum-signat… Anders Rundgren
Re: [COSE] draft-prorock-cose-post-quantum-signat… Ilari Liusvaara
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Prorock
Re: [COSE] Call for COSE Agenda Items for IETF 11… Göran Selander
Re: [COSE] draft-prorock-cose-post-quantum-signat… Orie Steele
Re: [COSE] draft-prorock-cose-post-quantum-signat… Orie Steele
Re: [COSE] draft-prorock-cose-post-quantum-signat… Anders Rundgren
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Prorock
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Jones
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Prorock
Re: [COSE] draft-prorock-cose-post-quantum-signat… Ilari Liusvaara
Re: [COSE] draft-prorock-cose-post-quantum-signat… Ilari Liusvaara
Re: [COSE] draft-prorock-cose-post-quantum-signat… Rafael Misoczki
Re: [COSE] draft-prorock-cose-post-quantum-signat… John K
Re: [COSE] draft-prorock-cose-post-quantum-signat… Anders Rundgren
Re: [COSE] draft-prorock-cose-post-quantum-signat… Ilari Liusvaara
Re: [COSE] draft-prorock-cose-post-quantum-signat… Ilari Liusvaara
Re: [COSE] draft-prorock-cose-post-quantum-signat… Russ Housley
Re: [COSE] draft-prorock-cose-post-quantum-signat… Anders Rundgren
Re: [COSE] draft-prorock-cose-post-quantum-signat… Rafael Misoczki
Re: [COSE] draft-prorock-cose-post-quantum-signat… Russ Housley
Re: [COSE] draft-prorock-cose-post-quantum-signat… Anders Rundgren
Re: [COSE] draft-prorock-cose-post-quantum-signat… Ilari Liusvaara
Re: [COSE] draft-prorock-cose-post-quantum-signat… Russ Housley
Re: [COSE] draft-prorock-cose-post-quantum-signat… Orie Steele
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Jones
Re: [COSE] draft-prorock-cose-post-quantum-signat… Orie Steele
Re: [COSE] draft-prorock-cose-post-quantum-signat… Anders Rundgren
Re: [COSE] draft-prorock-cose-post-quantum-signat… David Waite
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Prorock
Re: [COSE] draft-prorock-cose-post-quantum-signat… Anders Rundgren
Re: [COSE] draft-prorock-cose-post-quantum-signat… Russ Housley
Re: [COSE] draft-prorock-cose-post-quantum-signat… Orie Steele
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Prorock
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Prorock
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Prorock
Re: [COSE] draft-prorock-cose-post-quantum-signat… Ilari Liusvaara
Re: [COSE] draft-prorock-cose-post-quantum-signat… Ilari Liusvaara
Re: [COSE] draft-prorock-cose-post-quantum-signat… Russ Housley
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Prorock
Re: [COSE] draft-prorock-cose-post-quantum-signat… Michael Richardson
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Jones
Re: [COSE] draft-prorock-cose-post-quantum-signat… Mike Jones