[COSE] Re: [jose] Re: WGLC for draft-ietf-cose-dilithium

Neil Madden <neil.e.madden@gmail.com> Tue, 19 November 2024 19:33 UTC

To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
CC: Michael Jones <michael_b_jones@hotmail.com>, JOSE WG <jose@ietf.org>, cose@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/eA2KV31yXVmnF7PwFG4HnvyO5pc>

Thanks Brian, I wasn’t aware this was in WGLC. 

I doubt this will see much if any real-world use, because ML-DSA signatures are so enormous. But I have no objection to it being published.   

That said, the draft seems *very* underspecified. The definition of the AKP key type seems to just be by example. There’s no specification of what fields it contains or what format they take. Presumably the idea is that it has “pub” and “priv” fields that are arbitrary bytes (base64-encoded for JWK) and that beyond that the format is determined by the “alg” field, but the draft doesn’t say any of this. The examples are also truncated (without saying they are). 

It should then say exactly what “pub” and “priv” contain for ML-DSA at least! Are they X.509 or what? It appears that the “priv” field contains only the 32-byte seed, and that a library will need to call KeyGen_internal to convert that into an actual private key to pass to the sign procedure? (Which presumably, given the name, might not be exposed by crypto modules?)

Getting on to the actual signature algorithm, FIPS 204 says that signing takes a context string. What is this set to for JOSE/COSE?

What is the format of the signature? Presumably it’s the base64url-encoded output of the FIPS 204 signing process?

The test vectors should document what the various fields are (some appear to be hex, others base64), and maybe the step by step computations. I’m also not sure an all-zero private key, and reusing the same key for all algorithms, is necessarily a good way to generate test vectors. 

Are there really no independent security considerations? At the very least perhaps point out that the public keys and signatures are much larger than for any other algorithm currently specified. I’d have assumed that was a concern for COSE. 

I think at the current state of the draft I would not be confident that I could implement it and be sure of interoperating with anyone. 

— Neil

On 19 Nov 2024, at 18:14, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:

Sending to the JOSE list too in hopes of soliciting some informed review from folks in that WG. As the title suggests "ML-DSA for JOSE and COSE" is for JOSE as well as COSE.

On Tue, Nov 19, 2024 at 9:47 AM Michael Jones <michael_b_jones@hotmail.com> wrote:

Hi all,

This message starts the Working Group Last Call (WGLC) for https://www.ietf.org/archive/id/draft-ietf-cose-dilithium-04.html (ML-DSA for JOSE and COSE), as was discussed at IETF 121 in Dublin. The WGLC will run for two weeks, ending on Tuesday, December 3, 2024.

Please review and send any comments or feedback to the working group. Even if your feedback is “this is ready for publication”, please let us know.

Thank you,

-- Mike and Ivaylo, COSE Chairs
