IETF Logo Mail Archive

Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]

Rafael Misoczki <rafaelmisoczki@google.com> Thu, 10 March 2022 20:21 UTC

Return-Path: <rafaelmisoczki@google.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42A443A1BED for <cose@ietfa.amsl.com>; Thu, 10 Mar 2022 12:21:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.609
X-Spam-Level:
X-Spam-Status: No, score=-17.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THBiRJn2C41W for <cose@ietfa.amsl.com>; Thu, 10 Mar 2022 12:20:56 -0800 (PST)
Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E6763A1B9E for <cose@ietf.org>; Thu, 10 Mar 2022 12:20:56 -0800 (PST)
Received: by mail-yb1-xb2f.google.com with SMTP id w16so13089856ybi.12 for <cose@ietf.org>; Thu, 10 Mar 2022 12:20:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=f6Y3OGL1RltH4+weVPhUodQOvdQEnU/mW98vQrxob9g=; b=P/rcxiAEVKl+31fy0Dn2udrnjo2h2UdkTt3Hs3RbG6PdHtFgpVMhTon6i6VuUj7AEC Wm6nOeMW6s+HSdRPrcCjileZMFZx4itUu7uV5LmUZzRZ8Bmn3Vj7cWdx14gu/WulLoOa gW9wx1dHEvGv1HRO5y3LHq07QqglhFHM37hcB1GOz/AquPm4WSjQVtePaRzQFJHEeQ3h W7NdjAwUO3svQycz+OJvj1ggvyqhZrwrIOELOTm8qIYjqmChLREiMA4/cWYd9gQ48Jna 7ftXj6ci0BqITD52mwNcjOorMMnHDj6NnJlk+6O6tihJ0Zf5qFMr/hogYV5K4vaM94P0 5BoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f6Y3OGL1RltH4+weVPhUodQOvdQEnU/mW98vQrxob9g=; b=knCMsKOlROGW5Mdks8CHVeuHPhK0ckGh8aQFvrC3ofPHgmrZ+nUuNb8vguinR62Xzf UvLbVEbzQSgRLgjzYA4Zh7zz/FfGDEwoZFMSVpu4BENfHB7iAzYL7i+RHhStWW6XjECF 7WDMsAcQb9Y30XnHh4wd6vDm+W9Hw5diIR6SB/kXfv8SPnqTjXqy/rrYTUcACpRpGKHK Dh39AlqhYjWTMQl9b6G8YG2KdkuSpe1MXIw6rwEyVeASZjtn5oojE42pJrWADQC/O9xV Bkfxo1M0JkZBbbu/gE8WP2LdHB4+OS5MHNtfujISJs1nLZIpP+V8Tr3EOxUg85nNXQDO Fm/g==
X-Gm-Message-State: AOAM533XSSMj1unDPCUSz/31Q+ZJ8tdCqsixRCoNBxgO4DBKUDlTFxo4 fJiG9ohVQ2Xcbqw1Ier21MnqHrMeLenf3MVKySUieV/cOe2rfg==
X-Google-Smtp-Source: ABdhPJxwChnX8rDBE14pNM30Ui+1yT64dN3Rk5a9DYS23Z9qeueVzug+6AI+9ZNDI1egRWztYMBSDHXrrgV/DfE+NJs=
X-Received: by 2002:a05:6902:51:b0:61e:1a26:3243 with SMTP id m17-20020a056902005100b0061e1a263243mr5205797ybh.57.1646943654856; Thu, 10 Mar 2022 12:20:54 -0800 (PST)
MIME-Version: 1.0
References: <SA2PR00MB1002C64FDF9A7CF14E95D135F50B9@SA2PR00MB1002.namprd00.prod.outlook.com> <a730ecbe-bbc5-2df1-ec60-a43353507b93@gmail.com> <CAGJKSNSY5WdXXRrE-GBi7zgsy69ea8MhPsc0P4X7tNB4=JDRtw@mail.gmail.com> <CAN8C-_+6ydynEFqiKvK2ONw9cwDxDX0F8xBXm4x6awvNfHOnkw@mail.gmail.com> <91bb290a-b109-ae35-6188-44568e44197c@gmail.com> <Yio8lfPQ/fHuxU6f@LK-Perkele-VII2.locald>
In-Reply-To: <Yio8lfPQ/fHuxU6f@LK-Perkele-VII2.locald>
From: Rafael Misoczki <rafaelmisoczki@google.com>
Date: Thu, 10 Mar 2022 15:20:43 -0500
Message-ID: <CAHrM0e_HOecDRc4CtXsovrQYoj10XVe7aE7fsw4Jg817A00NrQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cose@ietf.org, Mike Prorock <mprorock@mesur.io>, Orie <orie@transmute.industries>
Content-Type: multipart/alternative; boundary="00000000000083e20b05d9e2f32b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/h_UZ6nAUMgQscKQIuIZteGLMctY>
Subject: Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2022 20:21:04 -0000

I'm not quite familiar with kty's and OKP's yet (sorry, I hope to ramp up
soon) but from a pure crypto perspective, here are my two cents:

History has shown that anytime we left room for ambiguity in terms of the
primitive being used, we saw some sort of downgrade attacks in the wild.
See for example this attack
<https://www.youtube.com/watch?v=CiH6iqjWpt8&t=1428s> where AES-GCM is
replaced by the weaker AES-CBC, thus being exploited as an efficient
padding oracle.

For PQC, things are even trickier because most of them employ several
cryptographic building blocks. The choice for these building blocks has
critical security implications, so I won't consider them "equivalent".  For
example, SPHINCS+ using SHA256 or the more efficient Haraka are secure but
I won't be so sure if some other (second pre-image vulnerable) hash
function is plugged in.

Again, I'm not very familiar with all the nuances for the kty's design but
being as specific as possible may have some security benefits.




On Thu, Mar 10, 2022 at 1:00 PM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Thu, Mar 10, 2022 at 04:56:55PM +0100, Anders Rundgren wrote:
> > Hi Orie,
> >
> > TL;DR
> >
> > This is my interpretation of how things presumably were intended to
> > work:
> >
> > Each "kty" represents a family of related key algorithms.
>
> No, each "kty" represents a key format. Each key format may or may not
> have multiple key types.
>
> For example, OKP is the key format with octet string private and public
> keys. It explicitly has nothing to more to do with elliptic curves than
> that initial key types all happened to be based on elliptic cuves.
>
> > Each signature "alg" represents a specific signature algorithm that
> > is compatible with exactly one "kty" family but not necessarily with
> > all of its members.  For ECDH which is polymorphic things gets a
> > little bit more fuzzy since it involves multiple "kty" families.
>
> Each alg is compatible with key types it is compatible with. That might
> include some key types of some key format (happens especially with OKP)
> or it might include entiere key formats (happens especially with EC2),
> or both at once.
>
> That might turn out to be bit problematic if, e.g., some joker defines
> some coordinate-swapped Edwards curve as EC2. Those things work just
> fine for ECDH. Attempting to perform ECDSA technically works, but breaks
> ECDSA specification.
>
> > Since "kty" is a top-level item you should (IMO...) be free to define
> > within reason :) whatever sub-level items that matches the algorithm
> > specification.  The bottom line is that it must be easy to figure out
> > which specific key- and signature-algorithms that were used,
> > preferably supporting table-driven designs as well.
>
> It goes the other way around: Once one has a new key type, one goes to
> see if it has existing key format, or if one should define a new key
> format for it.
>
> > However, the existing "kty" definitions should (for not breaking
> > existing software) be regarded as frozen even if EC keys indeed can
> > be used both for ECDH and ECDSA (but the use-cases for that are few
> > if any).
>
> Not being able to introduce new key types would for example imply that
> new elliptic curves can not be added.
>
> > If there are strong arguments for not using the same key with multiple
> > signature algorithms (assuming it is actually technically feasible as
> > well), the most robust solution would be to define signature and key
> > algorithms as pairs using the same identifier, but not under the same
> > label since "alg" already is reserved for use in "kty"s.  You could
> > also just say that "alg" in a "kty" is RECOMMENDED.  A problem here
> > is that this scheme does not necessarily work at the crypto API level
> > and then it becomes useless.  If this problem is for real, I would
> > talk to the algorithms designers to get their view on this as well.
> > This is obviously history in the making :)
>
> In general,  using the same key with multiple signature algoritihms is
> not cryptographically kosher. In fact, RSA-PKCS#1v1.5 is one of the rare
> exceptions (it has encoded message level indication of hash algorithm
> used).
>
> It depends on algorithm if trying to use mismatching key and algorithm
> is guranteed to blow up as implementation is faced trying to do the
> impossible (e.g., trying to mismatch dilithium2 and dilithium3),  or if
> it is just omittable implementation checks that prevent some
> key/algorithm pair from working (e.g. trying to mismatch ES384 and
> P-256 curve).
>
>
> However, there is no "key says what alg this actually is" alg value in
> COSE and JOSE. However, in current HTTP signatures work, there is such
> value (omitted alg means exactly that).
>
>
>
> -Ilari
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>

v2.8.7 | Report a Bug | By Email