IETF Logo Mail Archive

Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]

Mike Prorock <mprorock@mesur.io> Tue, 15 March 2022 15:38 UTC

Return-Path: <mprorock@mesur.io>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1C963A1588 for <cose@ietfa.amsl.com>; Tue, 15 Mar 2022 08:38:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mesur-io.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S59quAHZoQYc for <cose@ietfa.amsl.com>; Tue, 15 Mar 2022 08:38:01 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6A713A03EC for <cose@ietf.org>; Tue, 15 Mar 2022 08:38:01 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id j128so21211512vsc.9 for <cose@ietf.org>; Tue, 15 Mar 2022 08:38:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mesur-io.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SGytbX8JfXPrekNBrpmNxTSpGQWlT4giyo7u06mTqIM=; b=oxoOE/loBG8cUpbWaHZ4Cb0p1MUaZw34lEaTLXB08jpOqVycNIAYlWX3Je6U9tIYV7 GRIzU+AQI/uqbKbA7fxfUTr1KkCImGz993VCjOiulYmjIEi+J1pdjz+qKWvRhWnManpM n2ekwZSMoJ58+lKtTpx0jX1q3PsBWOJthOhshZWodHfQ8s4P1TK8cwuqKhVu7xfqdtF1 GbupMJ4g3QMuRv4EzDkUA5hux57+JusIn3N1AA5nUr+JP/hv29SzJ5A9cOZmA+6tF1ob sJSjJ3IHRL9+p9SRhPaNhygIMZfKqiVLYT+WeHO5G/7rnu3HugsErr3WrdZWecbfgmSl m69A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SGytbX8JfXPrekNBrpmNxTSpGQWlT4giyo7u06mTqIM=; b=MArqaRe8XAgnCKBVYQFr6/FatyzGKcAVtOrHpXXJT2v2uQv0F3qmKhjD8vURjAw4yn o1qOjdqJB7YD7rlwhHZXpxl0LqADcN5BMSxn//weganU4Y/FszIg8Ann83J8oKz54EwU p0ucodN5gJhiHDSzyG8kyYQQ8StfTf0/Ygl/cT5RPVlbO5n7sq32JVBzZRpt1ERL83FG oaVWXBbBJSGmXsJCHAyhfYR+iUhcBg9AGBkr0cjhcLZIM0IxDhrc0mDJiadUnMf0/TrD tj2sfqboaNib1s8547MSPX67cE7nbMcepQdkCi6Ay9vfHQxkLBjy+aIyVyig4inpUKjc DIxw==
X-Gm-Message-State: AOAM5338OCUao7YbMcMul7im7rLqYUnniDKjinUfTIryC5SNd0TOAsLy RaeJRMXvDYt5Z7VD+Hbnw1PrYF9YqajogPvd/b3w
X-Google-Smtp-Source: ABdhPJwYW6XXaXWzU0UqfhDYLgBq1MLFTJltBW3IiEpd1rAjdYgGnc7rQKqIrid0jhkI88qRhapOR5YzMntVpXegdaU=
X-Received: by 2002:a67:e909:0:b0:322:76b9:d7ad with SMTP id c9-20020a67e909000000b0032276b9d7admr12737732vso.60.1647358680317; Tue, 15 Mar 2022 08:38:00 -0700 (PDT)
MIME-Version: 1.0
References: <SA2PR00MB1002DE43864B01F70546A691F50F9@SA2PR00MB1002.namprd00.prod.outlook.com> <CAN8C-_Jo_-=Jpava0db6BgR4j_BEyZp_3hN6VEv7MJuBwCsPQA@mail.gmail.com> <3053B653-6F26-421F-8498-1002030F3CD8@alkaline-solutions.com> <CAN8C-_JA2fN2HYVjbOjKUBJhJybo0DcLBZJEDoQpMznVi7Pxng@mail.gmail.com> <CAGJKSNRWfK8T4+zk6mF80KUKyndjoKvTvJiUtzD1u9u8_rSecA@mail.gmail.com>
In-Reply-To: <CAGJKSNRWfK8T4+zk6mF80KUKyndjoKvTvJiUtzD1u9u8_rSecA@mail.gmail.com>
From: Mike Prorock <mprorock@mesur.io>
Date: Tue, 15 Mar 2022 11:37:49 -0400
Message-ID: <CAGJKSNSv4SAxn81BOAHStr7kEoQaBKUq234CzMkZ1BbNcSd_AA@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: David Waite <david@alkaline-solutions.com>, Mike Jones <Michael.Jones@microsoft.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, Russ Housley <housley@vigilsec.com>, "cose@ietf.org" <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f554ba05da439454"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/jzaSBCug3IkW6F1op36V0cg3OJQ>
Subject: Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2022 15:38:07 -0000

note, with sphincs+ we may wind up with a simplified set of alg definitions
based on known and tested configs, eg something like the following (based
on the reference implementation here: https://github.com/sphincs/sphincsplus
):

SPHINCS+-SHAKE256-128s
SPHINCS+-SHAKE256-128f
SPHINCS+-SHAKE256-192s
SPHINCS+-SHAKE256-192f
SPHINCS+-SHAKE256-256s
SPHINCS+-SHAKE256-256f

Mike Prorock
CTO, Founder
https://mesur.io/



On Tue, Mar 15, 2022 at 11:16 AM Mike Prorock <mprorock@mesur.io> wrote:

> Orie,
> I think other alternative would be:
> kty: PQL        // post quantum - lattice based
> alg: CRYDI3  // crystals dilithium, parameter set 3
> x: public
> d: private
>
> and
> kty: PQH       // post quantum - hash based
> alg: SP-SHAKE256-[n]-[w]-[h]-[d]-[k]-[t]  // SPHINCS+, shake256, parameter
> set as noted
> x: public
> d: private
>
> Mike Prorock
> CTO, Founder
> https://mesur.io/
>
>
>
> On Tue, Mar 15, 2022 at 10:32 AM Orie Steele <orie@transmute.industries>
> wrote:
>
>> The goal in registering new JWK and JWS compatible terms for the family
>> of post quantum crypto systems is to register only what is needed to
>> identify the key and the signature.
>>
>> We are not trying to add any additional parameters, in the abstract, we
>> want to convey "key type", "public key" and "private key", while following
>> the conventions that came before us.
>>
>> So far, we think the OKP style Ed25519 keys are the model to follow, here
>> is a reminder:
>>
>>       "kty": "OKP",
>>       "crv": "Ed25519",
>>       "x": "3ygWe2mas7ZvquJ2E_aNh3wJEcLPsHp_8r0UXoyhBwQ",
>>       "d": "EKCZgwCYoasDC61z5aWR6LqvPbpxWPKFY1PexeW5WSw"
>>
>> https://www.rfc-editor.org/rfc/rfc8037.html#section-2 (reminder that crv
>> is required... so sadly it seems we will need a new key type).
>>
>> this would mean something like this:
>>
>> kty: PQK
>> pset: CRYD3 // handled like "crv" was for kty: OKP, with a new value for
>> every new key type from lattice, hash or isogeny based systems
>> alg: CRYD3 // optional
>> x: pub
>> d: priv
>>
>> another alternative would be:
>>
>> kty: CRYD3 // with a new value for every new key type from lattice, hash
>> or isogeny based systems
>> alg: CRYD3 // optional
>> x: pub
>> d: priv
>>
>> OS
>>
>>
>> On Tue, Mar 15, 2022 at 1:48 AM David Waite <david@alkaline-solutions.com>
>> wrote:
>>
>>>
>>>
>>> On Mar 14, 2022, at 2:19 PM, Orie Steele <orie@transmute.industries>
>>> wrote:
>>>
>>> <snip>
>>>
>>> So for a dilithium example:
>>>
>>> kty: PQK (required)
>>> pset: CRYD3 (required)
>>> x: ... (required)
>>> alg: CRYD3 (optional)
>>>
>>>
>>> Would you expect additional parameters (say “s1” and “s2”) for private
>>> keys?
>>>
>>> Is X consistent within a parameter set, or is there variability (such as
>>> the algorithm to generate the matrix from a seed value, or the option to
>>> include a full matrix)
>>>
>>> Obviously JWK thumbprint will need to be aware of all required fields,
>>> and will need to drop all optional fields in order to be useful.
>>>
>>>
>>> And if those rules aren’t generic and simple, it is possible we have
>>> rolled multiple key types into one “kty”. The “EC” key type allowed just
>>> “X” coordinates for other curves, but my interpretation is that “OKP” was
>>> still created because the public value for Edwards curves was defined with
>>> a different packed binary format.
>>>
>>> I posit it is better to have experimental key types for experimental key
>>> formats, vs the potential for a complex set of key forms in future
>>> production deployments. That is not to say that I have an informed opinion
>>> on stability of any proposal.
>>>
>>> If we don't define something like "pset" and we don't make "alg"
>>> required for "kty:PQK"... the only optional will be to explode based on
>>> mismatched keys / signatures... unless I am missing something... we have
>>> the same problem with P-256 keys today... when "alg" is not present, you
>>> can't tell if the key is for "signing" or "key agreement"... which means
>>> that any JWE / JWS can target that key, and the key representation won't
>>> catch what the key was intended for... unless "alg" and "use" are
>>> present... which nobody can rely on, because they are marked optional.
>>>
>>>
>>> Parameter set seems appropriate, as long as it is the term of art for
>>> the category of key type, and (for a given parameter set name) is in a
>>> non-extensible format.
>>>
>>> WRT the usage of “alg” - there can be multiple algorithms that leverage
>>> the same underlying key object, which means a subtype is a different level
>>> of restrictiveness/specificity than specifying an algorithm. A single
>>> instantiated key of a subtype can be used with multiple algorithms (“RS”
>>> and “PS” families), and a single algorithm can be used with multiple key
>>> subtypes - such as “ECDH-ES” and “EdDSA”.
>>>
>>> This would make the subtype of a key and its algorithmic usage
>>> restrictions orthogonal.
>>>
>>> Take a look at:
>>> https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-set-properties
>>>
>>> Notice that they include "alg" and "use"... if both are optional, why
>>> include them in such an example?
>>>
>>>
>>> FWIW I think making "alg" required is the best thing to do for new key
>>> types moving forward (it addresses future ambiguity / explicit over
>>> implicit makes me feel safer).
>>>
>>>
>>> The “alg” and “use” parameters are restrictions on key object usage,
>>> rather than specifying the key object cryptographic properties themselves.
>>> IMHO, one needs an underlying PKI or just blanket immutability which
>>> restricts a party from changing such parameters over time for them to have
>>> value.
>>>
>>> Historically these have not been “self asserted”, but rather asserted by
>>> an authority in a PKI system who has made an integrity protected statement
>>> about the key (e.g. a public certificate). In this case they may not be
>>> self-imposed restrictions, but restrictions by the trust broker, such as
>>> “they can’t act as a sub-CA” or “check here to see if the authority marked
>>> this key as revoked”.
>>>
>>> Likewise, key usage restrictions are systems-specific. An example would
>>> be key operations (also specified in the JWK RFC, distinct from “use”).
>>> Verification relationships in decentralized identifier documents are
>>> arguably another example of operational restrictions, albeit in a graph
>>> rather than a simple broker hierarchy.
>>>
>>> -DW
>>>
>>
>>
>> --
>> *ORIE STEELE*
>> Chief Technical Officer
>> www.transmute.industries
>>
>> <https://www.transmute.industries>
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose
>>
>

v2.8.7 | Report a Bug | By Email