IETF Logo Mail Archive

Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]

Russ Housley <housley@vigilsec.com> Tue, 15 March 2022 19:27 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2DB33A170F for <cose@ietfa.amsl.com>; Tue, 15 Mar 2022 12:27:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kmPqijlgLq_4 for <cose@ietfa.amsl.com>; Tue, 15 Mar 2022 12:27:38 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 559003A170E for <cose@ietf.org>; Tue, 15 Mar 2022 12:27:38 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id BDCA4159D89; Tue, 15 Mar 2022 15:27:35 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id B05C615987C; Tue, 15 Mar 2022 15:27:35 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <YjDhrsAIjM9zVZGS@LK-Perkele-VII2.locald>
Date: Tue, 15 Mar 2022 15:27:35 -0400
Cc: "cose@ietf.org" <cose@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9032B380-BD85-4D47-82AB-0C0CAC68DB80@vigilsec.com>
References: <SA2PR00MB1002DE43864B01F70546A691F50F9@SA2PR00MB1002.namprd00.prod.outlook.com> <CAN8C-_Jo_-=Jpava0db6BgR4j_BEyZp_3hN6VEv7MJuBwCsPQA@mail.gmail.com> <3053B653-6F26-421F-8498-1002030F3CD8@alkaline-solutions.com> <CAN8C-_JA2fN2HYVjbOjKUBJhJybo0DcLBZJEDoQpMznVi7Pxng@mail.gmail.com> <CAGJKSNRWfK8T4+zk6mF80KUKyndjoKvTvJiUtzD1u9u8_rSecA@mail.gmail.com> <YjDhrsAIjM9zVZGS@LK-Perkele-VII2.locald>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/kX3340OdOZh718TlZRkGmgUYzU4>
Subject: Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2022 19:27:43 -0000


> On Mar 15, 2022, at 2:57 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> 
> On Tue, Mar 15, 2022 at 11:16:34AM -0400, Mike Prorock wrote:
>> Orie,
>> I think other alternative would be:
>> kty: PQL        // post quantum - lattice based
>> alg: CRYDI3  // crystals dilithium, parameter set 3
>> x: public
>> d: private
> 
> "Lattice-based post quantum" is not a valid key type. It is not a single
> key shape (unlike every kty currently defined). And it does not look to
> be helpful even working around algorithm dispatch issues in
> implementations, as, e.g., Dilithium and Kyber are both lattice post-
> quantum algorithms, but wildly different.
> 
> If that kty is supposed to be octet-keypair for given alg, that would
> be defensible (mixing algorithms for the same key is unsound), but the
> name for that kty would not be PQL.
> 
> There is also actual security problem with this: Serious cryptographers
> are very unconfortable with unhybridized post-quantum algorithms (with
> exception of hash signatures) at the moment. Gaining confidence on such
> things will take years at the very least.

Agree.  I am hoping that the key structure is invisible at the COSE level.  It is just an octet string at this level, but the crypto code knows about any internal structure, but not the COSE library.

>> and
>> kty: PQH       // post quantum - hash based
>> alg: SP-SHAKE256-[n]-[w]-[h]-[d]-[k]-[t]  // SPHINCS+, shake256, parameter
>> set as noted
>> x: public
>> d: private
> 
> One really should stay away from those parameters and use parameter
> sets made by experts, as at least some of those parameters will
> absolutely destroy security if set the wrong way.
> 
> And "Hash-based post quantum" is also not a valid key type.

I think the intent is to ony register the alg strings that represent a set of parameters that are intended to be used together, not allow arbitrary values.

Russ

v2.8.7 | Report a Bug | By Email