Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
Orie Steele <orie@transmute.industries> Mon, 14 March 2022 15:20 UTC
From: Orie Steele <orie@transmute.industries>
Date: Mon, 14 Mar 2022 10:19:57 -0500
Message-ID: <CAN8C-_Ljys5HR8svMeWDog8=hi-5EgNjFFPtRq7CbcLqiZjNVQ@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, "cose@ietf.org" <cose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/m5qUKKBjuesA9eKtb2jW076Ao0I>
Refocusing on the "kty": "OKP" vs "PQK" issue. As I understand it, "alg" is optional even when "kty": "OKP"... so a main reason to choose "kty": "PQK" would be to say that "alg" is now required... If we think overloading "OKP" would cause harm, we should make the new "kty" bring more to the table, such as mandating the presence of "alg". I expect we will be marking "alg" values as forbidden (when they become unadvisable), and not marking whole "kty" families as forbidden in the future... having the "alg" be required in "kty" "PQK" seems like it provides a better security posture in that context, but eager to hear from others.

Regards,

OS

On Sun, Mar 13, 2022 at 11:39 AM Russ Housley <housley@vigilsec.com> wrote:

> > On Mar 12, 2022, at 4:59 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> >
> > On Fri, Mar 11, 2022 at 03:34:08PM -0500, Russ Housley wrote:
> >>
> >>> On Mar 11, 2022, at 11:11 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> >>>
> >>> NISTPQC signatures would fit into signature keys "subtype", but NISTPQC
> >>> KEMs will not fit into the key agreement keys "subtype", so that would
> >>> be a third "subtype" (all NISTPQC algorithms have OKP-style key format,
> >>> as this was required by NIST).
> >>
> >> Right. It makes sense to add support for KEM. We can figure that out
> >> without waiting for NIST to announce Round 3 winners. We can do the
> >> work based on RFC 5990.
> >
> > One idea how (modelled on ECDH-ES, as operation of KEMs is very similar
> > to ECDH-ES):
> >
> > - Add new alg values KEM+{A{128,192,256}KW,HKDF-{256,512}}, mirroring
> >   the ECDH-ES ones.
> > - Add new header algorithm parameter "encapsulated ciphertext"
> >   (bstr) that carries the KEM ciphertext.
> > - Sender procedure:
> >   - Select the public key to encrypt to.
> >   - Apply the KEM encapsulate operation to the public key.
> >   - Use the encapsulate secret output as input for key derivation, just
> >     like in ECDH-ES.
> >   - Write the encapsulate ciphertext output into the "encapsulated
> >     ciphertext" header algorithm parameter.
> > - Receiver procedure:
> >   - Retrieve the private key to use.
> >   - Read the ciphertext input from the "encapsulated ciphertext" header
> >     algorithm parameter.
> >   - Apply the KEM decapsulate operation to the private key and the
> >     ciphertext. If decapsulate fails, fail.
> >   - Use the decapsulate secret output as input for key derivation, just
> >     like in ECDH-ES.
> >
> > A word of caution: Although it might seem that the "encapsulated
> > ciphertext" header can be reused for HPKE, there is a subtle issue:
> > This mechanism can not trivially support compressing the ciphertext. So
> > reusing it would require HPKE to define compact NIST curves, so COSE
> > could just forget about key compression.
>
> If you are talking about ECC Point Compression, I agree that COSE should
> ignore it. For a very long time, the patent kept many implementations from
> supporting it. Now that patent has expired, but the engineering effort to
> add support for ECC Point Compression is significant, and everyone will
> have to be prepared to encounter implementations that are not yet prepared
> to handle compression. The savings of 32 bytes does not seem worth the
> transition pain.
>
> Russ
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose

--
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries <https://www.transmute.industries>
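An added example (not from this thread or any COSE implementation) that walks through the sender and receiver procedures Ilari sketches above in the direct-derivation form (a KEM+HKDF-256 analogue of ECDH-ES+HKDF-256), and applies at the receiver the rule Orie argues for: a "PQK" key must carry "alg", and the message is only processed with that algorithm. To run on the Python standard library the KEM is a toy Diffie-Hellman KEM over a small prime, a stand-in for a NIST PQC KEM and not secure; the "PQK" kty value, the KEM+HKDF-256 alg value, the PQK key parameter labels and the "encapsulated ciphertext" header label are unregistered placeholders, and the HKDF info is a simplified stand-in for the CBOR COSE_KDF_Context structure.

```python
import hashlib
import hmac
import secrets

# ---- Toy KEM: Diffie-Hellman KEM over a small prime.  Stand-in for a
# ---- NIST PQC KEM so the example runs on the standard library; NOT secure.
P = (1 << 127) - 1   # toy modulus (Mersenne prime); group elements fit in 16 bytes
G = 2

def kem_keygen():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def _kem_secret(shared, ct, pk):
    # Bind the shared secret to ciphertext and public key (as DHKEM does)
    h = hashlib.sha256()
    for v in (shared, ct, pk):
        h.update(v.to_bytes(16, "big"))
    return h.digest()

def kem_encapsulate(pk):
    e = secrets.randbelow(P - 3) + 2
    ct = pow(G, e, P)
    return ct, _kem_secret(pow(pk, e, P), ct, pk)

def kem_decapsulate(sk, ct):
    # Reject ciphertexts outside the group: "If decapsulate fails, fail."
    if not 1 < ct < P - 1:
        raise ValueError("KEM decapsulation failed")
    return _kem_secret(pow(ct, sk, P), ct, pow(G, sk, P))

# ---- HKDF-SHA256 (RFC 5869), the KDF behind a KEM+HKDF-256 alg
def hkdf_sha256(ikm, salt, info, length):
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]

# ---- COSE labels.  kty/alg labels are the registered ones (RFC 9052);
# ---- everything marked "placeholder" has no registered value.
KEY_KTY, KEY_ALG = 1, 3        # COSE_Key labels for kty and alg
KEY_PUB, KEY_PRIV = -1, -4     # placeholder PQK key parameters (OKP-style layout)
HDR_ALG = 1                    # header label for alg
KTY_PQK = -65537               # placeholder kty value
ALG_KEM_HKDF_256 = -65538      # placeholder alg value
HDR_ENCAPSULATED_CT = -65539   # placeholder "encapsulated ciphertext" label

def make_pqk_keypair():
    sk, pk = kem_keygen()
    public = {KEY_KTY: KTY_PQK, KEY_ALG: ALG_KEM_HKDF_256, KEY_PUB: pk}
    return public, {**public, KEY_PRIV: sk}

def check_recipient_key(key, header_alg):
    """A PQK key MUST carry "alg", and it must be the alg the message uses."""
    if key.get(KEY_KTY) != KTY_PQK:
        raise ValueError("not a PQK key")
    if KEY_ALG not in key:
        raise ValueError('"alg" is required for kty PQK')
    if key[KEY_ALG] != header_alg:
        raise ValueError("header alg does not match key alg")

def kdf_context(alg, cek_len):
    # Simplified stand-in for the CBOR-encoded COSE_KDF_Context structure
    return (b"COSE_KDF_Context" + alg.to_bytes(8, "big", signed=True)
            + (8 * cek_len).to_bytes(4, "big"))

def sender(recipient_pub, cek_len=16):
    check_recipient_key(recipient_pub, recipient_pub.get(KEY_ALG))
    ct, ss = kem_encapsulate(recipient_pub[KEY_PUB])          # encapsulate
    protected = {HDR_ALG: recipient_pub[KEY_ALG]}
    unprotected = {HDR_ENCAPSULATED_CT: ct.to_bytes(16, "big")}  # write ciphertext
    cek = hkdf_sha256(ss, b"", kdf_context(protected[HDR_ALG], cek_len), cek_len)
    return protected, unprotected, cek

def receiver(recipient_priv, protected, unprotected, cek_len=16):
    check_recipient_key(recipient_priv, protected[HDR_ALG])
    ct = int.from_bytes(unprotected[HDR_ENCAPSULATED_CT], "big")  # read ciphertext
    ss = kem_decapsulate(recipient_priv[KEY_PRIV], ct)            # decapsulate
    return hkdf_sha256(ss, b"", kdf_context(protected[HDR_ALG], cek_len), cek_len)

if __name__ == "__main__":
    pub, priv = make_pqk_keypair()
    prot, unprot, cek = sender(pub)
    assert receiver(priv, prot, unprot) == cek
    print("both sides derived the same CEK:", cek.hex())
```

The receiver binds the protected header's alg to the key's own alg before decapsulating, which is the practical payoff of making "alg" mandatory on the key: a message cannot steer a PQK key into an algorithm its owner never assigned to it. Swapping the toy KEM for a real one changes only `kem_keygen`, `kem_encapsulate` and `kem_decapsulate`; the header handling and derivation stay the same.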