IETF Logo Mail Archive

Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]

Russ Housley <housley@vigilsec.com> Sun, 13 March 2022 16:39 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FB213A0BD3 for <cose@ietfa.amsl.com>; Sun, 13 Mar 2022 09:39:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oEDhEd0YQ9VY for <cose@ietfa.amsl.com>; Sun, 13 Mar 2022 09:39:28 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D5CB3A0E17 for <cose@ietf.org>; Sun, 13 Mar 2022 09:39:28 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 41A6EC12B8; Sun, 13 Mar 2022 12:39:25 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 3635BC178B; Sun, 13 Mar 2022 12:39:25 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <Yixu5IXZKAmNjH7g@LK-Perkele-VII2.locald>
Date: Sun, 13 Mar 2022 12:39:24 -0400
Cc: "cose@ietf.org" <cose@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B9AF36AE-DA33-4FAE-B270-21D68CCFD228@vigilsec.com>
References: <SA2PR00MB1002092057CE9580A4029532F50B9@SA2PR00MB1002.namprd00.prod.outlook.com> <CAGJKSNSVuvmsdy9PmUGW7_a2kGqvAxW0fv+hOqSKE6ZfeagSWw@mail.gmail.com> <Yio968v//v87+fTH@LK-Perkele-VII2.locald> <40bf177b-9ac4-f1ed-db05-a0e8636a9363@gmail.com> <Yit0xOrYJSQXxkMy@LK-Perkele-VII2.locald> <F677F35E-8C9B-4FD6-901A-CBEEC36E7E8A@vigilsec.com> <Yixu5IXZKAmNjH7g@LK-Perkele-VII2.locald>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/sfmKtqYjWDRVRlkKfGPqmWw9UdI>
Subject: Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Mar 2022 16:39:33 -0000


> On Mar 12, 2022, at 4:59 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> 
> On Fri, Mar 11, 2022 at 03:34:08PM -0500, Russ Housley wrote:
>> 
>> 
>>> On Mar 11, 2022, at 11:11 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>>> 
>>> NISTPQC signatures would fit into signature keys "subtype", but NISTPQC
>>> KEMs will not fit into the key agreement keys "subtype", so that would
>>> be a third "subtype" (all NISTPQC algorithms have OKP-style key format,
>>> as this was required by NIST).
>> 
>> Right.  It makes sense to add support for KEM.  We can figure that out
>> without waiting for NIST to announce Round 3 winners.  We can do the
>> work based on RFC 5990.
> 
> One idea how (modelled on ECDH-ES, as operation of KEMs is very similar
> to ECDH-ES):
> 
> - Add new alg values KEM+{A{128,192,256}KW,HKDF-{256,512}}, mirroring
>  the ECDH-ES ones.
> - Add new new header algorithm parameter "encapsulated ciphertext"
>  (bstr) that carries the KEM ciphertext.
> - Sender procedure:
>  - Select the public key to encrypt to.
>  - Apply the KEM encapsulate operation to the public key.
>  - Use the encapsulate secret output as input for key derivation, just
>    like in ECDH-ES.
>  - Write the encapsulate ciphertext output into the "encapsulated
>    ciphertext" header algorithm parameter.
> - Receiver procedure:
>  - Retretive the private key to use.
>  - Read the ciphertext input from the "encapsulated ciphertext" header
>    algorithm parameter.
>  - Apply the KEM decapsulate operation to the private key and the
>    ciphertext. If decapsulate fails, fail.
>  - Use the decapsulate secret output as input for key derivation,  just
>    like in ECDH-ES.
> 
> 
> A word of cauntion: Altough it might seem that the "encapsulated
> ciphertext" header can be reused for HPKE, there is a subtle issue:
> This mechanism can not trivially support compressing the ciphertext. So
> reusing it would require HPKE to define compact NIST curves, so COSE
> could just forget about key compression.

If you are talking about ECC Point Compression, I agree that COSE should ignore it.  For a very long time, the patent kept many implementations from supporting it.  Now that patent has expired, but the engineering effort to add support for ECC Point Compression is significant, and everyone will have to be prepared to encounter implementations that are not yet prepared to handle compression.  The savings of 32 bytes does not seem worth the transition pain.

Russ

v2.8.7 | Report a Bug | By Email