Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 11 March 2022 16:11 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAF7C3A011B for <cose@ietfa.amsl.com>; Fri, 11 Mar 2022 08:11:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wAvMxsFmX6aI for <cose@ietfa.amsl.com>; Fri, 11 Mar 2022 08:11:54 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3B103A00E4 for <cose@ietf.org>; Fri, 11 Mar 2022 08:11:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 3473CC3F41 for <cose@ietf.org>; Fri, 11 Mar 2022 18:11:50 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id 2p-5EPd4AW5e for <cose@ietf.org>; Fri, 11 Mar 2022 18:11:49 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id D5D212315 for <cose@ietf.org>; Fri, 11 Mar 2022 18:11:48 +0200 (EET)
Date: Fri, 11 Mar 2022 18:11:48 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cose@ietf.org" <cose@ietf.org>
Message-ID: <Yit0xOrYJSQXxkMy@LK-Perkele-VII2.locald>
References: <SA2PR00MB1002092057CE9580A4029532F50B9@SA2PR00MB1002.namprd00.prod.outlook.com> <CAGJKSNSVuvmsdy9PmUGW7_a2kGqvAxW0fv+hOqSKE6ZfeagSWw@mail.gmail.com> <Yio968v//v87+fTH@LK-Perkele-VII2.locald> <40bf177b-9ac4-f1ed-db05-a0e8636a9363@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <40bf177b-9ac4-f1ed-db05-a0e8636a9363@gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/vW953OKv0yot4ShL4n8SNuAgOy4>
Subject: Re: [COSE] draft-prorock-cose-post-quantum-signatures [Was: Re: Call for COSE Agenda Items for IETF 113 in Vienna]
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2022 16:11:59 -0000

On Fri, Mar 11, 2022 at 05:23:48AM +0100, Anders Rundgren wrote:
> Before deciding to overload "OKP" for a new crypto system, I would discuss the matter with maintainers of cryptographic libraries and APIs.
> 
> In the Java platform overloading the native counterparts to OKP keys
> [1,2] won't happen because that would break a lot.  I guess the same
> is valid for OpenSSL.

The way it is supposed to work is to use the raw key parts as key
material in underlying cryptographic implementation. Implementations
where that is not possible are just broken.

> It seems to me that reusing OKP would rather create an artificial
> "semantic gap" which doesn't exist today where "kty" indeed is
> synonymous with key type/family (RSA, EC, Ed etc):
> https://datatracker.ietf.org/doc/html/rfc7517#section-4.1

There are already two "subtypes" of OKP keys that are not
interchangeable:

- Key agreement keys.
- Signature keys.

NISTPQC signatures would fit into signature keys "subtype", but NISTPQC
KEMs will not fit into the key agreement keys "subtype", so that would
be a third "subtype" (all NISTPQC algorithms have OKP-style key format,
as this was required by NIST).


This is very different from RSA and EC2, where there are no subtypes,
and all keys are interchangeable.


Another place similar multi-subtype non-interchangeable keys are seen
is symmetric algorithms, as there are at least two "subtypes":

- AE(AD) Encryption keys.
- MAC keys.



-Ilari