Re: [jose] [COSE] Consensus on cryptographic agility in modern COSE & JOSE
AJITOMI Daisuke <ajitomi@gmail.com> Sun, 26 March 2023 13:49 UTC
Return-Path: <ajitomi@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58C7AC14CF1F; Sun, 26 Mar 2023 06:49:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xq6sj1GIIRVO; Sun, 26 Mar 2023 06:49:39 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D983C14F721; Sun, 26 Mar 2023 06:49:39 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id i7so7426741ybt.0; Sun, 26 Mar 2023 06:49:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1679838578; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=f93GUxmqkOazP7kpd7E7IA436cmIOPgnhlZNk51JgF8=; b=Tod3+LlFkTZD0zvcMXfxNG6egZfLgW44G4VaKf6pZQmf8v6lGBlNVhjzLzC3g/asBN XJRUNSvXysUqr6Sl6QzSRijEdWJBI9SpZy0Tur4sKoBwlfbZMj08Dh4ZATMjWp4ZY6Fp y0QY8yWvyXrg2Bf5kXW+9iTKd0FiW4nTMlK1eOPbdeS2ujvMF0fioiODoUcC3hi4oeyR 23agwhUrFPB3GdxETd7PnDH2pZplvhfiR5t0EqNvnXE4cXr/f+0F26f6ZScGIId+CgcS jb6zGNYCBw7w1SCTbciuJyDHgEHsjI4WbMGHDeQ7w9dtXNCln5+Mfsq4BjElaQ5otPQt OqLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679838578; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=f93GUxmqkOazP7kpd7E7IA436cmIOPgnhlZNk51JgF8=; b=m/+vx1fk54Z3aZZgHy/n4JU5+g0xt4SdwSqMMSfVpdX8CIBKyuB+4u+JbxKcjIo1IC DWeeXAjwZ+tacuf3CwY9zv+0JKjDAW+HuIobH/WEvKHoBqB2Fl+vwEWAPhh2wjZSFm1y q5ajdglKpQ4JehHXqkHuzToHFdZACX+neyOvzIIUcgr3KkC+1rZ1SS8IpucoDw/nFv+n WdZoaXzUBXmibtlDoZwiQBhhC/MDx6U/dikBSRcCI7rnSoaFcxlv8g3cBbuJkcHktq0t Y7b10Floeq2C5LxHXyxgxtzh2ukz6G7cprtoiQ7dVHV9FG/h0ggHmElOOVhvP8pZRSwB kXrA==
X-Gm-Message-State: AAQBX9fvzq71AxZYgfMoZn5rRGHx6uulN11zmmZVo4Z5/pDzrwsniJRF 0YEU6lIRQplZKTvsg+EKzABCLUn854oQcDJIUpM/RE0b8KQb
X-Google-Smtp-Source: AKy350avrQvugDLtqKfTA8jFl1yUwJrvEbol/xMZJkhANEsPkoXStrPsrFkTn5mJe86prk5JYujCBq2cWBwIXoO6iHo=
X-Received: by 2002:a25:688a:0:b0:b46:c5aa:86ef with SMTP id d132-20020a25688a000000b00b46c5aa86efmr3954552ybc.12.1679838578214; Sun, 26 Mar 2023 06:49:38 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_KqEbX10mE=3sNWAJoWUkb8OSG9mDJ82XNaZHBwKNtrYg@mail.gmail.com> <ZCAVE4Wh23lc92kn@LK-Perkele-VII2.locald>
In-Reply-To: <ZCAVE4Wh23lc92kn@LK-Perkele-VII2.locald>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Sun, 26 Mar 2023 22:49:28 +0900
Message-ID: <CAFWvErXg2wxRnZEj-OU6X8rhxK3XDh24UzX33YtM1vP_hubTCw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bc0c8605f7cde504"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/3Y0NtkAx0rBwavq4DwlAaMQHNTg>
Subject: Re: [jose] [COSE] Consensus on cryptographic agility in modern COSE & JOSE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2023 13:49:43 -0000
Hi Orie, Thank you for raising the issue. Taking Ilari's post into account, I would like to take some time to reconsider my proposal and your raised issue. Best, AJITOMI Daisuke 2023年3月26日(日) 18:49 Ilari Liusvaara <ilariliusvaara@welho.com>: > On Sun, Mar 26, 2023 at 07:33:10AM +0900, Orie Steele wrote: > > > Should post quantum keys use "the old way" or "the new way" or > > "both / it depends" ? > > It depends. > > This may sound very anticlimatic, but key types need to be designed > around needs of algorithms, such as: > > a) How are the keys used in COSE / JOSE? Are there multiple uses unified > by some larger family, or only a single use? > b) Is there only a single alg that makes sense with each individual key, > or are there multiple? > c) Are there no parameters, a small set of possible parameter sets, or > more complex parametrization? Is there already registry for possible > parameters? > d) What are the components of private/secret/public key and what are the > types of those components? > e) What hints would be useful (extra info to improve interop, but not > absolutely required for things to work)? > > > Designing key types without knowing how the keys are actually used in > COSE / JOSE is fraught with danger. It is very easy to make a subtle > mistake that ruins the design, but isn't discovered until it is too > late. > > > Let's analyze a number of different things around those axis: > > 1) RSA: > > a) There are multiple different uses, unified around RSA. > b) Multiple. > c) There are no parameters. > d) There are 2 or 7 positive integer components in private key > (depending on if CRT speedup is used or not) and 2 positive integer > components in public key. All the components are potentially large > numbers. > e) There are no hints. > > The RSA key type in COSE / JOSE is designed along these lines. > > > 2) Short-Weierstrass ECC: > > a) There are multiple different uses, unified around ECC. > b) Multiple. > c) There is more compicated parametrization, but only a small set > of parameters in common use. No existing registry. > d) There is one positive integer component in private key, and 2 > nonnegative integer components in public key. > e) There are no hints. > > The EC/EC2 key type in COSE / JOSE is designed along these lines. > > > 3) HSS-LMS: > > a) There is single use, as signature. > b) Single. > c) There is small set of possible parameters. There is already a > registry. > d) Private keys are not representable. Public keys are one byte string > component. > e) There are no hints. > > The HSS-LMS key type in COSE is designed along these lines. > > > 4) X25519/X448: > > a) There is single use, as DH function. > b) Multiple. > c) There are no parameters, > d) Private and public keys are both one byte string component. > e) There are no hints. > > The OKP kty in COSE / JOSE is designed for this type of thing > (b through e) > > > 5) EdDSA: > > a) There is single use, as signature. > b) Single. > c) There is small set of parameters. There is no existing registry. > d) Private and public keys are both one byte string component. > e) There are no hints. > > COSE / JOSE also throw these to OKP, but the design could have been > very different. > > > 6) Kyber: > > a) There is single use, as KEM. > b) Multiple. > c) There is small set of parameters. There is no existing registry. > d) Private and public keys are both one byte string component. > e) There are no hints. > > This is still a great match to what OKP was designed for. However, in > COSE this is likely unnecressary, as PQ HPKE should appear soon. In > JOSE, likely needed, because combining JOSE and HPKE turns out to be > Hard (while the Kyber in JOSE seems straightforward extension of > ECDH-ES). > > > 7) Dilithium, Falcon and Sphincs+: > > a) There is single use, as signature. > b) Single. > c) There is small set of parameters. There is no existing registry. > d) Private and public keys are both one byte string component. > e) There are no hints. > > The answers to questions are identical to EdDSA! The very different > design mentioned in EdDSA is actually what is employed by the COSE / > JOSE PQ signature drafts (split to three ktys with horrible naming). > > > 8) HPKE: > > a) There is single use, as asymmetric encryption. > b) Single in COSE, the JOSE case seems Too Hard. > c) More complex parametrization: A single integer, picked from existing > registry. In some cases, reprurposing other keys is possible. > d) Private and public keys are both one byte string component. > e) Supported KDF and AEAD. In case of converted keys, supported KEM. > > In case of converted keys, this adds common key parameters for the > hints. In case of dedicated keys, this would argue for design like: > > kty: HPKE > kem: uint > priv: bstr (private keys only) > pub: bstr > > Plus common key parameters for KDF / AEAD hints. > > > As for the HPKE JOSE case being too hard, I have come to conclusion that > I don't have any idea on how to integrate HPKE into JOSE in any sort of > even remotely clean manner. Thus, I have given up working on it, at > least until somebody comes up with a breakthrough. > > > > Commenting on the keys from various drafts: > > - PQ signatures work: > > The kty naming is horrible, but otherwise looks good. There is a > decision on if to have one or three kty's. > > > - Kyber: > > OKP can't be used that way. However, if "lat" was replaced by "crv" > (looks odd, but works as intended), it would look good. > > > - HPKE: > > The JOSE case is fraught with danger because it is not clear how HPKE > would be used in JOSE, and if that would need to be reflected in the > key format. > > The COSE case is clear. The current draft has issue where it > mishandles KEM in both dedicated and converted key cases: > > * In dedicated key case, KEM is key subtype, and should not be grouped > together with hints (KDF/AEAD). > * In converted key case, KEM is also a hint, like KDF and AEAD. It can > have mulitple values. > > > > > > -Ilari > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose >
- [jose] Consensus on cryptographic agility in mode… Orie Steele
- Re: [jose] [COSE] Consensus on cryptographic agil… Laurence Lundblade
- Re: [jose] Consensus on cryptographic agility in … Ilari Liusvaara
- Re: [jose] [COSE] Consensus on cryptographic agil… AJITOMI Daisuke
- Re: [jose] [COSE] Consensus on cryptographic agil… Manu Sporny
- Re: [jose] [COSE] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [jose] [COSE] Consensus on cryptographic agil… AJITOMI Daisuke
- Re: [jose] [COSE] Consensus on cryptographic agil… Manu Sporny
- Re: [jose] [COSE] Consensus on cryptographic agil… Manu Sporny
- Re: [jose] [COSE] Consensus on cryptographic agil… Orie Steele
- Re: [jose] [COSE] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [jose] [COSE] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [jose] [COSE] Consensus on cryptographic agil… Tobias Looker