[jose] Re: Algorithm identifiers for ML-KEM and ML-DSA
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 20 August 2024 19:06 UTC
On Tue, Aug 20, 2024 at 02:26:00PM -0400, Phillip Hallam-Baker wrote:
>
> I am looking for guidance on algorithm identifiers for ML-KEM and ML-DSA, I
> understand that the drafts are not yet final. But I need to push code that
> has PQC roots embedded before that is going to happen and would like to
> follow as close as possible to what the final choices are going to be.

If not using registered values, JOSE recommends using Collision-Resistant
Names. Examples include URLs, OIDs and UUIDs.

For ML-KEM keys, use "kty":"OKP" with new crv values (three in total).
For algorithms, one needs to patch ECDH-ES/ECDH-ES+A256KW a bit to use
a KEM instead of ECDH. The three operations JOSE does with ECDH-ES turn
out to exactly correspond to the three standard KEM ops!

For ML-DSA keys, things are less clear. The ML-DSA and SLH-DSA drafts
define two new key types. However, the algorithms are in the same
cryptographic algorithm family (distinct from any current family), so
should use the same key type.

Then there is the issue that both ML-DSA and SLH-DSA support
pre-hashing. Things would be much simpler if one could just ignore
that.

> Since I need to ship before the specs are final, I will probably use:
>
> MLKa1024
> MLDa87
>
> I see no need for other identifiers since I cannot imagine anyone who is so
> concerned about CRQC robustness as to use PQC not using the highest
> strength available at this point. Also, I want to stress test with the
> biggest payloads.

Those two are the only ones from ML-* approved for secret stuff (up to
Top Secret).

-Ilari
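
An added illustration, not part of the original message and not code from any JOSE draft: one reading of how the three ECDH-ES steps line up with KeyGen, Encaps and Decaps, followed by the Concat KDF that ECDH-ES direct mode uses (RFC 7518, section 4.6.2). The KEM is a toy finite-field stand-in (not ML-KEM, not secure), and the `alg` URL and the `kem_ct` header name are constructed placeholders.

```python
import base64, hashlib, json, secrets, struct

# Toy finite-field DH group used only as a stand-in KEM so this runs with the
# standard library. It is NOT ML-KEM and NOT secure; the interface is the point.
P, G = 2**255 - 19, 2

def kem_keygen():
    """KeyGen: what ECDH-ES calls generating the recipient's static key pair."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def kem_encaps(pk):
    """Encaps: ECDH-ES sender step (fresh ephemeral key + key agreement).
    The ephemeral public value plays the role of the KEM ciphertext."""
    esk = secrets.randbelow(P - 2) + 1
    return pow(G, esk, P).to_bytes(32, "big"), pow(pk, esk, P).to_bytes(32, "big")

def kem_decaps(sk, ct):
    """Decaps: ECDH-ES recipient step (agreement with the sender's value)."""
    return pow(int.from_bytes(ct, "big"), sk, P).to_bytes(32, "big")

def concat_kdf(z, alg_id, bits, apu=b"", apv=b""):
    """Concat KDF with SHA-256 as ECDH-ES uses it (RFC 7518, section 4.6.2)."""
    lp = lambda b: struct.pack(">I", len(b)) + b   # 32-bit length prefix
    other = lp(alg_id) + lp(apu) + lp(apv) + struct.pack(">I", bits)
    rounds = -(-bits // 256)                       # ceil(bits / 256)
    okm = b"".join(hashlib.sha256(struct.pack(">I", i) + z + other).digest()
                   for i in range(1, rounds + 1))
    return okm[:bits // 8]

# Constructed Collision-Resistant Name (a URL) for an unregistered algorithm.
ALG = "https://example.com/jose/alg/toy-kem-direct"

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sender_derive(recipient_pk, enc="A256GCM"):
    ct, z = kem_encaps(recipient_pk)
    # "kem_ct" is a hypothetical header name; ECDH-ES carries "epk" here.
    header = {"alg": ALG, "enc": enc, "kem_ct": b64u(ct)}
    return header, concat_kdf(z, enc.encode(), 256)  # direct mode: AlgorithmID = enc

def recipient_derive(sk, header):
    if header.get("alg") != ALG:   # accept only the exact expected name
        raise ValueError("unexpected alg")
    z = kem_decaps(sk, b64u_dec(header["kem_ct"]))
    return concat_kdf(z, header["enc"].encode(), 256)

if __name__ == "__main__":
    sk, pk = kem_keygen()
    hdr, cek = sender_derive(pk)
    print(json.dumps(hdr), cek == recipient_derive(sk, hdr))
```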