IETF Logo Mail Archive

[jose] Re: Algorithm identifiers for ML-KEM and ML-DSA

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 20 August 2024 20:38 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72DA6C180B69 for <jose@ietfa.amsl.com>; Tue, 20 Aug 2024 13:38:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.641
X-Spam-Level:
X-Spam-Status: No, score=-1.641 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PXP0aT8i6twa for <jose@ietfa.amsl.com>; Tue, 20 Aug 2024 13:37:56 -0700 (PDT)
Received: from mail-oa1-f45.google.com (mail-oa1-f45.google.com [209.85.160.45]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57CBAC151092 for <jose@ietf.org>; Tue, 20 Aug 2024 13:37:56 -0700 (PDT)
Received: by mail-oa1-f45.google.com with SMTP id 586e51a60fabf-2689f749702so3318050fac.3 for <jose@ietf.org>; Tue, 20 Aug 2024 13:37:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724186275; x=1724791075; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jPx4ahefmAEFzFR+vEF6XkijmN7mEqyPNxQZDfPONCE=; b=DyezSbKcF4E4ZDSqRcq7dr5CCHueR9aMTftVn5m4LY0NsKaEJKn2yT/jM3BDmTzVSZ qHoH/hPkbtHGv3gHrBaELVdgJULz2seudm5r0j9fDAHNfoH97GXV6C0Jz/Bd39ZR3HYf BTZqtIwZYk+voSNuC5q81qljUwPbLcPwjkEmmZjaZ6WnptiWJA+Nd2M/9+5ElGEdrXoS ya8nKKo61PnCLWzShd1ArHftjyQXgCwzWocfdwpLYpm5ArKi1edWyl22OQdFyHEZVJ8f NDjhSIBjCS0N4VPoU1txItMnAbMYDzBWpA40MrrKyIXpECwW/gqXtRubRHFD5XFv8xVv k09g==
X-Gm-Message-State: AOJu0Yz77dO2amarkq27r1Eml7l9Xf9N3ivLk61s/Opa3i7gtAVfoRWV rD3/gg9pV/Vj3EZTqswr1rVtv6dzxpCdUrI+Axpk0SdvBGAj2Mx1J1Qk9Ckjb/zS2d/RtJnAkLV qcXDylfByx+oaNdTXhsbfO0LdfgxW96cl
X-Google-Smtp-Source: AGHT+IFF0pAUJOVJu43F4inX2i0b4s9/cHfKmbhT2g/qSAUe2bu/diAYT0t8VPUOHEFHBea/AjyQloQuKh1EczLf9KY=
X-Received: by 2002:a05:6870:b52a:b0:270:2321:634f with SMTP id 586e51a60fabf-2737ef1a907mr49023fac.18.1724186275159; Tue, 20 Aug 2024 13:37:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwirtxesE0+4hwUOKgduoPbbqvbZ67qa-kZVSWmkW9GeEg@mail.gmail.com> <CAN8C-_KpyJAzcqiryS8qt_tdoS7z7SSJUCdjP9nX8Z2D7cm58g@mail.gmail.com>
In-Reply-To: <CAN8C-_KpyJAzcqiryS8qt_tdoS7z7SSJUCdjP9nX8Z2D7cm58g@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 20 Aug 2024 16:37:44 -0400
Message-ID: <CAMm+LwjHnUVnc=xaA_u2DYXZQoAmNj2z+2b389cEhAibNCqSiQ@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Content-Type: multipart/alternative; boundary="00000000000075283206202366da"
Message-ID-Hash: R3PI3JYZHUERMEYCT5NQTCCMATRKXDS6
X-Message-ID-Hash: R3PI3JYZHUERMEYCT5NQTCCMATRKXDS6
X-MailFrom: hallam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: jose@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: Algorithm identifiers for ML-KEM and ML-DSA
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/c_3FeSrBnImRXMN7gwuB-05y-Ds>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

Oh... now I know why I didn't find them, I was searching for the KEM
identifiers assuming if one was defined, both would be.

I suggest we get a stick in the ground on ML-KEM-512 etc post haste, they
had better follow the same pattern.


Could not really care less what the identifiers are. They do make a (small)
difference for my application though.

Currently Mesh profiles are a svelte 1KB or so which is really not bad
given that they are the digital hook for a person's entire digital gestalt.
They contain three Ed448/X448 keys and an X448 signature and a few other
bits, not bad eh?

The X448 key is only used to sign delegations under that profile and the
fingerprint of that ky is the user's life long personal identifier. They
may acquire others in their life but the old one never expires and will
never signify anyone else.


OK so what happens when I add Dilithium? If I just switch to the new
algorithms, the profile increases in size 16x. Ugh... And I am not sure I
want PQC overhead on my IoT interactions.

So for the first release of my system, I am going to modify the profile so
that it specifies a list of root key fingerprints (i.e. 512 bit digest)

roots : [ { "ML-DSA-87", 23kjhdkl3ir...}, { "Ed448", so39ji3jnjf...},  ]

Then take the fingerprint over a canonicalized version of the above. So
adding PQC upgrade capability adds only 80 bytes to each device/user
profile in the binary encoding (the algorithm tag + 64 byte hash +
punctuation). So as I said, it does impact my application but not by enough
to make a difference. Either the profile is small enough to fit easily in a
UDP packet or it isn't.


On Tue, Aug 20, 2024 at 2:48 PM Orie Steele <orie@transmute.industries>
wrote:

> Hey PHB : )
>
> I'm only replying for ML-DSA / SLH-DSA, I'm not on the hook for ML-KEM.
>
> Thanks for trying to keep JWS small... even with massive PQ Signatures.
>
> Current JWS algorithms registry:
>
>
> https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
>
> Current ML-DSA proposal:
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-cose-dilithium-03#name-the-ml-dsa-algorithm-family
>
> The names were chosen to align with:
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-dilithium-certificates-04#section-2
>
> If you search either draft for "ML-DSA-44" you get an exact string match
> in both documents.
>
> I'm not in favor of changing the algorithm names, unless there is strong
> consensus to do so.
>
> I was hoping we might send the document to WGLC, and make some final
> adjustments to test vectors, as soon as a good non -ipd version emerges
> that I can use to generate examples.
>
> Can you live with the current algorithm names?
>
> Are you planning on shipping an implementation, that might be done in time
> to be added as an implementation report per:
> https://www.rfc-editor.org/rfc/rfc7942
>
> I'm happy to add your implementation to the draft if that's the case.
>
> Regards,
>
> OS
>
>
>
> On Tue, Aug 20, 2024 at 1:26 PM Phillip Hallam-Baker <
> phill@hallambaker.com> wrote:
>
>> All,
>>
>> I am looking for guidance on algorithm identifiers for ML-KEM and ML-DSA,
>> I understand that the drafts are not yet final. But I need to push code
>> that has PQC roots embedded before that is going to happen and would like
>> to follow as close as possible to what the final choices are going to be.
>>
>> I did try to look for this info but the work is spread thinly across many
>> forums...
>>
>> My preference is for fully specified algorithms with the strength
>> specified. I am also partial to longer rather than smaller identifiers but
>> that does not seem to be to the taste here. So my IDs would be
>>
>>
>> MLKEM512
>> MLKEM768
>> MLKEM1024
>> MLDSA44
>> MLDSA65
>> MLDSA87
>>
>> If we want to go denser:
>>
>> MLK512
>> MLK768
>> MLK1024
>> MLD44
>> MLD65
>> MLD87
>>
>> Actually, I like the second as they are more readable. I have been
>> reading a large number of tweets by an elderly person who types in all caps
>> online of late...
>>
>>
>> Since I need to ship before the specs are final, I will probably use:
>>
>> MLKa1024
>> MLDa87
>>
>> I see no need for other identifiers since I cannot imagine anyone who is
>> so concerned about CRQC robustness as to use PQC not using the highest
>> strength available at this point. Also, I want to stress test with the
>> biggest payloads.
>>
>> Signing every message with MLD87 turns out to have a very serious impact.
>> And not one I think I can justify for every application when a CRQC is
>> still at least a decade out. So the real goal at this point is to ensure
>> that if people start deploying the system and make use of it today, they
>> know they can transition seamlessly to a PQC version of everything in the
>> future.
>>
>> Turns out that costs only an extra 200 bytes or so in the user profiles!
>>
>> And before folk start whining about me mentioning my work on the Mesh,
>> the point of building a completely green field infrastructure is to test
>> out design approaches which we might attempt to retrofit to PKIX and SAML.
>>
>>
>> _______________________________________________
>> jose mailing list -- jose@ietf.org
>> To unsubscribe send an email to jose-leave@ietf.org
>>
>
>
> --
>
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
>
> <https://transmute.industries>
>

v2.31.3 | Report a Bug | By Email | System Status