[jose] Re: Algorithm identifiers for ML-KEM and ML-DSA
Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 22 August 2024 20:46 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 993C2C14F6A1 for <jose@ietfa.amsl.com>; Thu, 22 Aug 2024 13:46:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i8iFEAafuhNr for <jose@ietfa.amsl.com>; Thu, 22 Aug 2024 13:46:48 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A6DDC14F61E for <jose@ietf.org>; Thu, 22 Aug 2024 13:46:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id EB1403FEB3 for <jose@ietf.org>; Thu, 22 Aug 2024 23:46:44 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id 9tykAbH8LpvR for <jose@ietf.org>; Thu, 22 Aug 2024 23:46:44 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 956CC2309 for <jose@ietf.org>; Thu, 22 Aug 2024 23:46:43 +0300 (EEST)
Date: Thu, 22 Aug 2024 23:46:43 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: jose@ietf.org
Message-ID: <Zsejs0ENsSuwzVhl@LK-Perkele-VII2.locald>
References: <CAMm+LwirtxesE0+4hwUOKgduoPbbqvbZ67qa-kZVSWmkW9GeEg@mail.gmail.com> <CAN8C-_KpyJAzcqiryS8qt_tdoS7z7SSJUCdjP9nX8Z2D7cm58g@mail.gmail.com> <ZsTvEMKx-NQpF1Aq@LK-Perkele-VII2.locald> <CAN8C-_L1kfuR=2TzESa8KZ3pbRd9DGUyXJsiYZe+dB_1USix5Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAN8C-_L1kfuR=2TzESa8KZ3pbRd9DGUyXJsiYZe+dB_1USix5Q@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: V6NJE4BN4CKTS3V5KRYLKDFP2CRMTM4E
X-Message-ID-Hash: V6NJE4BN4CKTS3V5KRYLKDFP2CRMTM4E
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: Algorithm identifiers for ML-KEM and ML-DSA
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/opD8KX-pKObA_xJ-ZUExdd13zgE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
On Tue, Aug 20, 2024 at 03:02:07PM -0500, Orie Steele wrote: > On Tue, Aug 20, 2024 at 2:31 PM Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > On Tue, Aug 20, 2024 at 01:48:41PM -0500, Orie Steele wrote: > > > > > > > > > Current ML-DSA proposal: > > > > > > > > https://datatracker.ietf.org/doc/html/draft-ietf-cose-dilithium-03#name-the-ml-dsa-algorithm-family > > > > As note, there is potential for some confusion in "ML-DSA Algorithm > > Family". > > > > JWK refers to "cryptographic algorithm family", but the meaning is > > rather different, being defined by kind of key used rather than any > > algorithmic similarity. ML-DSA belongs to much larger "cryptographic > > algorithm family", which includes things like SLH-DSA and FALCON. It > > would also include suitably defined pre-quantum algorithms. > > > > > The use of the term is intentionally aligned: > > https://datatracker.ietf.org/doc/html/rfc7517#section-4.1 > https://datatracker.ietf.org/doc/html/draft-ietf-cose-dilithium-03#name-the-ml-dsa-key-type > https://datatracker.ietf.org/doc/html/draft-ietf-cose-dilithium-03#appendix-A.1.1 I think the wording in RFC7517 section 4.1 is really horrible. What "kty" is actually meant for is specifying what other parameters exist, and their types and meanings (e.g., from what registry, how does this map to cryptographic algorithm input?) With legacy stuff like RSA or generic ECC, this does indeed map into sets of related cryptographic algorithms, because the decomposed components vary among non-related algorithms (e.g., e makes sense in RSA, but not generic ECC, and vice versa for y). Modern stuff (e.g., X*, EdDSA, ML-KEM, ML-DSA, SLH-DSA) all use byte strings for keys (important advance!), leaving only how subtyping is done to affect key type. AFAICT, there are three sensible ways to subtype modern stuff: - By alg the key is for (currently no defined kty) - By JOSE registry of key subtypes (this is OKP). - By other registry of key subtypes, one kty per registry (currently there are none). (Then there is the stateful hash signatures that are special case because those don't have private keys in classical sense.) One can get hint of this by considering that all symmetric stuff uses "OCT", despite the wildly different algorithms (this does get annoying with keys that do not have alg). > I think you are arguing that "kty" : "ML-DSA" should be "kty: "PQK", so > that both ML-DSA and SLH-DSA can use the same kty, just with different > algorithms. No, I am arguing that all keys that are: - Subtyped using "alg" - Public key is byte string. - Private key is byte string. Should have the same kty regardless of if those are pre-quantum or post-quantum, what cryptographic algorithm is used, etc... This corresponds to the first part in "ways to subtype" above. Earlier I proposed name "AKP" (Algorithm Key Pair) for such key type. And really the only thing in JOSE such keys are suitable for is non- prehashed signatures. > ... see: > https://datatracker.ietf.org/doc/html/draft-ietf-cose-sphincs-plus-04#appendix-A.1.1 > ... and then we add some "crv" like property to tell ML-DSA and SLH-DSA > apart, like we do for kty OKP and kty EC... Similarly, all keys that are: - Subtyped from JOSE registry other than alg. - Public key is byte string. - Private key is byte string. Should have kty OKP regardless of if those are pre-quantum or post-quantum, what cryptographic algorithm is used, etc... This is the second part in "ways to subtype" above. (Earlier, there was proposed "HPKE" key type, that did not break the above rule because it subtypes using HPKE KEM registry, not JOSE registry. This is the third part of "ways to subtype" above.) -Ilari
- [jose] Algorithm identifiers for ML-KEM and ML-DSA Phillip Hallam-Baker
- [jose] Re: Algorithm identifiers for ML-KEM and M… Orie Steele
- [jose] Re: Algorithm identifiers for ML-KEM and M… Orie Steele
- [jose] Re: Algorithm identifiers for ML-KEM and M… Ilari Liusvaara
- [jose] Re: Algorithm identifiers for ML-KEM and M… Ilari Liusvaara
- [jose] Re: Algorithm identifiers for ML-KEM and M… Ilari Liusvaara
- [jose] Re: Algorithm identifiers for ML-KEM and M… Phillip Hallam-Baker
- [jose] Re: Algorithm identifiers for ML-KEM and M… Orie Steele
- [jose] Re: Algorithm identifiers for ML-KEM and M… Michael Prorock