Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 15 November 2022 14:29 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Orie Steele <orie@transmute.industries>, cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
CC: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: [EXTERNAL] COSE and JOSE Keys for Kyber
Thread-Index: AQHY96LzDZ25eovHNkumWuhDpOUKUK5ABVIw
Date: Tue, 15 Nov 2022 14:28:53 +0000
Message-ID: <CH0PR11MB5739F65FA2EC04B562A96EA69F049@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CAN8C-_LVgq0j5YtFrrO-fWNNXvGSWohQ0874DV5qgfYT4FXT0Q@mail.gmail.com>
In-Reply-To: <CAN8C-_LVgq0j5YtFrrO-fWNNXvGSWohQ0874DV5qgfYT4FXT0Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: JuOKZ46ypO4sQ1IIYlymQQNJNxi65XsKmaYHKbX5W7Z0SEH4oQwHfyb7BJnITPjUE8PlBtG0HDwMWRyiRXORTlGVwjUcDaUJFnsFJORBMSvY5q0uNhpNtyka9EoGRL5SCWxrPwgOtfkoT/kOI3hBYBYPM6AKph1hGJF8HQDCbI1xXOpFcBnVw9W7Rz2SwixjtLpk+Y3pKw8vONfdtdwlXyYShjHxyIlsfRy0iN8+xuu4FlV0yvvizYKqmFf5bks6p118IRh/IHhj1fert9Hq3DC4RbHE1Ai5fX1Z7dWPHY72hQRwavdR8nskOoOAxxE7dcIg4YvOcJ7HoWUHjdo1bgobgPRVQzsP5kc95XAXXdD223pE6qKr6YDv7l/zC6z2Af1o44l0sECeNPTrkUKMoN2Wq4D+/xU/EDeocHotF3ytcK8zMcWTAsW3l005xHKyivH+vz6VVg8XyHJq5MbO1y/JdSfwFtMyMO6wihrRUMaPMpyxssddbMIgdHLZEMnSXtFNayJC71M7svmKqaxTT+S64i0KP14opbMndCmL9n2zgxUCbbqE6d+ALhHY71U+CFzE2KMPOwh9zy/pwWdhdncXIAVaU5KQkeZW4Z9CPTxXygEdMneqACD+vmU9L+L0ZiK9HlX0Ut3qnEq56Pql/HsjkDWSR7QgpLmUH1KMyAV2QbZUKxoLH9I1LNogGqRvaXQuUoTXHekZHU1aP60kDOOBC0fLGH6+g33pQw/UHvzqgJjgkKbyV+P/yq4xOKyBdhzw6WAUSOrFmMiecW0HHSxEp2MHZ3kKQgVKcIYWDlv69aLexdf0onxB3NyaLKw6lI6gLukAzRFxZaOSWV/Df9iiCWSdbYz0jV6BZ0pkO23hKbVBv3ABB8eoAkC+FZx/6T5gnCjkPPZLpzt27VLFxg7mrKxpUXZWX8NjabG4bhCMPUMYvfNokyOgiX/n1GstM+asUWzxXpa0+RS722ZG7+NiRdQybc3Tm7Sitx9trpwjIgAz/QAhzjrPIrpl/y1JcnuP+Dl8TuBBip+FmHp3qDxtEP3aDu7RdCHbg8Zy7vFKEtez6P/8S4TAWe/GvRot78XkFnaLWqfOljGYtF/Atpv9mqrQ+5uh3XK3rARgPUb6xO/2VnngHKtg2azzirgauMTukvYXScuT5db0E38zn+rcLU2KQi3CaaUCmmoqPpgc2+1luMIa2zoFiqK+xtgxcimi0+JzGZYuZaNbjIJQTH4lpWmGoHQeB2ZNhXGE8r0DfLYoOz+T3p3pfunolTzFMcPNRfNjdD365vnQrgmQ0wqWptD6l2lBbZaaCXJxaxKNmcMxHeNWfELIiQ3AcsDxcLEerwQZLXREbBsYD9mUD5Sta3b2yhOD76yqFeqD40yoso06sTKENPKJQSXZwIWz52OMlVmdUPnjClyGanHuMxXQT7RBMQiiIy8lRb1xf7Zir3AknxJYts983Ztw1zEYAy8BqxO55wN4t6htUrF0p6VEcNRJqDGnWzNdM3Ujcl3IONW/JeaPKZQVlENkvWN7f6Q1SU2Cms6BWTg6T8o/Z/yIj5ZTOKWzwVUOpp9ie26ZVs+NrD1odT+wJZVCEWFl
Content-Type: multipart/related; boundary="_004_CH0PR11MB5739F65FA2EC04B562A96EA69F049CH0PR11MB5739namp_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a6f3694b-f16f-4dbe-e82e-08dac715b8c6
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Nov 2022 14:28:53.4474 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OSBN11Hz5V08o7eH2As5QTiAYVIE6ZPsUsVYOAVme/nQZDQIrpLqOoVXu405J8UKMSJvM8W7ob1eNCx7HzpCi2f7pPzfr+LUCwrwnm7kDKo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR11MB4847
X-Proofpoint-ORIG-GUID: 9hm72RVnPlb9m9-B-AtLLjhHnn2o2bYO
X-Proofpoint-GUID: 9hm72RVnPlb9m9-B-AtLLjhHnn2o2bYO
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-11-15_08,2022-11-15_03,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 phishscore=0 impostorscore=0 suspectscore=0 mlxlogscore=999 adultscore=0 lowpriorityscore=0 priorityscore=1501 spamscore=0 bulkscore=0 clxscore=1011 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000 definitions=main-2211150097
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/toDTvn4E_zl1Zm3d42zpVVr2UmM>
Subject: Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2022 14:29:06 -0000

Hi all,

I admit that I’m an outsider and don’t grok why you need a KTY and an ALG, but the naming proposed below seems odd to me.

I suppose you can group things into “LWE”, “NTRU”, “HASH”, but the various LWE schemes do not have interchangeable key types; a Dilithium3 key is a Dilithium3 key, you can’t use it with any other algorithm, even within the LWE family. So for anyone outside the PQC experts I think this is going to cause more confusion than help, ex.: people trying to use a Dilithium key with Kyber.encaps(), or whatever.

I also don’t love “CRYDI3”. Why not just “DI3”? I would vote for a naming convention of “2-letter + param set” (which Orie suggested in a private email)

FA512 / FA768 / FA1024 / DI3 / DI5 / KY768 / KY1024 / SP256

“SPHINCS+-SHAKE-256s-robust” seems obscene, especially if you’re only supporting one variant. Do “SP256” or “SP256sr”. Also, I’m not a deep SPHINCS+ expert, but the “-robust” is probably overkill for JOSE / COSE. I think Scott Fluhrer suggested that it’s even overkill for 30-year windows code-signing certs, do “-simple” and save yourself 1/2 the bandwidth.

---
Mike Ounsworth
Software Security Architect, Entrust

From: Orie Steele <orie@transmute.industries>
Sent: November 13, 2022 3:00 PM
To: cose <cose@ietf.org>; JOSE WG <jose@ietf.org>; Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: [EXTERNAL] COSE and JOSE Keys for Kyber

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________
Friends,

Mike O. and I have been discussing the need to represent Kyber keys in JOSE and COSE, especially as we prepare to consider their use with HPKE.

Mike P. and I have previously shared a draft for presenting Dilithium, Falcon and Sphincs - https://datatracker.ietf.org/doc/draft-ietf-cose-post-quantum-signatures/<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-cose-post-quantum-signatures/__;!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuIFXLOHms$>

I reviewed the original registries established in: https://www.rfc-editor.org/rfc/rfc7518.html#section-7<https://urldefense.com/v3/__https:/www.rfc-editor.org/rfc/rfc7518.html*section-7__;Iw!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuIkFE2gTI$>

I also reviewed the latest "kty" and "alg" registered in https://datatracker.ietf.org/doc/html/rfc8778<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc8778__;!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuIVxp-mn8$>

I'm going to stick to JOSE(ish) notation here, my goal is to get a clear answer on "which values for `kty` and `alg` are relevant to kyber".

See the latest editor's draft for additional details: https://github.com/OR13/draft-steele-cose-kyber<https://urldefense.com/v3/__https:/github.com/OR13/draft-steele-cose-kyber__;!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuIlrb1NBk$>.

First, let's start with what we have today:

- https://www.iana.org/assignments/cose/cose.xhtml<https://urldefense.com/v3/__https:/www.iana.org/assignments/cose/cose.xhtml__;!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuI7xRKz4s$>
- https://www.iana.org/assignments/jose/jose.xhtml<https://urldefense.com/v3/__https:/www.iana.org/assignments/jose/jose.xhtml__;!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuIHk5wYN0$>

{ kty: RSA, alg: PS384 / RSAES-OAEP w/ SHA-256}
{ kty: RSA, alg: RS384 / RSAES-OAEP w/ SHA-256}
{ kty: EC2, crv: P-256, alg: ES256 / ECDH-ES+A256KW }
{ kty: OKP, crv: Ed25519, alg: EdDSA } - https://www.rfc-editor.org/rfc/rfc8037#section-2<https://urldefense.com/v3/__https:/www.rfc-editor.org/rfc/rfc8037*section-2__;Iw!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuI1uryn64$>
{ kty: OKP, crv: Bls12381G1, alg: ??? } ... https://datatracker.ietf.org/doc/html/draft-ietf-cose-bls-key-representations-01#section-2.1.3<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-ietf-cose-bls-key-representations-01*section-2.1.3__;Iw!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuIQW72VRU$>
{ kty: HSS-LMS, alg: HSS-LMS }
{ kty: WalnutDSA, alg: WalnutDSA }

Observations:

1. Although `alg` is optional... It looks especially needed in some cases (RSA), and especially not needed in others (HSS-LMS, WalnutDSA)
2. We appear to have slowly started to encode "Purpose" in the key type (HSS-LMS / WalnutDSA) , which suggests that we are commiting to keeping `alg` optional forever, and also acknowledging that it is best to use a key for a single purpose.
3. It is possible to define a key and NOT define any algorithms for it... (see bls-key draft above).
4. OKP is reserved for Elliptic Curves only.
5. IANA Registries exist for Elliptic Curves but no other "families" such as lattices, stateful hash based schemes, or stateless hash based schemes... based on HSS-LMS not attempting to fix this, it seems we are ok not establishing new IANA registries for lattice or hash types.
6. Walnut encodes parameters as separate values in the key type, but not the algorithm name... similar to RSA... which seems like a step backwards to me.

Here is a proposal for Kyber keys that aligns with the previous proposals and drafts for post quantum signatures:

{ kty: LWE, alg: CRYDI5 }
{ kty: LWE, alg: CRYDI3 }
{ kty: LWE, alg: CRYDI2 }

{ kty: NTRU, alg: FALCON1024 }
{ kty: NTRU, alg: FALCON512 }

{ kty: HASH, alg: SPHINCS+-SHAKE-256s-robust }

{ kty: LWE, alg: Kyber-1024 }
{ kty: LWE, alg: Kyber-768 }
{ kty: LWE, alg: Kyber-512 }

Please focus your comments on establishing consensus for relevant values for `kty` and `alg`.

Regards,

OS



--
ORIE STEELE
Chief Technical Officer
www.transmute.industries<https://urldefense.com/v3/__http:/www.transmute.industries__;!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuIUR8efA4$>

[Image removed by sender.]<https://urldefense.com/v3/__https:/www.transmute.industries__;!!FJ-Y8qCqXTj2!fv6kERm44AJw2Rwx8nmq-c7of45L5FbTjlApg70kVdFzo551o2OaOMS0VfKWXe0n1I_43upzNBY1UhZ8UDuIup8-YOU$>
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

Attachment: ~WRD0001.jpg

[jose] COSE and JOSE Keys for Kyber Orie Steele
Re: [jose] [COSE] COSE and JOSE Keys for Kyber Ilari Liusvaara
Re: [jose] [COSE] COSE and JOSE Keys for Kyber Orie Steele
Re: [jose] [COSE] COSE and JOSE Keys for Kyber Ilari Liusvaara
Re: [jose] [COSE] COSE and JOSE Keys for Kyber Orie Steele
Re: [jose] [COSE] COSE and JOSE Keys for Kyber Ilari Liusvaara
Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber Mike Ounsworth
Re: [jose] [COSE] COSE and JOSE Keys for Kyber Orie Steele
Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber Orie Steele
Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber Mike Ounsworth

Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber

Attachment: ~WRD0001.jpg