[jose] COSE and JOSE Keys for Kyber
Orie Steele <orie@transmute.industries> Sun, 13 November 2022 21:00 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 933B5C14F727 for <jose@ietfa.amsl.com>; Sun, 13 Nov 2022 13:00:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZClDfbWj6-fu for <jose@ietfa.amsl.com>; Sun, 13 Nov 2022 13:00:19 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6621EC14CF17 for <jose@ietf.org>; Sun, 13 Nov 2022 13:00:19 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id 21so14667366edv.3 for <jose@ietf.org>; Sun, 13 Nov 2022 13:00:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=Nxtevp/V1YadpAqm8izGeXVDnUUychV/3R9CoSFE/Ok=; b=Vgg7w1d1/h7rM+SFBjr7wvVEzkO6SPqpq0rrAfbtDgWGy5CaRr54EwlNuAo/AvKUcr XmFF1M4A8I1qra4qrIG59+8WqWjJHevQqQGp54z1iJ+KmiRwIZFf2KHP/0ASdPxTxZ+X PgxVCNmqK+hfGZD8XbtI4ySYoisjmmpcHY+T+26vfxtnNRGsz+FweOqaeOORISVS/bHh gtVRIqE3jQg54wCT6sbPoeAb7R9fELiFj0IT34P91zx2kYd4RpGofWxuawimWhVXQXtp Q4DRGukLPctCEF+O7xVEtySFt5jIlYKZMqnFFizeMg+A7UaBrbnaJUgrStlC1yXsQqX5 ZI3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Nxtevp/V1YadpAqm8izGeXVDnUUychV/3R9CoSFE/Ok=; b=DieN6u9bdFj84MvduKgXp/yDVjr65MsSoAfSwB0+mzA9Uh0ydYd1sMh+H5Ln2bG5z1 A1Rd8gixvYkcD0AVRWcKXBd07O93Ygit5zR4URCBNmb+u5y1ev0GmsSQ64KExTqirQI5 GS9SaDltuY/ZsYnZoOgr+cEqSAh3d+X18SA20UvGOAgLLNxsqCj7CJFO3k2W0SvA6p+c H+TyB/XS0SvDbTQZo8O58mRhxhE/LaoURo+K2Sd2i9mqsTwGWcKqWhQu0diP7Pj8MCCA aRCxXEHbxPvRxWQtVX0jSMk3JrjpXuO7Nb9oUs18LVzT3dv3Exg3MHkJ1OAY/CPDoL+k zPhg==
X-Gm-Message-State: ANoB5pmXs1YH7KaiivDdoaD9la/G3lowpu9jQi2FBXDML2+4JUdfsIut hhxZWY0rtUty2WOrV3bwEt4BmVMK4UNutw0gNeQb1A==
X-Google-Smtp-Source: AA0mqf5sx3tbGWu6dsDoMClDC67acqIrKH+zFwfbx2vf3wKEubSIz2i7pL6PgI97aW9IG2irj2y4IjpGX552K/1jYAc=
X-Received: by 2002:aa7:cb0d:0:b0:463:ba10:9e2d with SMTP id s13-20020aa7cb0d000000b00463ba109e2dmr9022081edt.43.1668373217013; Sun, 13 Nov 2022 13:00:17 -0800 (PST)
MIME-Version: 1.0
From: Orie Steele <orie@transmute.industries>
Date: Sun, 13 Nov 2022 15:00:06 -0600
Message-ID: <CAN8C-_LVgq0j5YtFrrO-fWNNXvGSWohQ0874DV5qgfYT4FXT0Q@mail.gmail.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
Content-Type: multipart/alternative; boundary="000000000000f42d2305ed60687c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/u_X6p0_30FsEVn0MwOgJjcX6OOo>
Subject: [jose] COSE and JOSE Keys for Kyber
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2022 21:00:23 -0000
Friends, Mike O. and I have been discussing the need to represent Kyber keys in JOSE and COSE, especially as we prepare to consider their use with HPKE. Mike P. and I have previously shared a draft for presenting Dilithium, Falcon and Sphincs - https://datatracker.ietf.org/doc/draft-ietf-cose-post-quantum-signatures/ I reviewed the original registries established in: https://www.rfc-editor.org/rfc/rfc7518.html#section-7 I also reviewed the latest "kty" and "alg" registered in https://datatracker.ietf.org/doc/html/rfc8778 I'm going to stick to JOSE(ish) notation here, my goal is to get a clear answer on *"which values for `kty` and `alg` are relevant to kyber".* See the latest editor's draft for additional details: https://github.com/OR13/draft-steele-cose-kyber. First, let's start with what we have today: - https://www.iana.org/assignments/cose/cose.xhtml - https://www.iana.org/assignments/jose/jose.xhtml { kty: RSA, alg: PS384 / RSAES-OAEP w/ SHA-256} { kty: RSA, alg: RS384 / RSAES-OAEP w/ SHA-256} { kty: EC2, crv: P-256, alg: ES256 / ECDH-ES+A256KW } { kty: OKP, crv: Ed25519, alg: EdDSA } - https://www.rfc-editor.org/rfc/rfc8037#section-2 { kty: OKP, crv: Bls12381G1, alg: ??? } ... https://datatracker.ietf.org/doc/html/draft-ietf-cose-bls-key-representations-01#section-2.1.3 { kty: HSS-LMS, alg: HSS-LMS } { kty: WalnutDSA, alg: WalnutDSA } Observations: 1. Although `alg` is optional... It looks especially needed in some cases (RSA), and especially not needed in others (HSS-LMS, WalnutDSA) 2. We appear to have slowly started to encode "Purpose" in the key type (HSS-LMS / WalnutDSA) , which suggests that we are commiting to keeping `alg` optional forever, and also acknowledging that it is best to use a key for a single purpose. 3. It is possible to define a key and NOT define any algorithms for it... (see bls-key draft above). 4. OKP is reserved for Elliptic Curves only. 5. IANA Registries exist for Elliptic Curves but no other "families" such as lattices, stateful hash based schemes, or stateless hash based schemes... based on HSS-LMS not attempting to fix this, it seems we are ok not establishing new IANA registries for lattice or hash types. 6. Walnut encodes parameters as separate values in the key type, but not the algorithm name... similar to RSA... which seems like a step backwards to me. Here is a proposal for Kyber keys that aligns with the previous proposals and drafts for post quantum signatures: { kty: LWE, alg: CRYDI5 } { kty: LWE, alg: CRYDI3 } { kty: LWE, alg: CRYDI2 } { kty: NTRU, alg: FALCON1024 } { kty: NTRU, alg: FALCON512 } { kty: HASH, alg: SPHINCS+-SHAKE-256s-robust } { kty: LWE, alg: Kyber-1024 } { kty: LWE, alg: Kyber-768 } { kty: LWE, alg: Kyber-512 } Please focus your comments on establishing consensus for relevant values for `kty` and `alg`. Regards, OS -- *ORIE STEELE* Chief Technical Officer www.transmute.industries <https://www.transmute.industries>
- [jose] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Ilari Liusvaara
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Ilari Liusvaara
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Ilari Liusvaara
- Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber Mike Ounsworth
- Re: [jose] [COSE] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber Orie Steele
- Re: [jose] [EXTERNAL] COSE and JOSE Keys for Kyber Mike Ounsworth