[jose] Re: Algorithm identifiers for ML-KEM and ML-DSA

Orie Steele <orie@transmute.industries> Tue, 20 August 2024 18:48 UTC

References: <CAMm+LwirtxesE0+4hwUOKgduoPbbqvbZ67qa-kZVSWmkW9GeEg@mail.gmail.com>
In-Reply-To: <CAMm+LwirtxesE0+4hwUOKgduoPbbqvbZ67qa-kZVSWmkW9GeEg@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Tue, 20 Aug 2024 13:48:41 -0500
Message-ID: <CAN8C-_KpyJAzcqiryS8qt_tdoS7z7SSJUCdjP9nX8Z2D7cm58g@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
CC: jose@ietf.org
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/z80mgugWEL5oj3tvd05QPDFff_Y>

Hey PHB : )

I'm only replying for ML-DSA / SLH-DSA, I'm not on the hook for ML-KEM.

Thanks for trying to keep JWS small... even with massive PQ Signatures.

Current JWS algorithms registry:

https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms

Current ML-DSA proposal:

https://datatracker.ietf.org/doc/html/draft-ietf-cose-dilithium-03#name-the-ml-dsa-algorithm-family

The names were chosen to align with:

https://datatracker.ietf.org/doc/html/draft-ietf-lamps-dilithium-certificates-04#section-2

If you search either draft for "ML-DSA-44" you get an exact string match in
both documents.

I'm not in favor of changing the algorithm names, unless there is strong
consensus to do so.

I was hoping we might send the document to WGLC, and make some final
adjustments to test vectors, as soon as a good non-ipd version emerges
that I can use to generate examples.

Can you live with the current algorithm names?

Are you planning on shipping an implementation that might be done in time
to be added as an implementation report per:
https://www.rfc-editor.org/rfc/rfc7942

I'm happy to add your implementation to the draft if that's the case.

Regards,

OS



On Tue, Aug 20, 2024 at 1:26 PM Phillip Hallam-Baker <phill@hallambaker.com>
wrote:

> All,
>
> I am looking for guidance on algorithm identifiers for ML-KEM and ML-DSA,
> I understand that the drafts are not yet final. But I need to push code
> that has PQC roots embedded before that is going to happen and would like
> to follow as close as possible to what the final choices are going to be.
>
> I did try to look for this info but the work is spread thinly across many
> forums...
>
> My preference is for fully specified algorithms with the strength
> specified. I am also partial to longer rather than smaller identifiers but
> that does not seem to be to the taste here. So my IDs would be
>
>
> MLKEM512
> MLKEM768
> MLKEM1024
> MLDSA44
> MLDSA65
> MLDSA87
>
> If we want to go denser:
>
> MLK512
> MLK768
> MLK1024
> MLD44
> MLD65
> MLD87
>
> Actually, I like the second as they are more readable. I have been reading
> a large number of tweets by an elderly person who types in all caps online
> of late...
>
>
> Since I need to ship before the specs are final, I will probably use:
>
> MLKa1024
> MLDa87
>
> I see no need for other identifiers since I cannot imagine anyone who is
> so concerned about CRQC robustness as to use PQC not using the highest
> strength available at this point. Also, I want to stress test with the
> biggest payloads.
>
> Signing every message with MLD87 turns out to have a very serious impact.
> And not one I think I can justify for every application when a CRQC is
> still at least a decade out. So the real goal at this point is to ensure
> that if people start deploying the system and make use of it today, they
> know they can transition seamlessly to a PQC version of everything in the
> future.
>
> Turns out that costs only an extra 200 bytes or so in the user profiles!
>
> And before folk start whining about me mentioning my work on the Mesh, the
> point of building a completely green field infrastructure is to test out
> design approaches which we might attempt to retrofit to PKIX and SAML.
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>
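As an added illustration (not code from this thread or from either draft), a Python pre-check a JWS verifier can run before the expensive ML-DSA verify: it accepts only the exact registered "alg" strings the reply cites, so the shorter spellings proposed in the quoted message fail closed rather than being mapped by guesswork, checks the signature segment against the FIPS 204 signature size for the declared parameter set, and computes the compact-serialization size behind the ML-DSA-87 payload concern. Signature sizes are from FIPS 204; the sample JWS inputs are constructed with zero-filled dummy signatures and never pass a real verify.

```python
import base64
import json

# Registered ML-DSA "alg" values from draft-ietf-cose-dilithium (the names the
# reply cites, aligned with the LAMPS draft), mapped to the FIPS 204 signature
# size in bytes for each parameter set.
ML_DSA_SIG_BYTES = {
    "ML-DSA-44": 2420,
    "ML-DSA-65": 3309,
    "ML-DSA-87": 4627,
}

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact form."""
    if any(c in segment for c in "+/="):
        raise ValueError("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def precheck_ml_dsa_jws(compact: str) -> str:
    """Cheap checks before the ML-DSA verify; returns the registered alg name.

    Only the exact registered strings are accepted (case-sensitive), so
    variants such as 'MLDSA87' or 'MLD87' are rejected, and the signature
    segment must decode to exactly the size FIPS 204 fixes for that set.
    """
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    alg = json.loads(b64url_decode(parts[0])).get("alg")
    if alg not in ML_DSA_SIG_BYTES:
        raise ValueError(f"unsupported alg: {alg!r}")
    sig_len = len(b64url_decode(parts[2]))
    if sig_len != ML_DSA_SIG_BYTES[alg]:
        raise ValueError(f"{alg} signature must be {ML_DSA_SIG_BYTES[alg]} bytes, got {sig_len}")
    return alg

def compact_jws_length(alg: str, payload_len: int) -> int:
    """Total characters of a compact JWS carrying a payload of payload_len bytes.

    The signature is a constructed zero-filled dummy: only its encoded length
    matters here, not its contents.
    """
    header = json.dumps({"alg": alg}, separators=(",", ":")).encode()
    sig = b"\x00" * ML_DSA_SIG_BYTES[alg]
    payload = b"\x00" * payload_len
    return sum(len(b64url_encode(x)) for x in (header, payload, sig)) + 2
```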