Re: [Secdispatch] [EXTERNAL]Re: Can Composite sigs move back to LAMPS?

"Markku-Juhani O. Saarinen" <> Sun, 19 January 2020 19:22 UTC

In-Reply-To: <24181.1579453158@localhost>
From: "Markku-Juhani O. Saarinen" <>
Date: Sun, 19 Jan 2020 19:22:29 +0000
To: Michael Richardson <>
Cc: Eric Rescorla <>, IETF SecDispatch <>
Subject: Re: [Secdispatch] [EXTERNAL]Re: Can Composite sigs move back to LAMPS?

On Sun, Jan 19, 2020 at 4:59 PM Michael Richardson <> wrote:

> Eric Rescorla <> wrote:
>     mcr> No, it involves two sets of signatures.
>     mcr> The traditional set and the new, yet-to-be-precisely-defined set.
>     > Yes, but I had understood these to be encoded on the wire as if they
>     > were a new signature algorithm, with the result that such a
>     > certificate would not be verifiable by an existing client.
>     > Perhaps we should resolve this question first.
> I believe that one proposal was to define a new signature type:
>   RSA   -> F { RSA, PQ }
>   ECDSA -> G { ECDSA, PQ }
> and then, as you say, that would not interoperate at all.
> But, I think that another proposal is to introduce the additional
> signatures and related book-keeping as extensions, without disrupting
> the current signature mechanisms.


As was noted when this draft was introduced, that PQ-in-extension mechanism
is patented, and Isara has indicated to the IETF that it will not allow it to
be used royalty-free. See their IPR disclosure: That tech is out there in the
marketplace and will probably remain proprietary -- see e.g. DigiCert (

The theory was discussed in "Transitioning to a Quantum-Resistant Public
Key Infrastructure" (PQCrypto 2017, ), which is related to the OQS
implementation that works with OpenSSL and TLS.

There's also a separate Java implementation documented in "X.509-Compliant
Hybrid Certificates for the Post-Quantum Transition" ( ). However, the
Isara-supported qTesla algorithm discussed in that report has had some
problems, and I'm not sure of its current status ( Their customers are
happy if they have a hybrid fall-back, because it was already being shipped
out.

The OQS implementation currently seems to treat hybrid keys and signatures
simply as OCTET STRING blobs and assigns an arbitrary OID to each such
pair; I got 1.3.9999.2.2 for a p256_dilithium2 cert I just created. They
emphasize that this is research code and not for production; the OID is of
course not valid, and the key/signature format is not properly documented as
far as I know.

This kind of solution would require n*m OIDs -- perhaps this is manageable,
perhaps not -- the number of ciphersuites we used to have in TLS is an
indication that things may get out of hand, especially if we further
consider the different hash functions used for signatures. Anyway, the
additional ASN.1 structure bytes introduced by the draft would essentially
document the structure of such blobs and put them under a single OID or a
small number of OIDs. (Correct me if I'm wrong.)

It would seem that the question of which hash functions are used in
conjunction with the signature algorithms, and how to identify those, needs
to be figured out. It may be reasonable to use SHA3 in conjunction with the
classical RSA/ECC sigs here too?

Utimaco also has a commercial toolkit ( ), but I'm not 100% sure which one
they're using. It probably interoperates with the OQS kit at some level,
since they've worked with Microsoft to get Picnic (Microsoft's PQ signature
proposal) to work with it. This in turn is used e.g. with Microsoft's PQ VPN
( for details of cert generation, see

Sorry if I left someone out. There have been PQ X.509 trials for at least 5
years (strongSwan had BLISS in 2015 -- ), but no effort on serious interop
that I am aware of.

- markku

Dr. Markku-Juhani O. Saarinen <> PQShield, Oxford UK.
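The encoding difference discussed in the message above, as an added example that is not code from this thread, from OQS, or from the composite-sigs draft: on one side an opaque per-pair OCTET STRING blob under an arbitrary pair OID (the 1.3.9999.2.2 style Markku reports), on the other a SEQUENCE that names each component's AlgorithmIdentifier next to its BIT STRING so that one composite OID covers every pairing. Stdlib-only Python with a minimal DER encoder/decoder. The PQ component OID (1.3.9999.1.2), the sample signature bytes, the exact SEQUENCE shape and the all-components-must-verify rule in the last helper are assumptions for illustration; the draft's normative syntax may differ.

```python
"""Added example: two wire shapes for a hybrid (classical + PQ) signature:
(1) one opaque OCTET STRING per algorithm pair under a per-pair OID, as the
    OQS fork is described above as doing (placeholder OID 1.3.9999.2.2), and
(2) one self-describing SEQUENCE of (AlgorithmIdentifier, BIT STRING) under
    a single composite OID, in the spirit of the composite-sigs draft.
Component OIDs, sample bytes and the exact ASN.1 shape are assumptions."""

def _der_len(n: int) -> bytes:  # DER definite-form length octets
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):  # -> (tag, body, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def encode_oid(dotted: str) -> bytes:  # base-128 arcs, first two packed
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))

def decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))

# ---- (1) one opaque blob per algorithm pair (pair OID e.g. 1.3.9999.2.2) ----
def encode_pair_blob(classical_sig: bytes, pq_sig: bytes) -> bytes:
    """Plain concatenation: only the pair OID hints at the internal layout."""
    return _tlv(0x04, classical_sig + pq_sig)

def split_pair_blob(blob: bytes, classical_len: int):
    """The verifier must already know the classical length from the pair OID."""
    tag, body, _ = _read_tlv(blob, 0)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    return body[:classical_len], body[classical_len:]

def pair_oid_count(n_classical: int, m_pq: int, hashes: int = 1) -> int:
    return n_classical * m_pq * hashes  # one OID per (classical, PQ, hash) combo

# ---- (2) one composite value that names its own components ----
def encode_composite(components) -> bytes:
    """SEQUENCE OF SEQUENCE { AlgorithmIdentifier, BIT STRING } (assumed shape)."""
    items = b"".join(
        _tlv(0x30, _tlv(0x30, encode_oid(oid)) + _tlv(0x03, b"\x00" + sig))
        for oid, sig in components)
    return _tlv(0x30, items)

def decode_composite(der: bytes):  # inverse of encode_composite, strict
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("malformed composite value")
    out, pos = [], 0
    while pos < len(body):
        t, item, pos = _read_tlv(body, pos)
        t_alg, algid, p = _read_tlv(item, 0)
        t_oid, oid_body, _ = _read_tlv(algid, 0)
        t_bits, bits, p = _read_tlv(item, p)
        if ((t, t_alg, t_oid, t_bits) != (0x30, 0x30, 0x06, 0x03)
                or p != len(item) or bits[:1] != b"\x00"):
            raise ValueError("malformed component")
        out.append((decode_oid(oid_body), bits[1:]))
    return out

def unknown_components(components, known_oids):
    """Assuming all-must-verify semantics, one unknown component OID means
    the verifier has to reject the whole composite signature."""
    return [oid for oid, _ in components if oid not in known_oids]

# Constructed sample inputs (not real signatures).
ECDSA_SHA256_OID = "1.2.840.10045.4.3.2"  # ecdsa-with-SHA256
DILITHIUM2_OID = "1.3.9999.1.2"           # hypothetical placeholder
SAMPLE_ECDSA_SIG = bytes(range(64))       # a real ECDSA sig would itself be DER
SAMPLE_PQ_SIG = bytes([0xAB]) * 2420      # 2420 B is Dilithium2's signature size
SAMPLE = [(ECDSA_SHA256_OID, SAMPLE_ECDSA_SIG), (DILITHIUM2_OID, SAMPLE_PQ_SIG)]

if __name__ == "__main__":
    comp = encode_composite(SAMPLE)
    print(len(encode_pair_blob(SAMPLE_ECDSA_SIG, SAMPLE_PQ_SIG)), len(comp), "bytes")
    print(unknown_components(decode_composite(comp), {ECDSA_SHA256_OID}))
```

The composite form costs a few dozen extra bytes of ASN.1 framing per component, but a decoder can walk it without knowing the pair in advance, and the OID count stays flat instead of growing as n*m (times the number of hash choices). It still does not help a legacy client: a verifier that only knows ecdsa-with-SHA256 decodes the structure fine but finds a component OID it cannot verify, which is the interoperability point raised at the top of the thread; the per-pair blob fails one step earlier, at an unknown pair OID.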