Re: [Secdispatch] [lamps] Pre-draft QSC Key Serialization and Identification
"Markku-Juhani O. Saarinen" <mjos@pqshield.com> Wed, 14 July 2021 11:42 UTC
Return-Path: <mjos@pqshield.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E615D3A03FF for <secdispatch@ietfa.amsl.com>; Wed, 14 Jul 2021 04:42:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pqshield-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0jHPXQEUOlhL for <secdispatch@ietfa.amsl.com>; Wed, 14 Jul 2021 04:42:01 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4F813A0128 for <secdispatch@ietf.org>; Wed, 14 Jul 2021 04:41:53 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id h4so1656028ljo.6 for <secdispatch@ietf.org>; Wed, 14 Jul 2021 04:41:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pqshield-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=s2rwPkI1rGjaArzPBYSVknUwJsoNdv1jmNIMWsrBS+c=; b=X04zllDP29KkBehx9IC9R47WoC7lj7Q7imNDykDqh2BA6an3uRA6DTZnEoad5TZ51l 9Wj8L8+a4FTUaM4kYCCPz9eVm4eg63puLSCrr68Ss9iVNi7kTxeJ6BcLQGgHmBOd74TD KipTD7qKm6zsvK3wvcvhcLcGRFtTLaTpG+IegHiZEgMFTk+bFbMbtGpLH7mgu1yAwyT0 d1m42LfNCIScmcDRN/tjVtcjPbQI1wPoatap7k2Ulq3YRQDQjN+wRRGISMySRSFcp7uV A9gzRTBeslI/mjDXFjcDedDOBDJkK0iE5DXGuO8lwiYvSBn+yNE/9TGoh7ELmSo/kCNV o1Ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=s2rwPkI1rGjaArzPBYSVknUwJsoNdv1jmNIMWsrBS+c=; b=fe6apWy5vTu9S/1Og7kwRHCgYlxKrr9BOj9LvB8pdNxKqL/8ERShVpJdv2Z5Y6Qp0K NCbtZSOGnr9ZQsld5hcpzfAtPkweMoc0MtXlTMU1+BKoTB1FUElI1yNiG1jQvk+i4EEL +3FKPhQEenos4ftl2NXbWdzgsF1FEMXdL+WrT/11GEaeQi083Y3rUpl/08PXx/RLS7Ee k4lop63hTrFZewe6BYs/NqKb8r/H+LgBa0oQXRXhFLiZgi8hIpG+wpCNaox05UFLNKuD 5bqMrZ32A7hUZV+Wc5TnrtScApLZFHzVJMLZ+UYeNS8EuQrMD1bH/Gtz/Na+qRfRA0++ U1eQ==
X-Gm-Message-State: AOAM532xcud5DG3xJY4NHzJCanFBWbqTc7AVIwHHgKcr7j0E2p91tcuc G9sRkQTFtpuspL+oCYb7NdJ9VamPg8IfJDXqX8/UOQ==
X-Google-Smtp-Source: ABdhPJyjW6nZyroMjZWKjWIYsNMQv7ZEFb5B0QMHJQqFDxa8QBM4RKObGlBM5o/c4HvhuB1gd1bGy76hi5el8+5RGOw=
X-Received: by 2002:a05:651c:2c1:: with SMTP id f1mr8896384ljo.128.1626262909881; Wed, 14 Jul 2021 04:41:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAHzQBQW298cCA7FC+TANxMoue1AiuVdRBY-HM64MTorEeOLzbQ@mail.gmail.com>
In-Reply-To: <CAHzQBQW298cCA7FC+TANxMoue1AiuVdRBY-HM64MTorEeOLzbQ@mail.gmail.com>
From: "Markku-Juhani O. Saarinen" <mjos@pqshield.com>
Date: Wed, 14 Jul 2021 12:41:38 +0100
Message-ID: <CAPwdP4OHykAh=mf27uurdhiLB3A--gnkJuozUjBA0e3H8jL3Hw@mail.gmail.com>
To: Christine van Vredendaal <cvvrede@gmail.com>
Cc: IETF SecDispatch <secdispatch@ietf.org>, SPASM <spasm@ietf.org>, saag@ietf.org
Content-Type: multipart/alternative; boundary="0000000000000e1e3305c713d7a1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/kDas4PGrspGkoh8xZjUff-2hAZo>
Subject: Re: [Secdispatch] [lamps] Pre-draft QSC Key Serialization and Identification
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2021 11:42:14 -0000
Hi, Some of this commentary is already commented inline in the google doc, but I'll paste it here too for the record. The document proposes OID identifiers for public and private key serialization draft Round3 PQC algorithms, which are likely to change when the NIST standard-writing process. The PQC algorithm specifications and reference implementations already contain serialization methods (that can be used as simple octet strings). The proposal is not using these serialization methods directly (as "octet string blobs" or similar). Suggest including some additional justification for proposing new serialization methods; either efficiency or security. I'd also like to hear comments on the relationship between this proposal and the "RawPublicKey" discussed in the new "KEM-based Authentication for TLS 1.3" draft https://datatracker.ietf.org/doc/draft-celi-wiggers-tls-authkem/ Each NIST Submission comes with a set of KAT test vectors that are used to test compliance and also interoperability. Hence we already have de facto serialization methods for these algorithms, which are efficient, and created by the algorithm design teams (and hence have already had years of security testing). We have also used these serialization methods in hardware modules. If ASN.1 type encoding is desired, a transformation tool between the new ASN.1 format and the standard ones should be provided. Additionally, ASN.1 may introduce serious input validation security issues that must be carefully studied. Note that Elliptic Curve Cryptography has largely chosen to go with simplified octet string encodings for implementation security reasons. One could argue that new ASN.1 serialization a step backward in terms of interoperability and also potentially creates unnecessary security risks? The implementation security aspects arise e.g. in the input validation and constant-time encoding and decoding of KEM public keys, which are part of the PQC key exchange process. Cheers, - markku Dr. Markku-Juhani O. Saarinen <mjos@pqshield.com> PQShield, Oxford UK. On Wed, Jul 14, 2021 at 9:38 AM Christine van Vredendaal <cvvrede@gmail.com> wrote: > Hello all, > > We (folks from NXP, IBM and Utimaco) have been working on a draft > specifying key serializations and OIDs for quantum-safe cryptography to > already start to prepare for the upcoming new public-key standard. > > We shared this with the CFRG for feedback and recommendations and would > now also like to share it for the same purpose in this broader community. > > > At the moment this is a pre-draft in the sense that it is not in an IETF > format yet, but all the content is there. > You can find the link to a comment-only Google Docs version here > <https://docs.google.com/document/d/1MbSf7e9NIZ0XCEpJ9Kpdxe04Z5HlvvgOBTUX4uvM1i0/edit?usp=sharing> > . > > > The abstract of the document is as follows: > > > With the NIST standardization effort still in full swing, companies > implementing post-quantum cryptography now are running into multiple > issues, such as: > > > > 1. Difficulty in managing algorithm versions and the compatibility of > associated keys > 2. Difficulty in interoperability testing > 3. Difficulty in evaluating the impact of integrating algorithms with > higher level standards > > > These difficulties result in delay of many follow-up activities for > algorithm integration and adoption. > > The document `Quantum Safe Key Identification and Serialization’ specifies > the key formats of selected quantum safe algorithms, to hopefully resolve > some of these interoperability issues. > > Additionally it should serve to make choices in future standard clear and > prevent delays in adaption. > > > To this end the document contains parameter identifiers for the Round 3 > finalist parameter sets (specific OIDs in some cases to be added), as well > as key descriptions, byte sizes, and their ASN.1 formatting. > > Open items that we would consider still adding (opinions are welcome) are > the addition of CBOR formats, and the serialization of signatures and > ciphertexts. > > We also note that the current OIDs are not useable or filled in yet. We > are investigating adding temporary OIDs, and in the end permanent OIDs > should be assigned by NIST upon standardization of a set of algorithms. > > > *(Current) authors: *Dieter Bong (Utimaco), Joppe Bos (NXP), Silvio > Dragone (IBM), Basil Hess (IBM), Christopher Meyer (Utimaco), Mike Osborne > (IBM), Christine Cloostermans (NXP, f.k.a. van Vredendaal), Karen > Willbrand (Utimaco) > > > Looking forward to your thoughts and suggestions, > > > Cheers on behalf of the team, > > > Christine > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [Secdispatch] Pre-draft QSC Key Serialization and… Christine van Vredendaal
- Re: [Secdispatch] [lamps] Pre-draft QSC Key Seria… Markku-Juhani O. Saarinen
- Re: [Secdispatch] [lamps] Pre-draft QSC Key Seria… Markku-Juhani O. Saarinen