IETF Logo Mail Archive

Re: [lamps] Adoption call for draft-housley-lamps-cms-sha3-hash

Michael StJohns <msj@nthpermutation.com> Mon, 30 October 2023 16:56 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A1E2C15170B for <spasm@ietfa.amsl.com>; Mon, 30 Oct 2023 09:56:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.802
X-Spam-Level:
X-Spam-Status: No, score=-6.802 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hUDzYahU23Vb for <spasm@ietfa.amsl.com>; Mon, 30 Oct 2023 09:56:46 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27D28C151075 for <spasm@ietf.org>; Mon, 30 Oct 2023 09:56:45 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id 3f1490d57ef6-d9a58f5f33dso3964936276.1 for <spasm@ietf.org>; Mon, 30 Oct 2023 09:56:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1698685005; x=1699289805; darn=ietf.org; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:from:to:cc:subject:date:message-id :reply-to; bh=vVr9t0Co568jmFCWupiKXdmB/p7zj+PGRUis0Ruf5fc=; b=FoBwRFv7POuuBW4dVlINiMveZLB4D4IwP+VnboNxuGjsFffEJnHlhju8TrR2RIUFz9 usYGC3fdl6qoN4HODXboJyw2UvwunFsWJr90kBxkGNNEmUPhJ7J7tp8YlcRV/m7gn34d XzQiTS4NBYNvCLWyqQjDlkjc/yuAGYVi3ar5vt+80QOiM+YV/4yFSaoyb+VXzNZrOUrf V2ahfqKJ+0xpcMhgyHQP95ySJ+ABcBqNy3g+tBiFwp0V2YUZWDXDdmEXPP/ywpzZwhPa M+r4OEaGwUg0gS+7V61McMoAhxylxbhpi4Ut11j8ug81AoYEqKisfVufCxtBDYvkFxUW jN4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698685005; x=1699289805; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=vVr9t0Co568jmFCWupiKXdmB/p7zj+PGRUis0Ruf5fc=; b=xJ7PIba0Ojvr84TYrlZCzDy3E6RcmAwVGqn5FWyiD9ukohVzX2eBhoC9U7V1ut7J2F vSjxQk87IOiqmYUEV5WL9jXYzDrQjpiddgblc6QEsnjAdsiSEBuZv/gGpiE4H7wNcjcW ps7dxuJCzgGRlxU5v1/Ki+4alEXlhUGBeK8LyISQaR0uxBGn4uZBFCkCLKgDQJ8kweNJ agerGArPRgZkYiNwQS0a2rMSg36eDfZqLwZG6Sok9jfMIhMBTGhJySQkxNxhk+PTtCT6 6Fnx8RyQrXhFWHL+2ZiVdI4WyxoIZGAveKYc7Rud6iDONJ/YpSavge9DB+4Bfq1BXmZc jkkg==
X-Gm-Message-State: AOJu0YxRGinfqhfs6Qy7UF2yp2gqCRUcI5QpBWjkr+TdHgodgKgRQ4TR nq7+apbZWuyZFOM0KZZNchoR1CJdqHNkw/QP4NM=
X-Google-Smtp-Source: AGHT+IGzehMQZvRk4qrw/wx0+NnTv/IcCK8ytwr66aIaqzDyTfNeI7pVQKNOTSUMoOKk9zhaZilrVg==
X-Received: by 2002:a25:2d14:0:b0:da0:68a0:7cc6 with SMTP id t20-20020a252d14000000b00da068a07cc6mr8502554ybt.17.1698685004483; Mon, 30 Oct 2023 09:56:44 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id c11-20020a0ce14b000000b0065823d20381sm3555111qvl.8.2023.10.30.09.56.43 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 30 Oct 2023 09:56:43 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------xvICePFkU1FcTssURhLQoBRh"
Message-ID: <98f0b71a-dd2a-4d73-9d46-05c9878d1ee9@nthpermutation.com>
Date: Mon, 30 Oct 2023 12:56:42 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: "Kampanakis, Panos" <kpanos@amazon.com>, "spasm@ietf.org" <spasm@ietf.org>
References: <SN7PR14MB64924398A13D7C521AEDF4B283DCA@SN7PR14MB6492.namprd14.prod.outlook.com> <bfa2812c899541cc84f7c5abb38ee435@amazon.com> <597E6452-69BF-41EE-A3EB-19AF0A01304C@vigilsec.com> <CH0PR11MB573915B912FA76F9D2A8B3239FA3A@CH0PR11MB5739.namprd11.prod.outlook.com> <fb2e4bbe95964d8e9015e3787385fa53@amazon.com> <2d75918b-4815-4ec9-9e6f-74472af97a73@nthpermutation.com> <ee119d906d02451495e4b13a3c8bbc67@amazon.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <ee119d906d02451495e4b13a3c8bbc67@amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1koce1nLWBCz71F9NRlNQgFBA6M>
Subject: Re: [lamps] Adoption call for draft-housley-lamps-cms-sha3-hash
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2023 16:56:50 -0000

On 10/29/2023 10:02 PM, Kampanakis, Panos wrote:
>
> > try and practice algorithmic pluralism in the way we define things
>
> Personally, I am not sure algorithmic pluralism for the sake of 
> variety is a good idea. Integrating and using only new algorithms that 
> make sense is a better one imo.
>
> I can’t think of a case where SHA-3 would be preferred over SHAKEs, 
> but I am open to suggestions.
>
AFAICT from FIPS202 both are just parameterized instantiations of the 
same KECCAK function and have exactly the same performance (and 
strength).  E.g. from FIPS202

SHA3-256 (M) ::= KECCACK[512](M||01, 256)

SHAKE256 (M,d) ::= KECCACK[512](M||1111, d)

Now RFC8702 says that SHAKE256 should use d = 512 if you're using it as 
a hash/message digest, but I can't find anywhere in the NIST document 
that also use that value as a default.  That worries me with respect to 
future interoperability.

The main advantage of id-sha3-256 in this instance is that the 
definition associated with that OID makes clear that SHA3-256 has a 
fixed output of 256 bits.   If I were going to use SHAKE256-512, I'd 
rather use id-shake256-len as the OID and parameterize it with that 
length in an AlgorithmIdentifer so that it was clear to the receiver 
just what I was doing with the XOF.

> Alg-SHAKE256-LEN ALGORITHM ::= { OID id-shake256-len PARMS 
> ShakeOutputLen }

id-shake256 is an  unparameterized OID and that means I have to figure 
out what the length is from context and hope an implementer didn't miss 
getting to the same context.  RFC8702 section 3.1 notwithstanding.

With respect to pluralism, what I mean is the ability to plug in 
approved algorithms that more closely meet a set of requirements. One of 
the things I dislike about the pq-kem document is that choices like the 
particular KDF to use are implied by the KEM algorithm OID and can't be 
easily substituted without starting over.  Compare and contrast RFC5990 
and the RSA-KEM parameters definition.

Later, Mike



> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of * Michael StJohns
> *Sent:* Saturday, October 28, 2023 11:50 PM
> *To:* spasm@ietf.org
> *Subject:* RE: [EXTERNAL] [lamps] Adoption call for 
> draft-housley-lamps-cms-sha3-hash
>
> *CAUTION*: This email originated from outside of the organization. Do 
> not click links or open attachments unless you can confirm the sender 
> and know the content is safe.
>
> IMHO - These are somewhat orthogonal items.   Russ' document is useful 
> irrespective of the Mike's KEM stuff, and I'd like to see it move 
> forward on that basis.
>
> (also, 
> https://csrc.nist.gov/Projects/computer-security-objects-register/algorithm-registration 
> has the OID registration for id-sha3-256, so for the use Mike as 
> asking about, it's unclear his document actually depends on Russ' 
> document.  That said, its usually useful to have an IETF public of the 
> NIST allocations as RFCs tend to be a bit easier to find for our 
> participants).
>
> If you want draft-ietf-lamps-pq-composite-kem to use Shake 
> exclusively, that's more a discussion that needs to happen on the list 
> with respect to that draft.  Alternately, do what is more flexible and 
> define multiple kda-??? KEY-DERIVATION ::={} constructs to support 
> both shake and sha3.
>
> So I'd suggest it may be better to avoid discussions about which is 
> better and try and practice algorithmic pluralism in the way we define 
> things.  In other words, allocate top level OIDs for both a shake and 
> sha3 variant of the KDF and include those in the ASN1.
>
> Later, Mike
>
> On 10/28/2023 10:37 PM, Kampanakis, Panos wrote:
>
>     Hi Mike,
>
>     > I guess this is a design choice that the WG can discuss. We
>     could instead use id-shake-256 from RFC8702, which is usable as a
>     digest algorithm as per section 3.1, but why? If what I actually
>     want is a hash function, then why can’t I have a hash function?
>
>     I suggest to discuss this in IETF-118. SHAKEs are XOFs but can be
>     used just fine as hashes with constant output size. Their
>     performance is better, and generally that is the reason they have
>     be favored and more adopted than SHA-3 (in the same family).
>
>     *From:* Spasm <spasm-bounces@ietf.org>
>     <mailto:spasm-bounces@ietf.org> *On Behalf Of *Mike Ounsworth
>     *Sent:* Saturday, October 28, 2023 2:08 PM
>     *To:* Russ Housley <housley@vigilsec.com>
>     <mailto:housley@vigilsec.com>; Kampanakis, Panos
>     <kpanos@amazon.com> <mailto:kpanos@amazon.com>
>     *Cc:* LAMPS <spasm@ietf.org> <mailto:spasm@ietf.org>
>     *Subject:* RE: [EXTERNAL] [lamps] [EXTERNAL] Re: Adoption call for
>     draft-housley-lamps-cms-sha3-hash
>
>     *CAUTION*: This email originated from outside of the organization.
>     Do not click links or open attachments unless you can confirm the
>     sender and know the content is safe.
>
>     Panos,
>
>     Specifically, draft-ietf-lamps-pq-composite-kem instantiates
>     RSA-KEM (RFC5990bis) with:
>
>     keyDerivationFunction  kda-kdf3 with id-sha3-256
>
>     See:
>
>     https://datatracker.ietf.org/doc/html/draft-ietf-lamps-pq-composite-kem-02#name-rsa-kem-parameters
>
>     Therefore, I need an OID for id-sha3-256.
>
>     I guess this is a design choice that the WG can discuss. We could
>     instead use id-shake-256 from RFC8702, which is usable as a digest
>     algorithm as per section 3.1, but why? If what I actually want is
>     a hash function, then why can’t I have a hash function?
>
>     - Mike Ounsworth
>
>     ------------------------------------------------------------------------
>
>     *From:*Spasm <spasm-bounces@ietf.org> on behalf of Russ Housley
>     <housley@vigilsec.com>
>     *Sent:* Saturday, October 28, 2023 10:44:57 AM
>     *To:* Panos Kampanakis <kpanos@amazon.com>
>     *Cc:* LAMPS <spasm@ietf.org>
>     *Subject:* [EXTERNAL] Re: [lamps] Adoption call for
>     draft-housley-lamps-cms-sha3-hash
>
>     Panos: Mike Ounsworth needs these OIDs to be available, and the
>     easiest solution was to just publish the previously abandoned I-D.
>     Russ On Oct 27, 2023, at 11: 00 PM, Kampanakis, Panos
>     <kpanos=40amazon. com@ dmarc. ietf. org>
>     <mailto:kpanos=40amazon. com@ dmarc. ietf. org> wrote: Hi Russ,
>
>     Panos:
>
>     Mike Ounsworth needs these OIDs to be available, and the easiest
>     solution was to just publish the previously abandoned I-D.
>
>     Russ
>
>         On Oct 27, 2023, at 11:00 PM, Kampanakis, Panos
>         <kpanos=40amazon.com@dmarc.ietf.org> wrote:
>
>         Hi Russ,
>
>         I was under the impression that SHAKEs for CMS and X.509 would
>         suffice for introducing the Keccak family to these standards.
>         SHAKEs have the same security and better performance. I
>         thought that was the reason
>         draft-turner-lamps-adding-sha3-to-pkix never made it.
>
>         Is there a reason why someone would use SHA-3 in CMS instead
>         of SHAKE128 or SHAKE256 (RFC8702)?
>
>         *From:*Spasm <spasm-bounces@ietf.org
>         <mailto:spasm-bounces@ietf.org>>*On Behalf Of*Tim Hollebeek
>         *Sent:*Friday, October 27, 2023 11:39 AM
>         *To:*SPASM <spasm@ietf.org <mailto:spasm@ietf.org>>
>         *Subject:*[EXTERNAL] [lamps] Adoption call for
>         draft-housley-lamps-cms-sha3-hash
>
>         *CAUTION*: This email originated from outside of the
>         organization. Do not click links or open attachments unless
>         you can confirm the sender and know the content is safe.
>
>         Hello,
>
>         Russ has asked for an adoption call for this short document
>         that explains how to
>
>         use SHA-3 with CMS.  Since people may be traveling to IETF
>         118, we’ll do a three
>
>         week adoption call.
>
>         https://datatracker.ietf.org/doc/html/draft-housley-lamps-cms-sha3-hash-00
>         <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-housley-lamps-cms-sha3-hash-00__;!!FJ-Y8qCqXTj2!btMHx3oQg1XcdsmiDk3zQn-HVGxUExFHzJp0v2bwunfFVR3P8235FQ_QH4pzRkyD49fJSywzek8dgSw-P9DqGArWDMhf$>
>
>         Abstract
>
>            This document describes the conventions for using the four
>         one-way
>
>            hash functions in the SHA3 family with the Cryptographic
>         Message
>
>            Syntax (CMS).
>
>         Please indicate whether you support adoption, and optionally
>         indicate why, on
>
>         the list by 17 November 2023.
>
>         For the chairs,
>
>         -Tim
>
>         _______________________________________________
>         Spasm mailing list
>         Spasm@ietf.org <mailto:Spasm@ietf.org>
>         https://www.ietf.org/mailman/listinfo/spasm
>         <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!btMHx3oQg1XcdsmiDk3zQn-HVGxUExFHzJp0v2bwunfFVR3P8235FQ_QH4pzRkyD49fJSywzek8dgSw-P9DqGMDI1k9b$>
>
>     /Any email and files/attachments transmitted with it are intended
>     solely for the use of the individual or entity to whom they are
>     addressed. If this message has been sent to you in error, you must
>     not copy, distribute or disclose of the information it contains.
>     _Please notify Entrust immediately and delete the message from
>     your system._/
>
>
>
>     _______________________________________________
>
>     Spasm mailing list
>
>     Spasm@ietf.org
>
>     https://www.ietf.org/mailman/listinfo/spasm
>

v2.23.0 | Report a Bug | By Email