Re: [lamps] Do we have a FALCON draft yet?
"Markku-Juhani O. Saarinen" <mjos@pqshield.com> Mon, 21 November 2022 12:08 UTC
Return-Path: <mjos@pqshield.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93A2CC1524C1 for <spasm@ietfa.amsl.com>; Mon, 21 Nov 2022 04:08:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.786
X-Spam-Level:
X-Spam-Status: No, score=-1.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pqshield-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kNU5wgbrRNBA for <spasm@ietfa.amsl.com>; Mon, 21 Nov 2022 04:08:41 -0800 (PST)
Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E86B0C1524C2 for <spasm@ietf.org>; Mon, 21 Nov 2022 04:08:40 -0800 (PST)
Received: by mail-yb1-xb2a.google.com with SMTP id f201so13311759yba.12 for <spasm@ietf.org>; Mon, 21 Nov 2022 04:08:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pqshield-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7EU3zB+x2mQnWSLhHsadhC/Zk7zxmdAVLq/qtl65wks=; b=UJ5gg0aZDFoxhNAw11XhbHFwOT97HoseClP8xR7zYagOiTyx/gu885podH12v0B6Wv Dkp+Bb7QaKBG0Qj2jRk3vbk3ZzYMQ+erC9oMjCZotwAZU1UkU/ONReP1TLJOwA+5o6pr UlN9ahSsp7sSEGVJMzHnfPgx6KibNAyDbT6jG+AZ428Rl9iikHuS9cT2JwyYS1p3fSaA WGyazd0ehKo5wTEuiRXpgKEun0XVdXfVZq1w2mYQF2F5tniJzQDzvUPluidf3aCZX7e1 Cv5iIZUBVYU5kyhI9TEhv40jT6bq/st1cLQizbfKsLao0pv9aIz4B6PGZZcPyz4r28Em TqhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7EU3zB+x2mQnWSLhHsadhC/Zk7zxmdAVLq/qtl65wks=; b=LuMwdbfMX/+mMtyQ7osOdvwnViV6/ji3gLtwWAyCHtYnnOXpXUB0QultUz/mq7kIP+ 56KrnNf7Oa3hv3pV/zbvjDempMi2O+Wo/i5SbfhyWcGEEEhJ01/dpSt7PgJyjUcH6rE5 zTAUQItgGlKUWJkOH86avx/lGy73Jx40Uw9XzwcerziJS6N8oOcmbGRxViFP760W1UYt 9zlj30bzVfH3uwOUFdBQ1I19+WrW9dXommJcVTTEtE4L0p+F9JwpbVaxVN1lCgen7t2U enFUOQiXgBgnHOW9BVx1MKQNXWO3BaecAXTa/IFjCQlwZwiOCgXyWHSqrlNShR0tCMuB M1IA==
X-Gm-Message-State: ANoB5pn9k1cZJAArBHH5rPKAmz9/f9oVW1uNnqYOv8rRgZeQnThDICOj C/aWFJVgf0fyV5Ra07WqS3wD+oPxsIFS6YC5QqK+1xB5IDJMOg==
X-Google-Smtp-Source: AA0mqf6+VUkMjh3D2jUWLAfpr6F0wPMvOVZ6nd1IdjExbhqqQAgsrEdBYD5poLQ9R9RhFkIPzSEtmkrYzZe5jzIFblE=
X-Received: by 2002:a25:8182:0:b0:695:9214:536 with SMTP id p2-20020a258182000000b0069592140536mr6488483ybk.388.1669032519609; Mon, 21 Nov 2022 04:08:39 -0800 (PST)
MIME-Version: 1.0
References: <CAMjbhoUUKjuU1rMJ--21TDz4h6MxMdghGZPVVVJjGaSyCNAgLQ@mail.gmail.com> <F17215D0-255B-4DD5-8410-4F5FDA250658@ll.mit.edu>
In-Reply-To: <F17215D0-255B-4DD5-8410-4F5FDA250658@ll.mit.edu>
From: "Markku-Juhani O. Saarinen" <mjos@pqshield.com>
Date: Mon, 21 Nov 2022 12:08:28 +0000
Message-ID: <CAPwdP4P7A+rcGTm3k603KcftigV5Hg-fS0XGpgXv3N5=MzOaYA@mail.gmail.com>
To: LAMPS <spasm@ietf.org>
Cc: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Content-Type: multipart/alternative; boundary="0000000000007342c005edf9eaea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/7FOU3p3PR0XSEby9H1DVhkzcpAY>
Subject: Re: [lamps] Do we have a FALCON draft yet?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2022 12:08:45 -0000
Hi, I have been looking at possibly preparing an I-D for Falcon, but the technical details are currently in flux. I've been in contact with members of the Falcon design team, and I hear that they're getting around to revising the algorithm for standardization (my understanding from NIST is that they will try to get the Dilithium specs in shape before moving on to address Falcon -- this is private communication and not official.) One of the issues is that there is a yet another twist to message hash processing with Falcon (surprise, surprise!) Falcon spec (v1.2, 1 Oct 2020), Sect 3.11.3:* "A Falcon signature consists of two strings r and s. They may conceptually be encoded separately, because the salt r must be known before beginning to hash the message itself, while the s value can be obtained or verified only after the whole message has been processed. In a format that supports streamed processing of long messages, the salt r would normally be encoded before the message, while the s value would appear after the message bytes. However, we here define an encoding that includes both r and s."* For purposes of, say, PKI formats having the concatenated pair (r,s) as the signature obviously makes more sense than having the signature in two parts. The second issue is that SHAKE-256 XOF output is used directly. Unless this is changed, Falcon will be yet another case for API architects to consider: 0. For classical (PKCS #1) RSA or ECDSA you can just hash a message and pass the H(m) to the signing function. 1. For Dilithium, you prefix the message "m" with a hash of Dilithium pub key tr=H(pk) and use that as a prefix to compute H(tr | m). You don't need the signature to start verification, just the public key (the "tr" hash can also be found in the private key). 2. For Falcon verification, it's different again. You grab "r' from the signature (not the keys) and prefix the message with it; str = (r | m). If you're singing, you need to throw dice and get a random r before starting to hash the message. But that's not all; HashToPoint() function uses SHAKE256 XOF output directly -- there is no actual upper bound to the number of bytes needed (albeit statistical ones are easy to work out.) One can also pass the entire Keccak context (200 bytes, containing the prefix r and the mixed message m) to the signing/verification function. This is a compatibility-breaking issue, unlike the randomized vs. non-randomized aspects of Dilithium singing. As the Falcon spec says, *"Of course, any variant deviating from the procedure expressed in algorithm 3 implies that the same message will hash to a different value, which breaks interoperability." *This will have to be addressed by the design team. Ps. I agree that eliminating potential timing oracles from the current Falcon is trickier/costlier than with most other algorithms. Masking and other electromagnetic (DPA/DEMA) countermeasures for hardware implementations are even trickier -- as required for platform security, smart cards, etc. Unless there is a major design change concerning floating point operations in the Gaussian sampler, this appears to be an "inherent" security consideration for Falcon and, indeed, needs to be discussed in the I-D/RFC. Cheers, - markku Dr. Markku-Juhani O. Saarinen Staff Cryptography Architect PQShield Ltd M: +44 0 7548 620723 E: mjos@pqshield.com W: www.pqshield.com On Sun, Nov 20, 2022 at 10:13 PM Blumenthal, Uri - 0553 - MITLL < uri@ll.mit.edu> wrote: > Completely agree with Bas. > > Regards, > Uri > > On Nov 20, 2022, at 07:14, Bas Westerbaan <bas= > 40cloudflare.com@dmarc.ietf.org> wrote: > > > Not that I know of. If someone picks this up, may I urge them to add a > warning to the following effect in the earliest draft. > > > The Falcon signing procedure is difficult to implement in constant time > because of its use of floating point arithmetic. By default, it should be > assumed that the timing of the creation of the signature leaks the private > key. Thus, without careful consideration, it should not be used when > signatures are created on-the-fly such as for TLS handshakes. It is safe if > floating-point emulation is used (which comes at a performance penalty) or > a (custom) FPU with sufficient constant-time guarantees. Verification does > not use floating-point arithmetic and does come with the same concerns. > > > Best, > > Bas > > > > On Sun, Nov 20, 2022 at 12:56 AM Mike Ounsworth <Mike.Ounsworth= > 40entrust.com@dmarc.ietf.org> wrote: > >> For completeness, we also have Kyber [3]. >> >> >> >> [3]: >> https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/ >> >> >> >> --- >> >> *Mike* Ounsworth >> >> >> >> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of * Mike Ounsworth >> *Sent:* November 19, 2022 5:53 PM >> *To:* 'LAMPS' <spasm@ietf.org> >> *Subject:* [EXTERNAL] [lamps] Do we have a FALCON draft yet? >> >> >> >> WARNING: This email originated outside of Entrust. >> DO NOT CLICK links or attachments unless you trust the sender and know >> the content is safe. >> ------------------------------ >> >> Hi LAMPS, >> >> >> >> We have drafts for SPHINCS+ [1] and Dilithium [2] in LAMPS. >> >> >> >> Has anyone started one for FALCON yet? (I need something to >> cross-reference the composite draft against) >> >> >> >> >> >> [1]: https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-sphincs-plus/ >> <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-lamps-cms-sphincs-plus/__;!!FJ-Y8qCqXTj2!fJ0iZFzue-XVZBbJ18itKI-6e6y12C3g-v1B6dzJyGsg9sgUnSr-uGDYsyjTI-fvpuSJoWVhNP0h3vCR5xxUkcbW4I-VqfjlT2DqrQ8jQA$> >> >> [2]: >> https://datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/ >> <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/__;!!FJ-Y8qCqXTj2!fJ0iZFzue-XVZBbJ18itKI-6e6y12C3g-v1B6dzJyGsg9sgUnSr-uGDYsyjTI-fvpuSJoWVhNP0h3vCR5xxUkcbW4I-VqfjlT2A2XHyKVQ$> >> >> --- >> Mike Ounsworth >> Software Security Architect, Entrust >> >> >> >> *Any email and files/attachments transmitted with it are confidential and >> are intended solely for the use of the individual or entity to whom they >> are addressed. If this message has been sent to you in error, you must not >> copy, distribute or disclose of the information it contains. Please notify >> Entrust immediately and delete the message from your system.* >> _______________________________________________ >> Spasm mailing list >> Spasm@ietf.org >> https://www.ietf.org/mailman/listinfo/spasm >> > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] Do we have a FALCON draft yet? Mike Ounsworth
- Re: [lamps] Do we have a FALCON draft yet? Mike Ounsworth
- Re: [lamps] Do we have a FALCON draft yet? Bas Westerbaan
- Re: [lamps] Do we have a FALCON draft yet? Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Do we have a FALCON draft yet? Markku-Juhani O. Saarinen
- Re: [lamps] Do we have a FALCON draft yet? Ilari Liusvaara
- Re: [lamps] Do we have a FALCON draft yet? Massimo, Jake
- Re: [lamps] [EXTERNAL] Re: Do we have a FALCON dr… Mike Ounsworth