IETF Logo Mail Archive

Re: [lamps] Call for adoption ofdraft-massimo-lamps-pq-sig-certificates

"Markku-Juhani O. Saarinen" <mjos@pqshield.com> Thu, 08 September 2022 09:23 UTC

Return-Path: <mjos@pqshield.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 341BDC1524B0 for <spasm@ietfa.amsl.com>; Thu, 8 Sep 2022 02:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.895
X-Spam-Level:
X-Spam-Status: No, score=-6.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pqshield-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XN8I8gkG1mGP for <spasm@ietfa.amsl.com>; Thu, 8 Sep 2022 02:23:11 -0700 (PDT)
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA49FC1526E9 for <spasm@ietf.org>; Thu, 8 Sep 2022 02:23:10 -0700 (PDT)
Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-346cd4c3d7aso66656217b3.8 for <spasm@ietf.org>; Thu, 08 Sep 2022 02:23:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pqshield-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=X2UqW3S3t8RU35tN+i7cpRGWaHb0kuomFIF9QLGlRQw=; b=hq5hUc9XQfmOqf4xQ2O0fUZlizvyCGzgW/0W0i63bCGARmwSwpqEMY4iCA1iXGLVNZ xMc3TwHrkZ25Ur3ACp30aI5XXO7wlCMesUBvIJmFBF9Op7n3BZdSIZmWoJX4ZJWBKfXq WxV6oD5YYF1z5iMuYmmEhwacvsIjryw4Bz5NHazqc3H347rJHDfcYjtvU3WKlGRJgsGm CPgONcF6y3VJzJa5Rk85OLea3j9MWjuXVGHnMx5IdMo8yigsZqCrA1aVILhKQPAdFwnH WNk+caX1il214H1tQYcBZuCGYHAyA0zMxTme624RRa1ZYoFZmEO4VJSrqJ+39Co9LVSd r64g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=X2UqW3S3t8RU35tN+i7cpRGWaHb0kuomFIF9QLGlRQw=; b=kGzrifIvT5KhWnXpyYSaop4B2rkuiTmZlqRo7p7jiiuGHlXa/od007aC1pm5BjSy5z AARNRJbhsF4BDJxLvKSGFOUHZavZ8pT/Ox4zx8dc/uHW+J9O7A6VqFB8y/LGZ77fJ+5F vBA8fC9NpEnzSFXjMzzcNRilhCbp6y99yMXuam0S0ZT/H/qVd/Pggd9xMONA1bl8ZF7N sd4fyMeXsmmp2u8/jsd2OennkUmgXTprJaU3zypMp6kUt07nlTOrLljersWdtZMsgHWC xaRHeL+331uEMtVm7uBD5udSE2BsQhXzBOpY1o5EXn7btnABcjKr5wMAi+DafoKJ2/tH BEJA==
X-Gm-Message-State: ACgBeo1TVFHwtMuLq3gX3+IlGWc2wfu8L48fItH6GwYB5952tseMSdzQ u9iWRiCbW9ymzsGR8VXVytHdNcs1EUgJcttV5ZZtNQ==
X-Google-Smtp-Source: AA6agR4xHBbxyWu3Kmj55qC0XLE0OW9oBe3LwVNnAJ3QPYbIflY/Q4YO2Nx43lVjTrrWdRuFHen0rZ3CVfcv+vpyJz8=
X-Received: by 2002:a0d:d896:0:b0:345:814d:38ad with SMTP id a144-20020a0dd896000000b00345814d38admr6655369ywe.251.1662628989738; Thu, 08 Sep 2022 02:23:09 -0700 (PDT)
MIME-Version: 1.0
References: <PH0PR00MB10003EC6A096FE0A363BBFB9F5459@PH0PR00MB1000.namprd00.prod.outlook.com> <PH0PR00MB10002A7A2850A1333B4F6C00F54A9@PH0PR00MB1000.namprd00.prod.outlook.com> <59CE53DE-A8A6-4494-B7DF-5E022B831516@vigilsec.com> <CAPwdP4MsmwnC28sYU=a--8bikbAX0zsKwKuAc9QAnQHeHb1RKg@mail.gmail.com> <3ecac634-5afb-0360-cc53-b4330bb6445e@iaik.tugraz.at>
In-Reply-To: <3ecac634-5afb-0360-cc53-b4330bb6445e@iaik.tugraz.at>
From: "Markku-Juhani O. Saarinen" <mjos@pqshield.com>
Date: Thu, 08 Sep 2022 10:22:58 +0100
Message-ID: <CAPwdP4P6KfM8pogaFtHAxWcXmmU+1x=MaWc3fp4aMipJx7m_nQ@mail.gmail.com>
To: Simon Guggi <simon.guggi@iaik.tugraz.at>
Cc: spasm@ietf.org
Content-Type: multipart/alternative; boundary="00000000000053b48205e826fa83"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/8SiKMHxC1Igk-KHw0sogMvHc_u0>
Subject: Re: [lamps] Call for adoption ofdraft-massimo-lamps-pq-sig-certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2022 09:23:15 -0000

On Thu, Sep 8, 2022 at 8:32 AM Simon Guggi <simon.guggi@iaik.tugraz.at>
wrote:

> Hi,
>
> There is a de facto key transport encoding for secret keys, defined by the
> algorithm designers and used in KAT tests, that doesn't have ASN.1 encoding
> of individual components. It can be simply taken as an OCTET STRING, just
> like the public key in this I-D. The lengths in Appendix B match that
> encoding, not the completely new encoding in Section 5.
>
>
> - I also support the byte array encoding for the private key proposed by
> the algorithm designers. It is an already defined encoding, so I think it
> makes sense to take that one.
> Also the public key is encoded as an array (but as a BIT STRING instead,
> because of rfc 5912), so I think to be at least somewhat consistent the
> private and public key should be
> encoded as an OCTET STRING and BIT STRING respectively.
>
>     - On that note I just wanted to add that I think it would make more
> sense that the public key is also encoded as an OCTET STRING, but I guess
> that can't happen because of backward-compatibility.
>
>
Hi Simon and all,

I guess it can be a BIT STRING, but it clearly must be of a specific
length. For verification purposes, the algorithm identifiers for
Dilithium2, Dilithium3, and Dilithium5 should be explicit. Determining that
from the public key length is a hack and could be a security issue. Just
noting that for completeness; the current "id-dilithiumTBD" is clearly
temporary. Anyway, a Dilithium-in-PKI I-D would need very clear
verification rules related to this issue.

Whatever format the public key is wrapped in, the "raw concatenated
sequence of bytes" (without any ASN.1 tags, as defined for algorithm
designers for public keys) is actually used inside the signature process
itself: the thing being signed is always prefixed by its hash: mu = H(
H(pk) | m ). One obviously can't sign or verify in an interoperable fashion
if one doesn't use that specific raw format for the hash prefix H(pk), also
denoted "tr" in the spec. It is encoded into the secret key just to tie the
public key with the secret key: Key import functions must check that the
"tr" hash matches.

Cheers,
- Markku

Dr. Markku-Juhani O. Saarinen
Staff Cryptography Architect
PQShield Ltd



M:             +44 0 7548 620723

E:              mjos@pqshield.com
W:             www.pqshield.com

>
>
> On 06.09.22 12:56, Markku-Juhani O. Saarinen wrote:
>
> On Mon, Sep 5, 2022 at 7:47 PM Russ Housley <housley@vigilsec.com> wrote:
>
>> There has been some discussion of
>> https://datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/.
>> During the discussion at IETF 114, it was agreed that a separate document
>> would be written for each NIST PQC algorithm.  As a result, this document
>> will cover CRYSTALS-DILITHIUM.
>>
>> Should the LAMPS WG adopt “Algorithms and Identifiers for Post-Quantum
>> Algorithms in the Internet X.509 Public Key Infrastructure” in
>> draft-massimo-lamps-pq-sig-certificates-00?
>>
>> Please reply to this message by Monday, 19 September 2022 to voice your
>> support or opposition to adoption.
>>
>
> Hi,
>
> I'd *support* LAMPS adopting this. I assume that the new title will be
> something like "Algorithms and Identifiers for CRYSTALS-DILITHIUM in the
> Internet X.509 Public Key Infrastructure.”
>
> *Misc comments:*
>
> - The document should more clearly identify the version of Dilithium: 3.1.
> If there are more versions, those would have different identifiers. There
> has been compatibility-breaking changes after the version submitted as a
> Finalist to Round 3, which is still on the NIST website (we've had
> customers try to match our implementation with those v3.0 KATs, requiring
> explanations). The changes from 3.0 to 3.1 include a security fix (at Level
> 5), so compatibility with the latest version is important. See Vadim
> Lyubashevsky's explanation, February 8, 2021:
> https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/BjfjRMIdnhM/m/W7kkVOFDBAAJ
> Note that there were several other internal changes in from 3.0. to 3.1
> apart from the hash lengths.
>
> - A note about the signing process would be helpful; Dilithium 3.1
> computes a signature for mu = H2( H1(pk) | M ), where H1 is SHAKE-256
> truncated to 32 bytes -- a hash of the public key, also denoted "tr" -- and
> H2 is SHAKE-256 truncated to 64 bytes. The number designation of SHAKE of
> course indicates security level, not the output length, as SHAKE is an XOF.
>
> - I suggest the document also includes signature sizes for (detached)
> signatures: 2420, 3293, and 4595 bytes. Currently, only public and private
> key sizes are reported in Appendix B of the I-D.
>
> - The secret key lengths in Appendix B match with v3.1 (v3.0 has 16 bytes
> longer private keys), but do not account for ASN.1 encoding of the SEQUENCE
> in Section 5 of the same I-D. Even section 5 itself does not seem to
> account for this as it reports "the size necessary to hold all private key
> elements." There is a de facto key transport encoding for secret keys,
> defined by the algorithm designers and used in KAT tests, that doesn't have
> ASN.1 encoding of individual components. It can be simply taken as an OCTET
> STRING, just like the public key in this I-D. The lengths in Appendix B
> match that encoding, not the completely new encoding in Section 5.
>
> - Section 5 states "The randomized version can be invoked by leaving K as
> EMPTY." Private key formats are determined by application requirements and
> should not be used as "APIs" to affect functionality as suggested.
> Side-channel secure implementations will only use this type of plaintext
> ASN.1 encoding for backup/transport (never actively) and are likely to
> always perform randomized signing. Some other implementations (perhaps
> without trustworthy RNGs) may always perform deterministic signing; this
> does not break the interoperability of signatures. The explanation for the
> "tr" field in that private key format is not accurate (see above).
>
> Cheers,
> - markku
>
> Dr. Markku-Juhani O. Saarinen
> Staff Cryptography Architect
> PQShield Ltd
>
>
>
> M:             +44 0 7548 620723
>
> E:              mjos@pqshield.com
> W:             www.pqshield.com
>
>
>>
>> On behalf of the LAMPS WG Chairs,
>> Russ
>>
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
>>
>
> _______________________________________________
> Spasm mailing listSpasm@ietf.orghttps://www.ietf.org/mailman/listinfo/spasm
>
>
> --
> Simon Guggi
> SIC - Software Engineer
> Phone: +43 (316) 873 - 5562
> SIC Homepage: https://jce.iaik.tugraz.at/
> IAIK Homepage: https://www.iaik.tugraz.at/
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.36.0 | Report a Bug | By Email | System Status