Re: [lamps] I-D Action: draft-ietf-lamps-dilithium-certificates-03.txt
Bas Westerbaan <bas@westerbaan.name> Tue, 05 March 2024 02:16 UTC
Return-Path: <bas@westerbaan.name>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F1D7C180B6F; Mon, 4 Mar 2024 18:16:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=westerbaan.name
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E1lfYA_AOYMY; Mon, 4 Mar 2024 18:16:28 -0800 (PST)
Received: from vinnana.westerbaan.name (westerbaan.name [95.217.81.216]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7F74C180B6A; Mon, 4 Mar 2024 18:16:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=westerbaan.name; s=2014; t=1709604980; bh=bhoJKQAXvhvOEzWG4zOW6KnF4OPwU3tMkaK1zUMWCPA=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=CVGtgz8v2TWds2kNz9Aasl8+i6AHtX1VqIJtjJQdbaJm1zYz5517zjSZx90SzgaZ0 0GksQnJlC+fARH5zgR3Q+OocOU5hpguyR3AqG6kHY9akMv4VRbOJyZLG7qaPuyLVb/ +ek3FcyGKPlfqlieZsZEseMC8gAb79aAiIwrc7LI=
Received: from smtpclient.apple (59-120-6-153.hinet-ip.hinet.net [59.120.6.153]) by vinnana.westerbaan.name (Postfix) with ESMTPSA id 9FCCB3E4D4B; Tue, 5 Mar 2024 03:16:18 +0100 (CET)
From: Bas Westerbaan <bas@westerbaan.name>
Message-Id: <F9D522DA-CEC6-4657-8953-0E5F32EBC597@westerbaan.name>
Content-Type: multipart/alternative; boundary="Apple-Mail=_32D282FC-10A4-4E64-8E67-083415ED214F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Tue, 05 Mar 2024 10:16:06 +0800
In-Reply-To: <0152f5099e694918955e97acf9005f09@amazon.com>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "draft-ietf-lamps-dilithium-certificates@ietf.org" <draft-ietf-lamps-dilithium-certificates@ietf.org>
To: "Kampanakis, Panos" <kpanos@amazon.com>
References: <GVXPR07MB96781119C659B4016F2B5F8E89582@GVXPR07MB9678.eurprd07.prod.outlook.com> <0152f5099e694918955e97acf9005f09@amazon.com>
X-Mailer: Apple Mail (2.3774.400.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/C8ojrDGOhnb_Ip3Vs0ogPlbfwgE>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-dilithium-certificates-03.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 02:16:32 -0000
> On 29 Feb 2024, at 11:51, Kampanakis, Panos <kpanos@amazon.com> wrote: > > Thanks John. > > We are tracking your suggestions in git issuehttps://github.com/lamps-wg/dilithium-certificates/issues/12 We will fix them in the next iteration. > > Regarding SLH-DSA in X.509, https://datatracker.ietf.org/doc/draft-gazdag-x509-slhdsa/ was recently spun off from draft-gazdag-x509-hash-sigs, so it should cover it. > > +1 about PQ HPKE vs ECIES. We had written a paper exploring it inhttps://ia.cr/2022/414 and Bas has https://datatracker.ietf.org/doc/draft-westerbaan-cfrg-hpke-xyber768d00/ which combines x25519 with Kyber768. I think it is based on X-Wing. Personally, I would stir the Kyber768 ciphertext in the KDF in order to have a more straightforward path to CCA2 security, but regardless, it is PQ HPKE. The draft you linked predates X-Wing and does mix in the Kyber ciphertext (but uses round 3 Kyber.) Best, Bas > > > > From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of John Mattsson > Sent: Wednesday, February 28, 2024 5:02 PM > To: spasm@ietf.org <mailto:spasm@ietf.org> > Subject: RE: [EXTERNAL] [lamps] I-D Action: draft-ietf-lamps-dilithium-certificates-03.txt > > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > Review of draft-ietf-lamps-dilithium-certificates-03 > > Hi, > > I am very supportive of this work. I hope it will be published soon after FIPS 204 (ML-DSA) is published. Let me know if I can help. Ericsson plans to make sure that 5G introduces ML-DSA and ML-KEM everywhere public key cryptography is used. 5G uses IETF protocols for almost all public key cryptography, the exception is IMSI encryption, which uses ECIES specified by SECG. Quantum-resistant IMSI encryption will likely use HPKE. > > - I would very much like to see a similar draft as this for SLH-DSA published shortly after NIST published FIPS 205. > > - In addition to Certificates and CRLs, 5G uses the following RFC 2986, 4210, 6090. > Can we make sure that this document works with RFC 2986, 4210, and 6960 as well? Maybe it already does, then it should be good to mention that. > > - Would be good if the document started referring to Draft FIPS 204, so that the final update is just a reference update. Right now thing like the names ML-DSA-44, ML-DSA-65, ML-DSA-87, and "security categories 2, 3 and 5" do not have any reference to NIST. > > - "It describes the encoding of digital signatures and public keys generated with quantum-resistant signature algorithm ML-DSA." > > The keys are not generated with ML-DSA maybe "encoding of public keys and digital signatures generated with" > > - "copmatible" -> "compatible" > > - “The signatureValue field contains the corresponding ML-DSA signature computed upon the ASN.1 DER encoded tbsCertificate [RFC5280 <https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-03.html#RFC5280>].” > > This is only true for certificates. In certificate lists it is calculated over tbsCertList. > > -“The public parameters for ML-DSA are based upon a polynomial ring R_q for prime q. A (k*l) public matrix A is produced, consisting of polynomials whose coefficients are sampled uniformly at random from the integers modulo q. This sampling is performed by expanding a nonce (rho) using an XOF.” > > I think this could be removed. This document can just refer to FIPS 204. > > - “k+l)*ceiling(log(2*eta+1))+13*k]” > |=======+=======+=====+========+========+========| > | Level | (k,l) | eta | Sig. | Public | Private| > | | | | (B) | Key(B) | Key(B) | > |=======+=======+=====+========+========+========| > | 2 | (4,4) | 2 | 2420 | 1312 | 2528 | > | 3 | (6,5) | 4 | 3293 | 1952 | 4000 | > | 5 | (8,7) | 2 | 4595 | 2592 | 4864 | > |=======+=======+=====+========+========+========| > > I think it is preferable to remove the formula and eta. People are not expected to make their own ML-DSA variants. I think the information in the table should be only: > > ML-DSA-44 | 2 | 2420 | 1312 | 2528 | > ML-DSA-65 | 3 | 3293 | 1952 | 4000 | > ML-DSA-87 | 5 | 4595 | 2592 | 4864 | > > - “modeled under existentially unforgeable digital signatures with respect to an adaptive chosen message attack (EUF-CMA).” > > ML-DSA is designed to be strongly existentially unforgeable under chosen message attack (SUF-CMA) i.e., it is expected that even if an adversary can get the honest party to sign arbitrary messages, the adversary cannot create any additional valid signatures based on the signer’s public key, including on messages for which the signer has already provided a signature). This property is not provided by classical signature schemes such as ECDSA > > Cheers, > John Preuß Mattsson
- [lamps] I-D Action: draft-ietf-lamps-dilithium-ce… internet-drafts
- Re: [lamps] I-D Action: draft-ietf-lamps-dilithiu… John Mattsson
- Re: [lamps] I-D Action: draft-ietf-lamps-dilithiu… Kampanakis, Panos
- Re: [lamps] I-D Action: draft-ietf-lamps-dilithiu… Bas Westerbaan