Re: [lamps] I-D Action: draft-ietf-lamps-dilithium-certificates-03.txt
"Kampanakis, Panos" <kpanos@amazon.com> Thu, 29 February 2024 03:52 UTC
Return-Path: <prvs=78289516a=kpanos@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEBB4C14F73F; Wed, 28 Feb 2024 19:52:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.101
X-Spam-Level:
X-Spam-Status: No, score=-7.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A9oejDAqwPJW; Wed, 28 Feb 2024 19:51:59 -0800 (PST)
Received: from smtp-fw-52003.amazon.com (smtp-fw-52003.amazon.com [52.119.213.152]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73080C14F74A; Wed, 28 Feb 2024 19:51:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1709178720; x=1740714720; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=ml5U2yREBHUnwrLjfdSJquqiLwS8IHbEN3+npJpse3k=; b=ssVQFdk1EU3PzXtbNnN13U2b1nSrZpwmqySdpMwERMgWzwUSO+t32RH5 x9PqonBDLNIjnzoVg2Qoaxnnb2KnrMWOLcDo3yORm8EvOVA7XeEMt6XUG 2WtAKpLc0GRFJ4bztIqkJrId62v7MaFzFNW8Avmdn0F4xaDhpRHV7bsPW o=;
X-IronPort-AV: E=Sophos;i="6.06,192,1705363200"; d="scan'208,217";a="641256785"
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-dilithium-certificates-03.txt
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.43.8.6]) by smtp-border-fw-52003.iad7.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Feb 2024 03:51:57 +0000
Received: from EX19MTAUWA002.ant.amazon.com [10.0.21.151:64888] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.5.207:2525] with esmtp (Farcaster) id cee92c7a-537a-4946-b015-81603a806cf9; Thu, 29 Feb 2024 03:51:56 +0000 (UTC)
X-Farcaster-Flow-ID: cee92c7a-537a-4946-b015-81603a806cf9
Received: from EX19D001ANA002.ant.amazon.com (10.37.240.136) by EX19MTAUWA002.ant.amazon.com (10.250.64.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Thu, 29 Feb 2024 03:51:56 +0000
Received: from EX19D001ANA001.ant.amazon.com (10.37.240.156) by EX19D001ANA002.ant.amazon.com (10.37.240.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.28; Thu, 29 Feb 2024 03:51:55 +0000
Received: from EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055]) by EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055%5]) with mapi id 15.02.1258.028; Thu, 29 Feb 2024 03:51:55 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
CC: "draft-ietf-lamps-dilithium-certificates@ietf.org" <draft-ietf-lamps-dilithium-certificates@ietf.org>
Thread-Index: AQHaapEFOc9peFd+gUS7NQqmbrPAcrEgrK/w
Date: Thu, 29 Feb 2024 03:51:55 +0000
Message-ID: <0152f5099e694918955e97acf9005f09@amazon.com>
References: <GVXPR07MB96781119C659B4016F2B5F8E89582@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB96781119C659B4016F2B5F8E89582@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.37.240.172]
Content-Type: multipart/alternative; boundary="_000_0152f5099e694918955e97acf9005f09amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/EIZhxd_EP0VB4uuVGLlRNNhfamk>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-dilithium-certificates-03.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Feb 2024 03:52:05 -0000
Thanks John. We are tracking your suggestions in git issue https://github.com/lamps-wg/dilithium-certificates/issues/12 We will fix them in the next iteration. Regarding SLH-DSA in X.509, https://datatracker.ietf.org/doc/draft-gazdag-x509-slhdsa/ was recently spun off from draft-gazdag-x509-hash-sigs, so it should cover it. +1 about PQ HPKE vs ECIES. We had written a paper exploring it in https://ia.cr/2022/414 and Bas has https://datatracker.ietf.org/doc/draft-westerbaan-cfrg-hpke-xyber768d00/ which combines x25519 with Kyber768. I think it is based on X-Wing. Personally, I would stir the Kyber768 ciphertext in the KDF in order to have a more straightforward path to CCA2 security, but regardless, it is PQ HPKE. From: Spasm <spasm-bounces@ietf.org> On Behalf Of John Mattsson Sent: Wednesday, February 28, 2024 5:02 PM To: spasm@ietf.org Subject: RE: [EXTERNAL] [lamps] I-D Action: draft-ietf-lamps-dilithium-certificates-03.txt CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Review of draft-ietf-lamps-dilithium-certificates-03 Hi, I am very supportive of this work. I hope it will be published soon after FIPS 204 (ML-DSA) is published. Let me know if I can help. Ericsson plans to make sure that 5G introduces ML-DSA and ML-KEM everywhere public key cryptography is used. 5G uses IETF protocols for almost all public key cryptography, the exception is IMSI encryption, which uses ECIES specified by SECG. Quantum-resistant IMSI encryption will likely use HPKE. - I would very much like to see a similar draft as this for SLH-DSA published shortly after NIST published FIPS 205. - In addition to Certificates and CRLs, 5G uses the following RFC 2986, 4210, 6090. Can we make sure that this document works with RFC 2986, 4210, and 6960 as well? Maybe it already does, then it should be good to mention that. - Would be good if the document started referring to Draft FIPS 204, so that the final update is just a reference update. Right now thing like the names ML-DSA-44, ML-DSA-65, ML-DSA-87, and "security categories 2, 3 and 5" do not have any reference to NIST. - "It describes the encoding of digital signatures and public keys generated with quantum-resistant signature algorithm ML-DSA." The keys are not generated with ML-DSA maybe "encoding of public keys and digital signatures generated with" - "copmatible" -> "compatible" - "The signatureValue field contains the corresponding ML-DSA signature computed upon the ASN.1 DER encoded tbsCertificate [RFC5280<https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-03.html#RFC5280>]." This is only true for certificates. In certificate lists it is calculated over tbsCertList. -"The public parameters for ML-DSA are based upon a polynomial ring R_q for prime q. A (k*l) public matrix A is produced, consisting of polynomials whose coefficients are sampled uniformly at random from the integers modulo q. This sampling is performed by expanding a nonce (rho) using an XOF." I think this could be removed. This document can just refer to FIPS 204. - "k+l)*ceiling(log(2*eta+1))+13*k]" |=======+=======+=====+========+========+========| | Level | (k,l) | eta | Sig. | Public | Private| | | | | (B) | Key(B) | Key(B) | |=======+=======+=====+========+========+========| | 2 | (4,4) | 2 | 2420 | 1312 | 2528 | | 3 | (6,5) | 4 | 3293 | 1952 | 4000 | | 5 | (8,7) | 2 | 4595 | 2592 | 4864 | |=======+=======+=====+========+========+========| I think it is preferable to remove the formula and eta. People are not expected to make their own ML-DSA variants. I think the information in the table should be only: ML-DSA-44 | 2 | 2420 | 1312 | 2528 | ML-DSA-65 | 3 | 3293 | 1952 | 4000 | ML-DSA-87 | 5 | 4595 | 2592 | 4864 | - "modeled under existentially unforgeable digital signatures with respect to an adaptive chosen message attack (EUF-CMA)." ML-DSA is designed to be strongly existentially unforgeable under chosen message attack (SUF-CMA) i.e., it is expected that even if an adversary can get the honest party to sign arbitrary messages, the adversary cannot create any additional valid signatures based on the signer's public key, including on messages for which the signer has already provided a signature). This property is not provided by classical signature schemes such as ECDSA Cheers, John Preuß Mattsson
- [lamps] I-D Action: draft-ietf-lamps-dilithium-ce… internet-drafts
- Re: [lamps] I-D Action: draft-ietf-lamps-dilithiu… John Mattsson
- Re: [lamps] I-D Action: draft-ietf-lamps-dilithiu… Kampanakis, Panos
- Re: [lamps] I-D Action: draft-ietf-lamps-dilithiu… Bas Westerbaan