Re: [lamps] WG Action: Rechartered Limited Additional Mechanisms for PKIX and SMIME (lamps)
Dieter Bratko <Dieter.Bratko@iaik.tugraz.at> Wed, 09 June 2021 09:52 UTC
Return-Path: <dieter.bratko@iaik.tugraz.at>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F208F3A1908 for <spasm@ietfa.amsl.com>; Wed, 9 Jun 2021 02:52:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.295
X-Spam-Level:
X-Spam-Status: No, score=-4.295 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tugraz.at
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q_K3nOQTGNqJ for <spasm@ietfa.amsl.com>; Wed, 9 Jun 2021 02:52:03 -0700 (PDT)
Received: from orelay.tugraz.at (orelay.tugraz.at [129.27.2.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64F893A1888 for <spasm@ietf.org>; Wed, 9 Jun 2021 02:52:02 -0700 (PDT)
Received: from mx01.iaik.tugraz.at (nat-hiding.iaik.tugraz.at [129.27.152.126]) by mrelayout.tugraz.at (Postfix) with ESMTPSA id 4G0Mp46QZmz8qmd; Wed, 9 Jun 2021 11:51:56 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mrelayout.tugraz.at 4G0Mp46QZmz8qmd
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugraz.at; s=mailrelay; t=1623232317; bh=HErYNMClcBfmc5Hix9VSea8vSS9ocTOPKl0SJdrZO3c=; h=Subject:To:References:From:CC:Date:In-Reply-To:From; b=O9BbbO/ph5JwlJbcA/w0WBJ3x1jnqzLtGTXf3bf197AmYaRptDs3ry7avr3jg8LEB 5RGvZOAITUe5henW79ZGA9f/X0jw7GR/tVlbmvdkvrz4nG35e4x+eqJPWzZCwXg2OE EhQw+VWz95D2263wqfiSj9yYaXkVrlm9GvnbrOfs=
Received: from [10.0.0.1] (217.149.163.153) by srvEXMBD2.iaik.tugraz.at (10.27.152.6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.12; Wed, 9 Jun 2021 11:51:56 +0200
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Ludovic Perret <ludovic.perret@cryptonext-security.com>, "spasm@ietf.org" <spasm@ietf.org>
References: <162197839888.7001.14038013572109016245@ietfa.amsl.com> <em1cc0ae3e-147b-4e9b-a7e1-ea78e82c1a7d@desktop-8g465ua> <CH0PR11MB5739DCEDF80918186DF5F5729F379@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Dieter Bratko <Dieter.Bratko@iaik.tugraz.at>
CC: Franco Nieddu <franco.nieddu@iaik.tugraz.at>, Simon Guggi <simon.guggi@iaik.tugraz.at>
Message-ID: <3633b97a-f70c-6b33-ea53-ff9cff4b5e10@iaik.tugraz.at>
Date: Wed, 09 Jun 2021 11:51:55 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <CH0PR11MB5739DCEDF80918186DF5F5729F379@CH0PR11MB5739.namprd11.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------C8E748F4D39306F7D3ABCECD"
X-Originating-IP: [217.149.163.153]
X-ClientProxiedBy: srvEXEDGE1.iaik.tugraz.at (129.27.152.212) To srvEXMBD2.iaik.tugraz.at (10.27.152.6)
X-TM-AS-Product-Ver: SMEX-14.0.0.3080-8.6.1012-26184.003
X-TM-AS-Result: No-10--6.346600-4.000000
X-TMASE-MatchedRID: 0+daXaNUWRU4HKI/yaqRm3V7tdtvoiba4OB3iDG6iklSMKT1gdNFdl2d sxCRbuoBjR7M9OAF3B4C3U6IhW4BegAiqNgvtX7AIVybEvvop47g02I3oyGU8JaSFUyM7s8kP/b UDB8FrMQiwaT/WWQizJXBiw7NP4CJrVRnwv1YxAfece0aRiX9WvmXzp/t9r6w3FJULPGBSs7SdY mBzD8gM7RetJN7cJRZqQUFOL0tEEH7bklTHFVB70jBb8q+S/OC3WFaxVW7M2j22R14ijZDjDde1 8J/6zdzD/zIqLJmZ+R444Vp3HAhxFGkPFPB4CMJc7NKwtVBYz0iJN3aXuV/oVOr/+udyw1Z5OFm U1QeGGeKbJjRgBP8qTI0KhkyB8ZLbm740T0C0t7IJ4SICnnphuci+V4Pc5BOU1tzTgJwKWUFNR0 P+eINImlEewrbX3QnXe5nypMgnpY25XOhnouJ5Qi0LLplf+UvqwU71dzr0StP0rL0CMv7cjojJH 9oiMoVNTcc+FGtHL13ZVcbJy0H7vCDFvXZFmYyYrc32n84WHoWmcHo0eQZf4qxMBrs575iLFlXZ d2HA7CdfbUqhtxNN68kzL3Kx6B5VY78k/m9Ad3kGAR1SqoA1EWXj/zo+GllAhn751acftvz0/3X Dt7kSV5MyqobPoe0myiLZetSf8my5/tFZu9S3JliLZn/uXCC73L+X3f/F1NKdDgyPBo71zaIE0Z B4oHcFHjNjfZpqNDVhNEnDZgUkTVv4FwFu8+dD1IUUTWx4w7E/zIEzxl9jDBpMUhzUwisq48BGG 0v001XzANQ1tn3CMUDbDdCTuuTk+nfxz9QeEgQ2Evu5rLcPHlz5A4rBg3NY5rJ9WsyYsV9TXHS9 TAbLbWQktQLJW4jdxk6B03nUEXBFWeTfmaNHHEKslWisZRlwL6SxPpr1/I=
X-TM-AS-User-Approved-Sender: Yes
X-TM-AS-User-Blocked-Sender: No
X-TMASE-Result: 10--6.346600-4.000000
X-TMASE-Version: SMEX-14.0.0.3080-8.6.1012-26184.003
X-TM-SNTS-SMTP: ED45E6CD8F265A5BB3630C2CAF7DFDAFE87D186EC7DE9490BAB2D86A6019D0792002:9
X-TUG-Backscatter-control: biYb0C0m31NH2O/F2I9vDw
X-Spam-Scanner: SpamAssassin 3.003001
X-Spam-Score-relay: -1.9
X-Scanned-By: MIMEDefang 2.74 on 129.27.10.116
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/LBRccaEi5DDjtdreJAnIw7nSIn4>
Subject: Re: [lamps] WG Action: Rechartered Limited Additional Mechanisms for PKIX and SMIME (lamps)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2021 09:52:09 -0000
Hello, > As for defining algorithmID OIDs, parameters, etc for Sphincs+, Falcon, > Dilithium, Kyber, etc, I haven't seen any drafts yet. A while ago Scott Fluhrer has posted a hint to an industry draft (https://docs.google.com/document/d/19XfdzkVdHS69rqin-XV72Cn2FjrpEbiyERg7F1lKIVs/edit?usp=sharing <https://docs.google.com/document/d/19XfdzkVdHS69rqin-XV72Cn2FjrpEbiyERg7F1lKIVs/edit?usp=sharing>) on this list, and we wanted to suggest an alternative apporach: The industry draft specifies one algorithm id for each parameter set. These ids are used as key and signature/kem algorithm ids, too. Taking the Dilithium signature algorithm as example the draft specifies three ids (with the algorithm name as optional parameter): dilithium-4x4-r3 (1.3.6.1.4.1.2.267.7.4.4) for the security-level 2 parameter set, dilithium-6x5-r3 (1.3.6.1.4.1.2.267.7.6.5) for the security-level 3 parameter set, and dilithium-8x7-r3 (1.3.6.1.4.1.2.267.7.8.7) for the security-level 5 parameter set, each of them used as key and signature algorihtm id, too. If there is no absolute requirement to bound the parameter set to the signature/kem algorithm, too, we would like to propose an alternative approach for defining the algorithm/parameter ids. The approach is leant on the parameter/algorithm id specification used by Elliptic Curve Cryptography. EC uses separate ids for keys and (e.g. signature) algorithms, and the curve (and thus parameter set) is propageted as parameter of the key algorithm id. For the Dilithium example this could be done by keeping the three parameter (example) ids dilithium-4x4-r3 (1.3.6.1.4.1.2.267.7.4.4), dilithium-6x5-r3 (1.3.6.1.4.1.2.267.7.6.5), dilithium-8x7-r3 (1.3.6.1.4.1.2.267.7.8.7) and defining two additional ids, one for the key algorithm (e.g. 1.3.6.1.4.1.2.267.7.1) and one for the signature algorithm (e.g. 1.3.6.1.4.1.2.267.7.2) for Dilithium (or Shake256withDilithium -- to be open for alternative XOFs). The parameter field of the key algorithm id must contain the id of the corresponding parameter set: AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, -- OID: key algorithm parameters PQParameterSet } PQParameterSet ::= OBJECT IDENTIFIER The encoding of the signature (or kem) algorithm id by default should omit the parameter field, except for if the specific signature (or kem) algorithm id may have to carry some additional information. For Dilithium, e.g., the parameter field could be used to tell the verifier whether the signer has used AES (instead of SHAKE) to expand the public matrix. We think that this approach would be more convenient to implement and use. McEliece, for instance, defines ten parameter sets. Typically an user will have only one McEliece key(pair) which (in the EC-style approach) (s)he could use with the McEliece KEM (or. Shake256McEliece) algorithm id, regardless of which parameter-set is bound to the key. In the current (industry draft) approach the user would have to take care to select the right KEM algorithm ID among a set of ten KEM algorithm ids to ensure to use her/his, for instance, mceliece460896 key with the corresponding mceliece460896 KEM algorithm id. Regards, Dieter Bratko -------- Dieter Bratko mailto:Dieter.Bratko@iaik.tugraz.at <mailto:Dieter.Bratko@iaik.tugraz.at> SIC/IAIK – Graz University Of Technology, Inffeldgasse 16A, 8010 Graz, Austria, http://jce.iaik.tugraz.at <http://jce.iaik.tugraz.at> On 08.06.2021 at 23:57 Mike Ounsworth wrote: > As for defining algorithmID OIDs, parameters, etc for Sphincs+, Falcon, Dilithium, Kyber, etc, I haven't seen any drafts yet.
- [lamps] WG Action: Rechartered Limited Additional… The IESG
- Re: [lamps] WG Action: Rechartered Limited Additi… Ludovic Perret
- Re: [lamps] WG Action: Rechartered Limited Additi… Mike Ounsworth
- Re: [lamps] WG Action: Rechartered Limited Additi… Dieter Bratko
- Re: [lamps] WG Action: Rechartered Limited Additi… Ryan Sleevi