Re: [lamps] Multiple drafts with PQ algorithm key encodings that are not compatible.
"Markku-Juhani O. Saarinen" <mjos@pqshield.com> Thu, 29 September 2022 17:25 UTC
Return-Path: <mjos@pqshield.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE711C14F724 for <spasm@ietfa.amsl.com>; Thu, 29 Sep 2022 10:25:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pqshield-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id elSvYShS2sD3 for <spasm@ietfa.amsl.com>; Thu, 29 Sep 2022 10:25:51 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1147C14CE2E for <spasm@ietf.org>; Thu, 29 Sep 2022 10:25:50 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id s14so2385439ybe.7 for <spasm@ietf.org>; Thu, 29 Sep 2022 10:25:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pqshield-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=8YdJzhwDb8d9ULF8/HtGUqrO2SRhCdJJqA08GVU2CmQ=; b=YUUXn+nMt5c3r/chV0qaB91rksOL2iB3Pks31COduC7LHXJ8sioo0VswbXf297lW+m zIaikDUhe9aXSBRbDPYv+2AxmTkNfxrGzU4frZwmfFcC6Sis3J6CYhJmVkqYSMQ3ywW9 8fycr5tLtLXPhbKrYL3/KUU4opsBihs/BiRfsp71ew18q6fwv7k775us2KiJhq5VBpcd 1Vtt1CYLEPrfpOhdxBjZtCzrQr+uMUYh8PF33lAGqIuejqWSSRZSnPIjYg62UbXIiztY vXEcapdD/08U/FWWPe43eoNDtkwcuoQObK4NErUV9Mqqx3SxawiWyeS2q38AymnKAQT5 II5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=8YdJzhwDb8d9ULF8/HtGUqrO2SRhCdJJqA08GVU2CmQ=; b=DX5gM1Xn4cADG3nsyP2eEOu68PnHX0s7I8LZJRRTmP+OxscwEHD+ztI1rBPfhUTMiH n890wDUc8SEq++/zw0eE5UEzsGHNE3XHVspaioJPkf8e8ixwTqpkmJHtxN11rwz4/f/Y vpn1uMqtl5+5oi320UYLYe5Cn9VA8GMB+ns2MKhDwKemilnAF1YcjP/uX+xf7J2yVLuQ LJIeFe7hFH4SPsTal9PRF7xWCAxcwKKhYs4UYb+auOUs6sg5j3YGHs5MAWsi4Sb08Pxh sxP82U9c9kuQjSYSqjN7Nin78HZe1jmGseQ7K5KbVCkDJsQ9kU7sD3nEGyJw6t3Z0rZv i2wQ==
X-Gm-Message-State: ACrzQf0z3zjihTKhzWarHq91u2BW7lP3lOy4QcONfdqshUb9U5sghezM xtElKsNHVWRHor3BUJO23rNobpq3DJdrm+2x/cocRQ==
X-Google-Smtp-Source: AMsMyM6Fnq5gu89LSdvUko0uJ7QPiSijI3DRdhQpupEXWD+EOhOW16K0sGZJXMJQrKf1OkUmXOhcdsY2dvNMBTJooIc=
X-Received: by 2002:a25:7a01:0:b0:6b0:820:dd44 with SMTP id v1-20020a257a01000000b006b00820dd44mr4022248ybc.387.1664472349816; Thu, 29 Sep 2022 10:25:49 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR11MB25852643FB14014E92A5CFE1EA549@DM6PR11MB2585.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB25852643FB14014E92A5CFE1EA549@DM6PR11MB2585.namprd11.prod.outlook.com>
From: "Markku-Juhani O. Saarinen" <mjos@pqshield.com>
Date: Thu, 29 Sep 2022 18:25:38 +0100
Message-ID: <CAPwdP4M74afMngjdus_y6SHkuK4cJ_i3GgsQwzF2+sC10kRKdg@mail.gmail.com>
To: John Gray <John.Gray=40entrust.com@dmarc.ietf.org>
Cc: "pqc@ietf.org" <pqc@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>, "Massimo, Jake" <jakemas@amazon.com>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, Sean Turner <sean@sn3rd.com>, "bas@westerbaan.name" <bas@westerbaan.name>, "cvvrede@gmail.com" <cvvrede@gmail.com>, "sid@zurich.ibm.com" <sid@zurich.ibm.com>, "bhe@zurich.ibm.com" <bhe@zurich.ibm.com>, "tvi@zurich.ibm.com" <tvi@zurich.ibm.com>, "osb@zurich.ibm.com" <osb@zurich.ibm.com>, "dieter.bong@utimaco.com" <dieter.bong@utimaco.com>, "joppe.bos@nxp.com" <joppe.bos@nxp.com>
Content-Type: multipart/alternative; boundary="00000000000026508805e9d42b15"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/LiWdwXMzH7hgRGsz0UYW7ZpWNpI>
X-Mailman-Approved-At: Thu, 29 Sep 2022 11:53:39 -0700
Subject: Re: [lamps] Multiple drafts with PQ algorithm key encodings that are not compatible.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2022 17:25:55 -0000
On Thu, Sep 29, 2022 at 2:51 PM John Gray <John.Gray= 40entrust.com@dmarc.ietf.org> wrote: > We are doing some interoperability testing with different vendors using > the new Dilithium, Falcon and SPHINCS+ algorithms. We have come across at > least two drafts which are trying to specify the ASN.1 encoding formats for > these algorithms. However, the encoding formats are not compatible with > each other. I imagine the authors of these drafts should get together and > come up with a common format (I have copied them on this email). This > means we must choose one or the other, or even worse, support multiple > formats (which can lead to bugs). Initially I started more than a year > ago using my own encoding format for internal prototyping, but now need to > interoperate with others outside of our organization, so a common format is > definitely needed at this point. 😊 > Indeed it is remarkable that various people have been trying to create "exploded" ASN.1 encodings for Dilithium keys, none of which are compatible with each other, *or the actual Dilithium specification, reference implementation, and the test vectors*. Section 5.4 of the specification defines it as a concatenated byte sequence, or as a 32-byte seed value. For ASN.1 these can be naturally expressed as a simple OCTET STRING. https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf *"Secret key. The secret key contains ρ, K , tr, s1 , s2 and t0 and is also stored as theconcatenation of the bit-packed representation of these quantities in the given order.Consequently, a secret key requires 32 + 32 + 32 + 32((k + `) · dlog(2η + 1)e + 13k) bytes.As mentioned previously, the signer also has the option of simply storing the 32-byte valueζ and then simply re-deriving all the other elements of the secret key."* The public key is similarly defined. There is no practical advantage of exploding it into individual components -- repacking would always be needed for both signing and signature verification. Best Regards, - markku Dr. Markku-Juhani O. Saarinen Staff Cryptography Architect PQShield Ltd M: +44 0 7548 620723 E: mjos@pqshield.com W: www.pqshield.com > > > We fully realize the OID values will be changing once official OIDs are > registered, (changing those are trivial), but the ASN.1 formats of the > public and private keys is kind of important as well… 😊 > > > For example: > > > > The LAMPS group has a specification of Dilithium public keys in this draft: > > https://datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/ > > > > the public key format is this: > > > > The Dilithium public key MUST be encoded using the ASN.1 type > > DilithiumPublicKey: > > > > DilithiumPublicKey ::= OCTET STRING > > > > The private key format is this: > > > > DilithiumPrivateKey ::= SEQUENCE { > > rho BIT STRING, - nonce/seed > > K BIT STRING, - key/seed > > tr BIT STRING, - PRF bytes (CRH in spec.) > > s1 BIT STRING, - vector l > > s2 BIT STRING, - vector k > > t0 BIT STRING, - encoded vector > > PublicKey IMPLICIT DilithiumPublicKey OPTIONAL > > } > > > > > > In this draft: > > https://datatracker.ietf.org/doc/draft-uni-qsckeys/01/ > > > > Dilithium keys have this encoding: > > > > > > DilithiumPublicKey ::= SEQUENCE { > > rho OCTET STRING, > > t1 OCTET STRING > > } > > > > > > DilithiumPrivateKey ::= SEQUENCE { > > version INTEGER {v0(0)} -- version (round 3) > > nonce BIT STRING, -- rho > > key BIT STRING, -- key/seed/D > > tr BIT STRING, -- PRF bytes (CRH in spec) > > s1 BIT STRING, -- vector(L) > > s2 BIT STRING, -- vector(K) > > t0 BIT STRING, > > publicKey [0] IMPLICIT DilithiumPublicKey OPTIONAL > > -- see next section > > } > > > > The draft-uni-qsckeys does not cover SPHINCS+, it does cover Falcon, but > I don’t know of another draft that specifies Falcon. > > > > There are also encodings for Kyber mentioned in two documents that I see. > There is an early > https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/ > draft which mentions it is up to the document defining Kyber to give more > details. In the draft-uni-qsckeys draft it is more specific. > > > > https://datatracker.ietf.org/doc/draft-uni-qsckeys/01/ > > > > KyberPrivateKey ::= SEQUENCE { > > version INTEGER {v0(0)} -- version (round 3) > > s OCTET STRING, -- sample s > > publicKey [0] IMPLICIT KyberPublicKey OPTIONAL, > > -- see next section > > hpk OCTET STRING -- H(pk) > > nonce OCTET STRING, -- z > > } > > > > Partial public key encoding: > > > > KyberPrivateKey ::= SEQUENCE { > > version INTEGER {v0(0)} -- version (round 3) > > s OCTET STRING, -- EMPTY > > publicKey [0] IMPLICIT KyberPublicKey OPTIONAL, > > -- see next section > > hpk OCTET STRING -- EMPTY > > nonce OCTET STRING, -- d > > } > > > > Full public key encoding: > > > > KyberPublicKey ::= SEQUENCE { > > t OCTET STRING, > > rho OCTET STRING > > } > > > > Is https://datatracker.ietf.org/doc/draft-uni-qsckeys/01/ meant to become > the document that defines the key formats for all the PQ keys that will be > standardized? If not, then it should probably just refer to whatever > documents will define the formats so that we can at least agree on one > common format for the PQ keys. > > > > > > Cheers, > > > > John Gray > > Entrust > *Any email and files/attachments transmitted with it are confidential and > are intended solely for the use of the individual or entity to whom they > are addressed. If this message has been sent to you in error, you must not > copy, distribute or disclose of the information it contains. Please notify > Entrust immediately and delete the message from your system.* > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] Multiple drafts with PQ algorithm key enc… John Gray
- Re: [lamps] [EXTERNAL] [Pqc] Multiple drafts with… Mike Ounsworth
- Re: [lamps] [Pqc] Multiple drafts with PQ algorit… Massimo, Jake
- Re: [lamps] [Pqc] Multiple drafts with PQ algorit… Bas Westerbaan
- Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts … Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts … Christine Cloostermans
- Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts … Mike Ounsworth
- Re: [lamps] Multiple drafts with PQ algorithm key… Russ Housley
- Re: [lamps] Multiple drafts with PQ algorithm key… Tim Hollebeek
- Re: [lamps] Multiple drafts with PQ algorithm key… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Multiple drafts with PQ algorithm key… Russ Housley
- Re: [lamps] Multiple drafts with PQ algorithm key… Tim Hollebeek
- Re: [lamps] Multiple drafts with PQ algorithm key… Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] [EXTERNAL] Re: [Pqc] Multiple drafts … Christine Cloostermans
- Re: [lamps] Multiple drafts with PQ algorithm key… Markku-Juhani O. Saarinen
- Re: [lamps] [EXTERNAL] Re: Multiple drafts with P… John Gray
- Re: [lamps] Multiple drafts with PQ algorithm key… Kampanakis, Panos
- Re: [lamps] Multiple drafts with PQ algorithm key… Mike Ounsworth
- Re: [lamps] Multiple drafts with PQ algorithm key… Kris Kwiatkowski
- Re: [lamps] [EXTERNAL] Re: Multiple drafts with P… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: Multiple drafts with P… Tomas Gustavsson
- Re: [lamps] [Pqc] Multiple drafts with PQ algorit… Dieter Bratko