[lamps] Re: [EXT] Re: Seed as private key for ML-DSA and ML-KEM
Sophie Schmieg <sschmieg@google.com> Wed, 21 August 2024 16:58 UTC
Return-Path: <sschmieg@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6516BC151096 for <spasm@ietfa.amsl.com>; Wed, 21 Aug 2024 09:58:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.608
X-Spam-Level:
X-Spam-Status: No, score=-17.608 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4FpLXNV6qesC for <spasm@ietfa.amsl.com>; Wed, 21 Aug 2024 09:58:46 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F6E1C14CF18 for <spasm@ietf.org>; Wed, 21 Aug 2024 09:58:46 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id d75a77b69052e-44fee2bfd28so6071cf.1 for <spasm@ietf.org>; Wed, 21 Aug 2024 09:58:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1724259525; x=1724864325; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DhP/DYh5ovKddEWy3k8jIGvRbOuGn/qRLmlD+m8Rv7U=; b=nb9iIb0bljudvuP1qCBLvZaCwPlzWarDZBWbCVy4pvuflKeDga8izCp/nFebjOutkt 5FW0ECi/L3CBJAuF2YQvDYEtT8Oh8xJcYw/UzK4X/NndQbTttK7Z8DMStXP7U0b3ujwF aYSM03bmmgGlVIU4nT1mwYOrMZBA67nqLMTgyR2Dd1TJZoZBh++DuXflqNMTGPD6HAnt 0rYswFgj3zB6AtYx8BRC8bIskVv/TKPVbPV97JtJLI1APND0o+ZxAY4WEMcxsT+GSyIi 9tY6NF20rv+qp+nVyjWIxyh1LW5HBDfRzmUY4xAmJ1I04+GencHKvalg5l3Rz7VxsVXM +CHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724259525; x=1724864325; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DhP/DYh5ovKddEWy3k8jIGvRbOuGn/qRLmlD+m8Rv7U=; b=TqzyuEOnOulTL3IKO2DK82fvr6xhXEDReB2OXXYwqrAdfggkjRO9uJ+/tjyaJR60PX sc3rzNXUaoQBd0P/vzix0amQj7y4wRkbo6G84Z074wKO3FHSgxnVd04uyASp+isWV0tB CQcIFr9UwVIz85lgywPkovUqizLl9BEsXhUOp5CLBzhTX9qJ5zODjpPEHwVu0VyQiyPy mo/Q2eBI9NoJftII/jjyGU4v+KXb6v6U2m4tRe5V278T7ShztLVgd1r1AfU+3gpux9lO lA6IoCoct9eeYNEEc6LoTIZbYDQZuLopy+bfMVN0RQ/ShYnR2Fxyqp62/rFO0bu7yMZj s4tQ==
X-Forwarded-Encrypted: i=1; AJvYcCVNYt7SUbOvu2IUpjIhy/OSEJkxG9JJuVxYRSmTcgKC3dgHvd2Uj6GgDBUz1KlmKFw9GQrECQ==@ietf.org
X-Gm-Message-State: AOJu0Yx4LsL9tHuJjn2BWj2Ujqn1jZ/0LFvGNn6Ua61q/wdVkoUjeV0m lmQ5C2Gfpqw39fDs8x+ZSDetk+7P9yYrSwBFFopWZqO0hFJ9o0blY8RZ1Bpkcn9MyG39lj5meGd x5+gqLZIZMRji1mDebiyJwyE5A/ypjtC0fCO82VRZSCr4aOaA0SHw8mI=
X-Google-Smtp-Source: AGHT+IEK6dACfblABt5F/y+TQwVVrt5neVGR8UhZGLQrMMFGqY/M6iZPdgzzwVrnjJCkBuhDbL/ZscS/HqA2AJ+TSzI=
X-Received: by 2002:a05:622a:5b8e:b0:453:5668:444e with SMTP id d75a77b69052e-454e69c45d7mr6660131cf.2.1724259524985; Wed, 21 Aug 2024 09:58:44 -0700 (PDT)
MIME-Version: 1.0
References: <AE5C0B7F-16E3-4829-966F-E4AA68F00BC6@vigilsec.com> <ABECBF09-EA31-4B99-885E-12C77244120E@ll.mit.edu>
In-Reply-To: <ABECBF09-EA31-4B99-885E-12C77244120E@ll.mit.edu>
From: Sophie Schmieg <sschmieg@google.com>
Date: Wed, 21 Aug 2024 09:58:31 -0700
Message-ID: <CAEEbLAbBhNcynsdtAS1GruiULTQQETwzJihTaohzC7S2Bb0b6w@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Content-Type: multipart/alternative; boundary="0000000000007d42d30620347464"
Message-ID-Hash: XXVP2VH7QCZ6JZNO7UFUMVJQXGV54YQ5
X-Message-ID-Hash: XXVP2VH7QCZ6JZNO7UFUMVJQXGV54YQ5
X-MailFrom: sschmieg@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Russ Housley <housley@vigilsec.com>, Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, LAMPS <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [lamps] Re: [EXT] Re: Seed as private key for ML-DSA and ML-KEM
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Ti60zudgPgmbBb2cmyTCFvtPjV4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>
I definitely prefer 4. Just using seeds simplifies things, and addresses misbinding issues, allowing us to sidestep any discussion of whether they are important or not. The half-expanded format for ML-KEM private keys is IMHO an artifact of the way microbenchmarks are defined, and do not align with realistic usage of ML-KEM, where the private key either is never serialized (ephemeral setting) or deserialized once and then used multiple times over the lifetime of a process, amortizing deserialization costs (static setting). On top of that, the half-expanded private key does not cache the most expensive operation of expanding the matrix anyways, so the performance difference is fairly marginal as is. Note that "always use seeds" does not imply that implementations cannot have their own expanded in-memory representation (in fact it all but requires that), and that by extension hardware implementation might also operate on an expanded representation of the key material, even if it is not strictly speaking in RAM. The seed is used for the serialized transport only. See also Fillipo's write-up: https://words.filippo.io/dispatches/ml-kem-seeds/#fnref5 On Wed, Aug 21, 2024 at 9:13 AM Blumenthal, Uri - 0553 - MITLL < uri@ll.mit.edu> wrote: > I prefer option 2, followed by option 4. > > Thanks > — > Regards, > Uri > > Secure Resilient Systems and Technologies > MIT Lincoln Laboratory > > > On Aug 21, 2024, at 12:02, Russ Housley <housley@vigilsec.com> wrote: > > > > !-------------------------------------------------------------------| > > This Message Is From an External Sender > > This message came from outside the Laboratory. > > |-------------------------------------------------------------------! > > > > Bas: > > > > I also prefer option 4. That is, always thranser as a seed, but allow > an implementation to internal store in whatever works best for them. > > > > Russ > > > >> On Aug 21, 2024, at 11:50 AM, Bas Westerbaan <bas= > 40cloudflare.com@dmarc.ietf.org> wrote: > >> > >> Hi all, > >> > >> NIST allows two formats in which private keys are stored ML-DSA and > ML-KEM. > >> > >> 1. Seed. 32 bytes for ML-DSA; 64 bytes for ML-KEM. > >> 2. Expanded private key. Multiple kilobytes depending on instance. > >> > >> An expanded private key is obtained from the seed by calling the > KeyGen_internal function. > >> > >> In contrast to RSA, key generation for these algorithms is very fast. > In fact, if you use spinning disks, then using a seed is probably faster > than the expanded private key. > >> > >> Another advantage is that we do not need to worry about private key > validation. NIST specified a few checks to perform, but there are more we > could do (eg. whether the decoded coefficients of \hat{s} are bounded.) > >> > >> Of course a big advantage is storage space: the seeds are much smaller. > >> > >> Now, how do we want to proceed? I see a few options. > >> > >> 1. Ignore the seed as private key. > >> > >> 2. Allow both seed and the expanded private key. > >> > >> 3. Assign separate algorithm for seed-as-private-key. > >> > >> 4. Switch to seed as private key only. > >> > >> I prefer 4, and would otherwise go for 1. > >> > >> The downside of 2 is that it adds complexity without the gain of > simplifying verification. If one only cares about size savings, then one > can use seed-as-private-key without needing a portable format for it. > >> > >> So I'd prefer 4 and 1 second. > >> > >> Best, > >> > >> Bas > >> _______________________________________________ > >> Spasm mailing list -- spasm@ietf.org > >> To unsubscribe send an email to spasm-leave@ietf.org > > > > _______________________________________________ > > Spasm mailing list -- spasm@ietf.org > > To unsubscribe send an email to spasm-leave@ietf.org > _______________________________________________ > Spasm mailing list -- spasm@ietf.org > To unsubscribe send an email to spasm-leave@ietf.org > -- Sophie Schmieg | Information Security Engineer | ISE Crypto | sschmieg@google.com
- [lamps] Seed as private key for ML-DSA and ML-KEM Bas Westerbaan
- [lamps] Re: Seed as private key for ML-DSA and ML… Russ Housley
- [lamps] Re: [EXT] Re: Seed as private key for ML-… Blumenthal, Uri - 0553 - MITLL
- [lamps] Re: [EXT] Re: Seed as private key for ML-… Sophie Schmieg
- [lamps] Re: Seed as private key for ML-DSA and ML… Deirdre Connolly
- [lamps] Re: Seed as private key for ML-DSA and ML… Phillip Hallam-Baker
- [lamps] Re: Seed as private key for ML-DSA and ML… David Benjamin
- [lamps] Re: Seed as private key for ML-DSA and ML… Phillip Hallam-Baker
- [lamps] Re: Seed as private key for ML-DSA and ML… Phillip Hallam-Baker
- [lamps] Re: Seed as private key for ML-DSA and ML… Sophie Schmieg
- [lamps] Re: Seed as private key for ML-DSA and ML… Sophie Schmieg
- [lamps] Re: Seed as private key for ML-DSA and ML… David Benjamin
- [lamps] Re: Seed as private key for ML-DSA and ML… David Benjamin
- [lamps] Re: Seed as private key for ML-DSA and ML… Phillip Hallam-Baker
- [lamps] Re: [EXTERNAL] Re: Seed as private key fo… Mike Ounsworth
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Mike Ounsworth
- [lamps] Re: Seed as private key for ML-DSA and ML… Alicja Kario
- [lamps] Re: [EXTERNAL] Re: Seed as private key fo… Bas Westerbaan
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… David Benjamin
- [lamps] Re: [EXTERNAL] Re: Seed as private key fo… Phillip Hallam-Baker
- [lamps] Re: [EXTERNAL] Re: Seed as private key fo… Mike Ounsworth
- [lamps] Re: [EXTERNAL] Re: Seed as private key fo… Carl Wallace
- [lamps] Re: Seed as private key for ML-DSA and ML… Phillip Hallam-Baker
- [lamps] Re: [EXTERNAL] Re: Seed as private key fo… Phillip Hallam-Baker
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Blumenthal, Uri - 0553 - MITLL
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Bas Westerbaan
- [lamps] Re: Seed as private key for ML-DSA and ML… Russ Housley
- [lamps] Re: Seed as private key for ML-DSA and ML… Sophie Schmieg
- [lamps] Re: Seed as private key for ML-DSA and ML… Scott Fluhrer (sfluhrer)
- [lamps] Re: Seed as private key for ML-DSA and ML… Scott Fluhrer (sfluhrer)
- [lamps] Re: Seed as private key for ML-DSA and ML… Scott Fluhrer (sfluhrer)
- [lamps] Re: Seed as private key for ML-DSA and ML… Phillip Hallam-Baker
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Blumenthal, Uri - 0553 - MITLL
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Blumenthal, Uri - 0553 - MITLL
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Mike Ounsworth
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Blumenthal, Uri - 0553 - MITLL
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Phillip Hallam-Baker
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Phillip Hallam-Baker
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Deirdre Connolly
- [lamps] Re: [EXT] Re: [EXTERNAL] Re: Seed as priv… Blumenthal, Uri - 0553 - MITLL