[lamps] Re: Responding to ISSUE #2 with additional questions
Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 22 August 2024 16:40 UTC
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: "Kaliski, Burt" <bkaliski=40verisign.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Date: Thu, 22 Aug 2024 16:40:28 +0000
Message-ID: <CH0PR11MB573958612FCBAE3A1F1CC8549F8F2@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <90f3c9c07a274b6cac7e4d71e289b68a@verisign.com>
CC: John Gray <John.Gray@entrust.com>
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Xq6PkGkXX4SXudJUnqkVtJ0Mu-U>
Hi Burt,

I have sorted your feedback into two github issues:

"Burt's feedback: context string in domain separator?"
https://github.com/lamps-wg/draft-composite-sigs/issues/33

Good suggestion. I support having the composite .Sign() accept a context string, and passing it through to underlying component primitives that support a context string (i.e. ML-DSA).

"Burt's feedback: should we define pre-hashed modes for composite?"
https://github.com/lamps-wg/draft-composite-sigs/issues/34

I think all your other feedback falls into this category. Fair point, currently the composite draft presents a pure-sign mode, and uses ML-DSA in its pure-sign mode. But with NIST deciding to support both pure and pre-hash modes of ML-DSA, we should probably do the same for composite-ML-DSA. This represents a fairly large amount of design work since all the points raised by you, plus probably more, are in-scope. We're up to 48 open github issues across the two composite drafts, and this one is probably one of the largest in terms of design work required. It's logged. We'll get to it ... eventually.

---
Mike Ounsworth

From: Kaliski, Burt <bkaliski=40verisign.com@dmarc.ietf.org>
Sent: Wednesday, August 21, 2024 10:44 AM
To: spasm@ietf.org
Cc: John Gray <John.Gray@entrust.com>
Subject: [EXTERNAL] [lamps] Responding to ISSUE #2 with additional questions

John, thanks for putting together the open questions. I'd like to add another group of questions on composite signatures, related to ISSUE #2. The questions are part of a broader discussion of ways of using signature algorithms or "modes of operation" that I mentioned in my CFRG presentation at IETF 120.

* Should the domain separator also include an optional context string, similar to the domain separator NIST has defined for the recently published FIPS 204/205 [1]? The context string would provide a way to "separate uses of the protocol between different protocols ... and between different uses within the same protocol" (Sec. 8.3 of [2]).

* Should the domain separator include an initial byte that identifies the type of domain separator, again similar to NIST's definition? For instance, the value 1 could indicate that the message is pre-hashed as currently proposed in draft-ietf-lamps-pq-composite-sigs. A different value could support another option: the message is not pre-hashed, but instead is prepended with a domain separator, and then passed to the two signature algorithms. That option would avoid the need for an additional hashing operation to be specified. (The domain separator could still include an OID for the combination of the two signature algorithms in order to separate different combinations of algorithms.)

* If an underlying signature algorithm supports pure and pre-hash modes, which mode should be used with the composite signature construction? Presumably pure mode when the composite construction includes pre-hashing, because the message will already have been hashed by the time it reaches the underlying signature algorithm, but this should be stated explicitly.

* Similarly, if an underlying signature algorithm supports a context string, what value should be given to the context string when the algorithm is used with the composite construction? If the composite construction is updated to include an optional context string in the domain separator, should the context strings for the underlying algorithm and for the overall construction be the same? Or should the context string for the underlying algorithm instead somehow indicate the "use" of the underlying algorithm is "for signing a composite signature hash value"?

* In addition to pre-hashing as currently proposed, should there be an option for including a randomizer and/or the signers' public keys in the input to the pre-hash operation, in addition to the message? As Joe Harvey observed in comments to NIST earlier this year [3], without such an option, pre-hashing introduces a dependency on collision resistance, whereas the security of the underlying signature algorithm may be based on other security assumptions (e.g., target collision resistance, second preimage resistance). Moreover, a collision, if found, could potentially be used against multiple users, whereas the underlying signature algorithm may have been designed to provide security in the multi-user model. (This is not an argument for reducing the size of the hash function output by using randomization, but rather for considering that the use of pre-hashing may change the security assumptions compared to the underlying algorithm, and providing the protocol designer a way to revert to the original assumptions.)

Thanks – Burt

[1] D. Moody. Updates on pre-hash for FIPS 204 and 205. pqc-forum@list.nist.gov mailing list, April 19, 2024, https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/JKMh0D0pa30/m/vbflXolxAQAJ
[2] S. Josefsson, I. Liusvaara. Edwards-Curve Digital Signature Algorithm (EdDSA). RFC 8032, January 2017, https://www.rfc-editor.org/info/rfc8032
[3] J. Harvey. Re: Pure vs. pre-hash signing for ML-DSA and SLH-DSA. pqc-forum@list.nist.gov mailing list, January 19, 2024, https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/qsmP_5ZZx0g/m/sACWPXnVAwAJ

From: John Gray <John.Gray@entrust.com>
Sent: Thursday, August 1, 2024 5:41 PM
To: spasm@ietf.org
Subject: [lamps] Composite Signatures and KEM open issues that need feedback

Hello Lamps.

Thanks for the feedback at IETF 120 for composite signatures and composite KEMs. We the authors have compiled together all the currently open questions about composites into one email (sorry it is so long). Feedback on-list is great. Discussion directly on the linked github issue is better. If you're going to comment on the mailing list, please carefully tag which issue you are discussing so that it stays somewhat orderly ... "Responding to ISSUE #3".

Open Questions on Composite Signatures:

ISSUE #1 (Github issue: https://github.com/lamps-wg/draft-composite-sigs/issues/9)

The ML-DSA public key should be an unwrapped BIT STRING with no ASN.1 type around them. Currently the ML-DSA draft draft-ietf-lamps-dilithium-certificates uses this:

    pk-MLDSA PUBLIC-KEY ::= {
      IDENTIFIER id-MLDSA
      -- KEY no ASN.1 wrapping --
      PARAMS ARE absent
      CERT-KEY-USAGE { nonRepudiation, digitalSignature, keyCertSign, cRLSign }
      --- PRIVATE-KEY no ASN.1 wrapping --
    }

We could try using something like an ENCODED BY id-rawkey as in:

    id-raw-key ::= SOME OBJECT IDENTIFIER

    pk-CompositeSignature {OBJECT IDENTIFIER:id, FirstPublicKeyType, SecondPublicKeyType} PUBLIC-KEY ::= {
      IDENTIFIER id
      KEY SEQUENCE {
        firstPublicKey  BIT STRING (CONTAINING FirstPublicKeyType | ENCODED BY id-raw-key),
        secondPublicKey BIT STRING (CONTAINING SecondPublicKeyType | ENCODED BY id-raw-key)
      }
      PARAMS ARE absent
      CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign }
    }

Or just have some text that explains the BIT STRING is a raw key without the extra ASN.1 type wrapping. Does the working group have a preference on this matter? The authors think adding some explanatory text should be sufficient.

ISSUE #2 (Github Issue: https://github.com/lamps-wg/draft-composite-sigs/issues/19)

Do we make the Domain separator Hash(DER(OID)) instead of just DER(OID)? The one advantage is we end up with a fixed length Domain separator. The authors don't think this is required, but are willing to make the change if the working group would like to see this done.

ISSUE #3 (Github issue: https://github.com/lamps-wg/draft-composite-sigs/issues/6)

Should we consider compacting the CompositeSignaturePrivateKey format? For example, today it is:

    CompositeSignaturePrivateKey ::= SEQUENCE SIZE (2) OF OneAsymmetricKey

We could compact it to:

    CompositeSignaturePrivateKey ::= SEQUENCE SIZE (2) OF OCTET STRING

Then implementations would need to recompose the OneAsymmetricKey using the combination of settings given by the OID. This removes the redundant information from the CompositeSignaturePrivateKey because it is now carried in the OID representation itself. The authors don't have a strong opinion on whether this should be changed. The two benefits:

1. Smaller private keys (maybe a couple percent)
2. Aligns with the compact format used in the public key.
3. It makes it a bit more difficult for implementors (but not too much).

---------
Open Issues affecting both Composite Signatures and Composite KEM:

ISSUE #4

Timing. Does LAMPS have an official or unofficial milestone for publishing? Answer could be different for KEMs and Sigs. Obviously, there's going to be a flurry of PQC drafts from LAMPS and others once FIPS 203, 204, 205 are out. Are we trying to get these into that wave, or not? In particular, should we wait X years for CFRG to finish their KEM Combiners activity, or should we publish this and fix it later if we need to? (The authors and the general feel at LAMPS 120 was to publish-now-fix-later).

ISSUE #5 (Github issues: https://github.com/lamps-wg/draft-composite-kem/issues/37, https://github.com/lamps-wg/draft-composite-sigs/issues/24, https://github.com/lamps-wg/draft-composite-sigs/issues/23)

Should the RSA key size be specified by the OID, or left free? Related sub question: if specified, which RSA key sizes should we support? Currently we have {2048, 3072}, but we've been asked by an implementer to add 4096. Should it then be {2048, 4096}? Jan is advocating for having all three RSA sizes.

Arguments for removing the key size restriction: it completely avoids that related sub question. Arguments against: we probably should provide guidance on how to pair RSA key sizes with the ML-KEM and KDF parameter. Removing the RSA key size does not shorten the current list; you need a minimum of 4 RSA combos to hit: MLDSA44+PSS, MLDSA44+PKCS1, MLDSA65+PSS, MLDSA65+PKCS1, and the equivalents on the KEM side.

Reminder: having both L1/2, and L3 with RSA is sort of about matching security levels (although we would be quite happy to call all levels of RSA "NIST PQC L1"), but it's more about people trying to add PQ to an RSA deployment and they only want to implement one size of ML-*. Maybe this is a weak argument? But then if we only go with one PQ level, then which ML-DSA and which ML-KEM is "the one"?

For signature the authors are intending to add two new combinations with RSA 4096. We suggest:

    id-MLDSA65-RSA4096-PSS-SHA512
    id-MLDSA65-RSA4096-PKCS15-SHA512

For KEM we intend to add:

    id-MLKEM512-RSA4096

-----------
Open Issues affecting Composite KEM

ISSUE #6 (Github: https://github.com/lamps-wg/draft-composite-kem/issues/40)

Combiner construction. We're on-path to align with OpenPGP and X-Wing. We greatly appreciate the interaction with Quynh Dang to make sure this is FIPS-compliant. Sorry for the confusing notation on the slides and in draft-04. The intention is to get as close to the OpenPGP construction as we can, which is:

    SHA3-*( mlkemSS || tradSS || tradCT || tradPK || domSep )

Note: X-wing puts its spaceship ascii art domain separator first, which we believe will not pass SP800.56Cr2; We believe it has to be at the end to fit 56Cr2's FixedInfo. The authors will work with the authors of draft-openpgp-pqc, X-Wing, and the forthcoming KEM Combiners draft at CFRG to align hopefully to the point of binary compatibility. I don't think we actually need any WG feedback, unless there are objections.

https://github.com/lamps-wg/draft-composite-kem/issues/40
https://github.com/lamps-wg/draft-composite-kem/issues/45

ISSUE #7 (Github: https://github.com/lamps-wg/draft-composite-kem/issues/54)

For a security proof of the ML-KEM + ECDH combos, we can point to the X-Wing paper. We should have a similar proof for the RSA-OAEP combos. Not sure how to go about attracting someone to help with this, or if we should attempt proof-writing ourselves.

ISSUE #8 (Github: https://github.com/lamps-wg/draft-composite-kem/issues/52)

KEM domain separators. Currently we are using DER(OID) as the domain separator. We think it is desirable that a shared secret derived for CMS cannot be swapped into, for example, an OpenPGP or HPKE context. But maybe that does not need to be handled at the KEM algorithm level, maybe it is already handled at the protocol level (CMS KEMRI, for example), and so we should align on domain separators with OpenPGP? For X-Wing in particular, for that one we could take the "\.//^\", but as mentioned above, that wouldn't give binary compatibility anyway since they put it at the beginning, and we have to put it at the end for FIPS reasons.

Do we want binary compatibility with OpenPGP KEM and X-Wing? If this is true then shouldn't we have one composite KEM primitive draft, and then drafts that specify usage in OpenPGP and CMS? We also need to think about the encoding of the public key.

ISSUE #9 (Github: https://github.com/lamps-wg/draft-composite-kem/issues/48)

The term "DHKEM" and "RSAOAEPKEM". Are those registered and already used? In particular, does RFC 9180 have a monopoly on the term "DHKEM"? If so, the authors are happy to take suggestions for what to call our abstract pseudocode in 2.3.3. Are we worried about name collisions of Pseudo code in RFC's? What do we rename it to?

ISSUE #10 (Github: https://github.com/lamps-wg/draft-composite-kem/issues/50, https://github.com/lamps-wg/draft-composite-kem/issues/49)

Binding public keys in the KDF. Basically, CMS is used by a lot of embedded and hardware things – a smartcard applet that decrypts S/MIME is an example here. It's never been true in the past that the device needs the public key in order to do a decryption. Are we asking for trouble if we suddenly make that a requirement of the RSA / ECC side of the hybrid? Note that we only need it at the combiner level, not inside the RSA / ECC decryption routine, which remains unmodified. The authors' vote is that this is an ok thing to prescribe, but: 1) We are not embedded hardware vendors, and 2) we've been asking this question for a while and have received zero community feedback on it. If we think this is needed in composite, it will have to be added. As an example, https://docs.oracle.com/javacard/3.0.5/api/javacard/security/ECPrivateKey.html does not contain the public key.

ISSUE #11 (Github: https://github.com/lamps-wg/draft-composite-kem/issues/51)

KDF = SHA3 ... what about SHA2. This question should probably have the same answer as Dan van Geest's related question about draft-cms-kyber. The argument for is that even though ML-KEM needs SHA3 internally, this may not always be available to the layer of code doing the combiner, or the CMS EnvelopedData. Just a note, because the KDF is part of the composite OID, adding HKDF-SHA2 will 2x the size of the list. If the WG wants us to do this, great, but please don't complain at us about the size of the list.

The authors suggest, rather than 2x'ing the whole list, we do the following: All RSA combinations use HKDF-SHA2. Each of the P256 and brainpoolP256 combinations are offered with both SHA3 (to align with X-Wing), and HKDF-SHA2. The new list would then be:

| Composite KEM | KDF |
|--------- | -------- |
| id-MLKEM512-ECDH-P256 | SHA3-256 |
| id-MLKEM512-ECDH-P256 | HKDF-SHA2 |
| id-MLKEM512-ECDH-brainpoolP256r1 | SHA3-256 |
| id-MLKEM512-ECDH-brainpoolP256r1 | HKDF-SHA2 |
| id-MLKEM512-X25519 | SHA3-256 |
| id-MLKEM512-RSA2048 | HKDF-SHA2 |
| id-MLKEM512-RSA3072 | HKDF-SHA2 |
| id-MLKEM512-RSA4096 | HKDF-SHA2 |
| id-MLKEM768-ECDH-P256 | SHA3-384 |
| id-MLKEM768-ECDH-P256 | HKDF-SHA2 |
| id-MLKEM768-ECDH-brainpoolP256r1 | SHA3-384 |
| id-MLKEM768-ECDH-brainpoolP256r1 | HKDF-SHA2 |
| id-MLKEM768-X25519 | SHA3-384 |
| id-MLKEM1024-ECDH-P384 | SHA3-512 |
| id-MLKEM1024-ECDH-brainpoolP384r1 | SHA3-512 |
| id-MLKEM1024-X448 | SHA3-512 |
{: #tab-kem-algs title="Composite KEM key types"}

ISSUE #12 (Github: https://github.com/lamps-wg/draft-composite-kem/issues/47)

Should we remove ML-KEM512 and only offer 768 and 1024?

Thanks in advance for all your feedback to move these drafts forward,

The Composite Signature and KEM authors
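The encoding questions in this thread (Burt's mode byte, context string and optional randomizer in the pre-hash input; the DER(OID) versus Hash(DER(OID)) domain separator of ISSUE #2; and passing the context through only to the component that takes one) as a worked example; this is added code, not the draft's or the authors' construction. The field layout, the placeholder OID and the SHA-256/SHA-512 choices are assumptions modelled on FIPS 204's pure/pre-hash encoding.

```python
"""Composite-signature to-be-signed encoding, illustrating the ISSUE #2 thread.

ASSUMED layout (modelled on FIPS 204's pure/pre-hash encoding, not taken from
draft-ietf-lamps-pq-composite-sigs):
    domSep || mode || len(ctx) || ctx || body
where body = message                                          (MODE_PURE), or
      body = randomizer || H(randomizer || pubkeys || message)  (MODE_PREHASH).
"""
import hashlib
from typing import Callable, Tuple

MODE_PURE = 0x00     # message is not pre-hashed, only prepended with the separator
MODE_PREHASH = 0x01  # message is pre-hashed, as the draft currently does


def der_oid(oid: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("malformed OID")
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128 digits, high bit set on all but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    if len(body) >= 128:
        raise ValueError("long-form length not needed for these OIDs")
    return bytes([0x06, len(body)]) + bytes(body)


def domain_separator(oid: str, fixed_length: bool = False) -> bytes:
    """DER(OID) as the draft does today, or Hash(DER(OID)) for a fixed length (ISSUE #2)."""
    dom = der_oid(oid)
    return hashlib.sha256(dom).digest() if fixed_length else dom


def composite_tbs(oid: str, mode: int, message: bytes, ctx: bytes = b"",
                  hash_name: str = "sha512", randomizer: bytes = b"",
                  bound_pubkeys: bytes = b"", fixed_length_dom: bool = False) -> bytes:
    """Build the byte string that both component algorithms sign.

    The mode byte keeps pure and pre-hashed encodings of the same bytes apart.
    In MODE_PREHASH the optional randomizer and public keys enter the hash input
    (Burt's question about reverting to the component's security assumptions);
    the randomizer is also emitted in the clear so the verifier can rebuild the
    string. A deployed scheme would carry it inside the signature value.
    """
    if len(ctx) > 255:
        raise ValueError("context string limited to 255 bytes, as in FIPS 204")
    header = domain_separator(oid, fixed_length_dom) + bytes([mode, len(ctx)]) + ctx
    if mode == MODE_PURE:
        return header + message
    if mode == MODE_PREHASH:
        digest = hashlib.new(hash_name, randomizer + bound_pubkeys + message).digest()
        return header + randomizer + digest
    raise ValueError("unknown mode byte")


def composite_sign(tbs: bytes, ctx: bytes,
                   pq_sign: Callable[[bytes, bytes], bytes],
                   trad_sign: Callable[[bytes], bytes]) -> Tuple[bytes, bytes]:
    """Invoke both components on the same tbs.

    pq_sign stands for a primitive with a context parameter (ML-DSA, called here
    in its pure mode because any pre-hashing already happened in composite_tbs);
    trad_sign stands for RSA/ECDSA, which has no context parameter and so only
    sees the ctx through the tbs header.
    """
    return pq_sign(tbs, ctx), trad_sign(tbs)


if __name__ == "__main__":
    OID = "1.3.6.1.4.1.99999.1"  # placeholder, not a registered composite OID
    msg = b"constructed sample message"
    pure = composite_tbs(OID, MODE_PURE, msg, ctx=b"cms")
    pre = composite_tbs(OID, MODE_PREHASH, msg, ctx=b"cms", randomizer=b"\x11" * 32)
    print("pure   :", pure.hex())
    print("prehash:", pre.hex())
```

Swapping the domain separator, the mode byte or the context string changes the signed bytes, which is the separation property each of Burt's bullets asks the draft to pin down.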