IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: Adoption call for draft-housley-lamps-cms-sha3-hash

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 01 November 2023 23:19 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2FFCC151077 for <spasm@ietfa.amsl.com>; Wed, 1 Nov 2023 16:19:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.002
X-Spam-Level:
X-Spam-Status: No, score=-6.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FONT_INVIS_DOTGOV=1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cp6KaoDDvJKQ for <spasm@ietfa.amsl.com>; Wed, 1 Nov 2023 16:19:12 -0700 (PDT)
Received: from mx08-0015a003.pphosted.com (mx08-0015a003.pphosted.com [185.183.30.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82FDAC1C02DA for <spasm@ietf.org>; Wed, 1 Nov 2023 16:19:11 -0700 (PDT)
Received: from pps.filterd (m0242863.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.22/8.17.1.22) with ESMTP id 3A1EJxlE002953; Wed, 1 Nov 2023 18:13:08 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h= from:to:subject:date:message-id:references:in-reply-to :content-type:mime-version; s=mail1; bh=1CCllokKX0dYnSjVpGxPnNgQ xsR1YCw1g2QFYdqpDzE=; b=X+7xC0jbvEH1M1zFfTQ7FXLr3wqZcj5Sx4zQRhpW 7QL9Yoqby+q6VBD/NwtO+6vUwodEuzzX0SbXhclI3ey+zZrb40qoCaCBaM4kzA5D BIvd3yUOP3YsG60IROTimforrqq9FFD0X4M5CsDKqThBpGW/LINxoRZfZA6VCvHh odTvT/JtfJQhojMOzSdcXL07jmlQtJodwDO43nfhqXDdsc81c5DF0xFFuJzcPoZS CJvJ/C+9pzbGgSNsu9GH8wwDjEyq8sUkJZo8GTi3dI1evjvnvpbRlWNo1L+yhhGl mEnFWTgawfptkjyG2di0Nxdf8qDZsy+LAY8Rh84CMhP+wg==
Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2101.outbound.protection.outlook.com [104.47.55.101]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3u0w9m3dx2-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 01 Nov 2023 18:13:07 -0500 (CDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=J8B3m8V1NTZJmZcCum2/YpNbKiEMXgMDq8FJv4w8Gui3lvDYd9Lz/6MJ83zoI+L58p5hZimAxkZO4c/NRWxyDt5ne0MejeV7dvOEBNYh806sofO639tzeocg4Z0L6rAWw0myh1u6OhF2rNxAuM6/lIgNN4UQXx4kFV3khg3KrbGzFNQPeCsUeLA0o8w2ElvVpi+EMAu+ToM/I4EM5UarqUzKpjY7mVPCozIs+8cBbvX62+dd498x3KuvSLlXGmyidl0pEvLVlnuANrdvLU2WKaxjgURr6H+MzuUwj7SjmuDYwrJBxVNbo7bkVR4zd0oopCI/13Fww+eYtqDwPpxCRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=F//DMKvrcaiLuGHk00NvekmtGDJNcq/atuBkE+kpiO4=; b=c6I2knX9n9r/uoeEpVWbBIq2dk0kOnsK6rQ3CxmrunPc5SV2j4XtZb50TXeQNCueYmg2rmA7hJmsHnpuufW0b7hHz2mYujX/MyhMJ2f8wYa5bnIr+kog9LlqVHR9HcpoitVD4g2wHAPYStA4vxZXwSA8zkYMa2Ovvit9Kj0OxehKGAvyAlEDsfTN7b1RydF9HhG7MezOmCsOX8PLbSMn2dAbwqaX5uZm6dLX5W+xCia+j26+24C6+18MwhWAAHKWjfKriHLRJ4KvdjlUKd9i6BlAd9iSGT9kZFNm13B0abg4gk0Dkqq8e9UgqtfNBzy7GQO3ieKj0y1W9JHpk6w6KA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by PH0PR11MB7544.namprd11.prod.outlook.com (2603:10b6:510:28d::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.28; Wed, 1 Nov 2023 23:13:04 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::9154:8630:8db3:6f4d]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::9154:8630:8db3:6f4d%6]) with mapi id 15.20.6954.019; Wed, 1 Nov 2023 23:13:04 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Michael StJohns <msj@nthpermutation.com>, "Kampanakis, Panos" <kpanos@amazon.com>, "spasm@ietf.org" <spasm@ietf.org>, Russ Housley <housley@vigilsec.com>
Thread-Topic: [EXTERNAL] Re: [lamps] Adoption call for draft-housley-lamps-cms-sha3-hash
Thread-Index: AQHaCtVAEmYM6Zd5EUuKITvqlEtzv7BijnIAgANr6LA=
Date: Wed, 01 Nov 2023 23:13:03 +0000
Message-ID: <CH0PR11MB5739BE4CAC58E03E092E7ED19FA7A@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <SN7PR14MB64924398A13D7C521AEDF4B283DCA@SN7PR14MB6492.namprd14.prod.outlook.com> <bfa2812c899541cc84f7c5abb38ee435@amazon.com> <597E6452-69BF-41EE-A3EB-19AF0A01304C@vigilsec.com> <CH0PR11MB573915B912FA76F9D2A8B3239FA3A@CH0PR11MB5739.namprd11.prod.outlook.com> <fb2e4bbe95964d8e9015e3787385fa53@amazon.com> <2d75918b-4815-4ec9-9e6f-74472af97a73@nthpermutation.com> <ee119d906d02451495e4b13a3c8bbc67@amazon.com> <98f0b71a-dd2a-4d73-9d46-05c9878d1ee9@nthpermutation.com>
In-Reply-To: <98f0b71a-dd2a-4d73-9d46-05c9878d1ee9@nthpermutation.com>
Accept-Language: en-US
Content-Language: en-US
X-Mentions: housley@vigilsec.com
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|PH0PR11MB7544:EE_
x-ms-office365-filtering-correlation-id: 632cc76d-148f-4e1f-2b11-08dbdb3019ec
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: u6ImQC9g048hQJjpWliqPzdqom1iMAsCL8Aj6gSJ3uorRasryAsbM65skNVv77vkqW3GaFOO3pQPuEa2SA8n6Fuq4t9szJBQ9l2uWh885kGqNMD41fLCTp+ExJrhn4wpLIn1A6o44UQp0+KQB9EhSK09DLjiLLwYpD/Nr9KzN4ec82DrqRo8HXhjDIG2vzrFRogX+2OMfk4tsuoD3qWw1fyflSxdHXZFA3pwla9gOnTzo5w9z2A8dLenXkbXnZojJLDodNx9Xz25L0FwEyg33YaAOV4EuiXBg7/SEev8uwxSHczfqRaAxM6KGRpF8TSp0Fql8HPeBZutfIAh5fVYdRjR3lfAsI/qzSmQzyqnk54kL9XYhAWMmu51a3T6BDbSIGIXwK3Mq788TqO3/6Tz9e7FSX6zm09t02o4CKiceUJPa9VS+rjduEJdoS8QPFUsD7IF7kMm0lO01skbTbpH7aG3DdDHUJrY4J6lN3QGPoBAJgM2irhVFj4wb+SODNn1+ublcPTxqwHftXcPE7gsxWck93lyQqxjd0UIYr5ZwoktR/lXBJZhZOM7cka2vU9Vt+LBFk1JT0S+ASjdOLq7qsoLfU+oJpwWxbKOPNB286yY+KjRigZMEuvDXrgel/BF1a+Ut1t5WdCupbzy3UMOx+ZB0QpA132UNjmApH1XqTNXKNPgVMwYE7j7ZHcqcxEC
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(366004)(346002)(396003)(136003)(376002)(39850400004)(230922051799003)(230173577357003)(230273577357003)(64100799003)(186009)(451199024)(1800799009)(55016003)(2906002)(26005)(38100700002)(9686003)(41300700001)(83380400001)(6506007)(8676002)(66556008)(7696005)(8936002)(478600001)(5660300002)(71200400001)(110136005)(966005)(66946007)(9326002)(52536014)(66476007)(66446008)(64756008)(53546011)(76116006)(316002)(38070700009)(166002)(86362001)(33656002)(122000001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: +OpcMkJb7WUxFfKlu2pQA8CAWt8chxVG4xjgUhIupAlvC3UNhPhlNoaMXFfMpll0Nh133odv13Qycz46x97F74wyD+ooJDybAXRpdUGzmwj5tgOtogy49QYml9SGp8226NXawS56S5hNOByPeflqzgd14AydsWlKXsCgdVvDP1FaQiHSnB5HlvSr9ReyjI8QL/z0DsIOrECCLRXfopJ8ZLYK1y8hprqt6cVgNnXDEDMFFWQEQKZpDC5eePQcSFi1qg8Vo2WLBjBUOgPX5tC2eWIpFzEHZ+y5oDpqH2yTijzwoX/rFfhZPfSMqVOOYde49G6pGXBvKXzaMD+lLS9Elkthhg49whJUAi8Oq9Ho7+An4Fv6QxYljVBqa2IxlHwUsxES3EM4lUn4nFTEvG2taWboaInTHNJAbJ+Gh0CATgBmKdmeW9/wM8fNuKujf7djAnOiympnYKy/mawHW61OCRIZIXdFp9nDJmFT9GEeyijGFx8nQSipchYGrhkp/8/lB/HGBpHDetYMBrMwOFZc+HFhuedv9rPTK1uhCC0vX/PHz4LaqbyCY7WTDOpWrEiGRWd2c6S5JVh+l/G1IqoAv39vNP7cKQYxaHCccuRpvZp5qAnMcSHR2O4MR4CB1cdsCssWikK7sSc6La0q/yRhx0/VMZCxIgpgtQPMFiReSrR9MVrtlKhykwLSM0umzS89oFlnFrGSZYkOk4IFqMMfI9dSNxOmFp8x3XywV/AZeeioKm64m5ez95B2Ej7X8U+bIvM6eOYBNdeji/khnrFtUIImjArAWEjpP7u44CpmU+zYCfkl5Cyi6zujLfu/ZUb96hRW04AGAmu/R+bU0X5EXzLru7vcS8ptJUC+Aadblbv7sMfLts9rUwt4NRCGk0gpm2TLShYlR0Y0WAbSKcd2boPwyscCPdATILc/30qVoigQGf15PMXz7tGRddhRNT5phh33s/Hmn4ABYnWAYk5ZZXbnkOOSywZASXgmHZ6i8ZwhtJxI8GU635UD4Ij6VC1L3Ww4JXvsZ7BXiRXxkZ3H2cvYdsnggEfrz2h8u2T4EIPEXIlzshaYCWwp8wjkIMBbC0etJ2i/GkXX303m7MsbMeR6y2T/p2QyfL8RjOwh7g7Nw0MEeOCxJWvMcuOSS9wkSwo1JpYnkCSxxjjTOOyjye9mQ3GuKf3LBGorcqtP3ffAY/Y7zu3mZpmBAihEqn/2711AZobf7YA+AuQ1E357OUgg+bc4LIE0KMDrh2uWz0zg/NNNjuESF3/BCenkv1h1Z3KncvFpqjw+BJFfgPJXlQT1i1vbyAxtjkOCzB72v2iVTKSywhtSuL2ADfaf9RG2zFBhU+oykFXqejwBMYiyj9oteXjhk5mam5MqyO3V2TYYNAgZkjDmpWs1pYajZAVWrXGrPBJKL4KDOVOtUpJGlePxd4MzmQ1j9I5mxOrTMpiFKDeXoRLG0UGZv4QOG4cKzwWGkF5m4++KeJgI1xK8ck+7t4veMAGToydkvTihIrNof2rtMzDsdgDFeSyWwxYqC0hVGtz2MWk2soj6YQARJ0aDHG47JrJAN1QHTdZBxxn0lS8whx6PIufxGE/AHch5RitWh9UQDBHp76NGmc+Dqw==
Content-Type: multipart/alternative; boundary="_000_CH0PR11MB5739BE4CAC58E03E092E7ED19FA7ACH0PR11MB5739namp_"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 632cc76d-148f-4e1f-2b11-08dbdb3019ec
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Nov 2023 23:13:03.7509 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MzJK7aadgnYmJhwNYKupRJmUf/s+L+SjDWZvxKeJP9Ye1JHe6zb81z1QJDLGnTSpT2OnG0oB+1LZyNa+6++MVEysFpr+sM9QUqqSFIjXRAc=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB7544
X-Proofpoint-ORIG-GUID: fdhZxqZBFXGV-FiuZAaDl_eDBFtPuTCM
X-Proofpoint-GUID: fdhZxqZBFXGV-FiuZAaDl_eDBFtPuTCM
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-11-01_21,2023-11-01_02,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 malwarescore=0 spamscore=0 mlxlogscore=705 lowpriorityscore=0 adultscore=0 priorityscore=1501 mlxscore=0 clxscore=1015 suspectscore=0 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2310240000 definitions=main-2311010173
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_nS_RTh-vCupy3lStf8vYxLKPWQ>
Subject: Re: [lamps] [EXTERNAL] Re: Adoption call for draft-housley-lamps-cms-sha3-hash
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2023 23:19:17 -0000

Hi Mike,

> One of the things I dislike about the pq-kem document is that choices like the particular KDF to use are implied by the KEM algorithm OID and can't be easily substituted without starting over.  Compare and contrast RFC5990 and the RSA-KEM parameters definition.

Great discussion to bring out on the list!

This is sorta going in circles; initially the composite sigs and kems drafts had all the parametrized flexibility that you could dream of. We were told this is not how we do things in 2023 and AlgID params are verboten and everything needs to be implied by the OID. For example, we were told that id-MLKEM512-RSA-KMAC128 was too flexible since it leaves the RSA key size unconstrained, so in the most recent version we changed that to id-MLKEM512-RSA2048-KMAC128.

So let’s hash this out on-list. @Russ Housley<mailto:housley@vigilsec.com> is the big proponent of “no params, mega-OID” approach.

---
Mike Ounsworth

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael StJohns
Sent: Monday, October 30, 2023 11:57 AM
To: Kampanakis, Panos <kpanos@amazon.com>; spasm@ietf.org
Subject: [EXTERNAL] Re: [lamps] Adoption call for draft-housley-lamps-cms-sha3-hash

On 10/29/2023 10: 02 PM, Kampanakis, Panos wrote: > try and practice algorithmic pluralism in the way we define things Personally, I am not sure algorithmic pluralism for the sake of variety is a good idea. Integrating and using only new

On 10/29/2023 10:02 PM, Kampanakis, Panos wrote:
> try and practice algorithmic pluralism in the way we define things

Personally, I am not sure algorithmic pluralism for the sake of variety is a good idea. Integrating and using only new algorithms that make sense is a better one imo.
I can’t think of a case where SHA-3 would be preferred over SHAKEs, but I am open to suggestions.

AFAICT from FIPS202 both are just parameterized instantiations of the same KECCAK function and have exactly the same performance (and strength).  E.g. from FIPS202

SHA3-256 (M) ::= KECCACK[512](M||01, 256)

SHAKE256 (M,d) ::= KECCACK[512](M||1111, d)

Now RFC8702 says that SHAKE256 should use d = 512 if you're using it as a hash/message digest, but I can't find anywhere in the NIST document that also use that value as a default.  That worries me with respect to future interoperability.

The main advantage of id-sha3-256 in this instance is that the definition associated with that OID makes clear that SHA3-256 has a fixed output of 256 bits.   If I were going to use SHAKE256-512, I'd rather use id-shake256-len as the OID and parameterize it with that length in an AlgorithmIdentifer so that it was clear to the receiver just what I was doing with the XOF.
Alg-SHAKE256-LEN ALGORITHM ::= { OID id-shake256-len PARMS ShakeOutputLen }

id-shake256 is an  unparameterized OID and that means I have to figure out what the length is from context and hope an implementer didn't miss getting to the same context.  RFC8702 section 3.1 notwithstanding.

With respect to pluralism, what I mean is the ability to plug in approved algorithms that more closely meet a set of requirements.  One of the things I dislike about the pq-kem document is that choices like the particular KDF to use are implied by the KEM algorithm OID and can't be easily substituted without starting over.  Compare and contrast RFC5990 and the RSA-KEM parameters definition.

Later, Mike





From: Spasm <spasm-bounces@ietf.org><mailto:spasm-bounces@ietf.org> On Behalf Of Michael StJohns
Sent: Saturday, October 28, 2023 11:50 PM
To: spasm@ietf.org<mailto:spasm@ietf.org>
Subject: RE: [EXTERNAL] [lamps] Adoption call for draft-housley-lamps-cms-sha3-hash


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

IMHO - These are somewhat orthogonal items.   Russ' document is useful irrespective of the Mike's KEM stuff, and I'd like to see it move forward on that basis.

(also, https://csrc.nist.gov/Projects/computer-security-objects-register/algorithm-registration<https://urldefense.com/v3/__https:/csrc.nist.gov/Projects/computer-security-objects-register/algorithm-registration__;!!FJ-Y8qCqXTj2!dANQSh0mKJ9qwy0EFgNZVn5T2FrIWDG_l5rlc3-Ean-nzsgR_LwHK2ta8wm6lPACrEMPhdCvx49TQ9YYvfjGiKId360$> has the OID registration for id-sha3-256, so for the use Mike as asking about, it's unclear his document actually depends on Russ' document.  That said, its usually useful to have an IETF public of the NIST allocations as RFCs tend to be a bit easier to find for our participants).

If you want draft-ietf-lamps-pq-composite-kem to use Shake exclusively, that's more a discussion that needs to happen on the list with respect to that draft.  Alternately, do what is more flexible and define multiple kda-??? KEY-DERIVATION ::={} constructs to support both shake and sha3.

So I'd suggest it may be better to avoid discussions about which is better and try and practice algorithmic pluralism in the way we define things.  In other words, allocate top level OIDs for both a shake and sha3 variant of the KDF and include those in the ASN1.

Later, Mike


On 10/28/2023 10:37 PM, Kampanakis, Panos wrote:
Hi Mike,

> I guess this is a design choice that the WG can discuss. We could instead use id-shake-256 from RFC8702, which is usable as a digest algorithm as per section 3.1, but why? If what I actually want is a hash function, then why can’t I have a hash function?

I suggest to discuss this in IETF-118. SHAKEs are XOFs but can be used just fine as hashes with constant output size. Their performance is better, and generally that is the reason they have be favored and more adopted than SHA-3 (in the same family).




From: Spasm <spasm-bounces@ietf.org><mailto:spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Saturday, October 28, 2023 2:08 PM
To: Russ Housley <housley@vigilsec.com><mailto:housley@vigilsec.com>; Kampanakis, Panos <kpanos@amazon.com><mailto:kpanos@amazon.com>
Cc: LAMPS <spasm@ietf.org><mailto:spasm@ietf.org>
Subject: RE: [EXTERNAL] [lamps] [EXTERNAL] Re: Adoption call for draft-housley-lamps-cms-sha3-hash


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

Panos,

Specifically, draft-ietf-lamps-pq-composite-kem instantiates RSA-KEM (RFC5990bis) with:
keyDerivationFunction  kda-kdf3 with id-sha3-256
See:
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-pq-composite-kem-02#name-rsa-kem-parameters<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-ietf-lamps-pq-composite-kem-02*name-rsa-kem-parameters__;Iw!!FJ-Y8qCqXTj2!dANQSh0mKJ9qwy0EFgNZVn5T2FrIWDG_l5rlc3-Ean-nzsgR_LwHK2ta8wm6lPACrEMPhdCvx49TQ9YYvfjGPwOTnfY$>

Therefore, I need an OID for id-sha3-256.

I guess this is a design choice that the WG can discuss. We could instead use id-shake-256 from RFC8702, which is usable as a digest algorithm as per section 3.1, but why? If what I actually want is a hash function, then why can’t I have a hash function?

- Mike Ounsworth
________________________________
From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> on behalf of Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>
Sent: Saturday, October 28, 2023 10:44:57 AM
To: Panos Kampanakis <kpanos@amazon.com<mailto:kpanos@amazon.com>>
Cc: LAMPS <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: [EXTERNAL] Re: [lamps] Adoption call for draft-housley-lamps-cms-sha3-hash

Panos: Mike Ounsworth needs these OIDs to be available, and the easiest solution was to just publish the previously abandoned I-D. Russ On Oct 27, 2023, at 11: 00 PM, Kampanakis, Panos <kpanos=40amazon. com@ dmarc. ietf. org><mailto:kpanos=40amazon. com@ dmarc. ietf. org> wrote: Hi Russ,

Panos:

Mike Ounsworth needs these OIDs to be available, and the easiest solution was to just publish the previously abandoned I-D.

Russ


On Oct 27, 2023, at 11:00 PM, Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org<mailto:kpanos=40amazon.com@dmarc.ietf.org>> wrote:

Hi Russ,

I was under the impression that SHAKEs for CMS and X.509 would suffice for introducing the Keccak family to these standards. SHAKEs have the same security and better performance. I thought that was the reason draft-turner-lamps-adding-sha3-to-pkix never made it.

Is there a reason why someone would use SHA-3 in CMS instead of SHAKE128 or SHAKE256 (RFC8702)?



From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Tim Hollebeek
Sent: Friday, October 27, 2023 11:39 AM
To: SPASM <spasm@ietf.org<mailto:spasm@ietf.org>>
Subject: [EXTERNAL] [lamps] Adoption call for draft-housley-lamps-cms-sha3-hash


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

Hello,

Russ has asked for an adoption call for this short document that explains how to
use SHA-3 with CMS.  Since people may be traveling to IETF 118, we’ll do a three
week adoption call.


https://datatracker.ietf.org/doc/html/draft-housley-lamps-cms-sha3-hash-00<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-housley-lamps-cms-sha3-hash-00__;!!FJ-Y8qCqXTj2!btMHx3oQg1XcdsmiDk3zQn-HVGxUExFHzJp0v2bwunfFVR3P8235FQ_QH4pzRkyD49fJSywzek8dgSw-P9DqGArWDMhf$>

Abstract

   This document describes the conventions for using the four one-way
   hash functions in the SHA3 family with the Cryptographic Message
   Syntax (CMS).

Please indicate whether you support adoption, and optionally indicate why, on
the list by 17 November 2023.

For the chairs,

-Tim

_______________________________________________
Spasm mailing list
Spasm@ietf.org<mailto:Spasm@ietf.org>
https://www.ietf.org/mailman/listinfo/spasm<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!btMHx3oQg1XcdsmiDk3zQn-HVGxUExFHzJp0v2bwunfFVR3P8235FQ_QH4pzRkyD49fJSywzek8dgSw-P9DqGMDI1k9b$>

Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.




_______________________________________________

Spasm mailing list

Spasm@ietf.org<mailto:Spasm@ietf.org>

https://www.ietf.org/mailman/listinfo/spasm<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!dANQSh0mKJ9qwy0EFgNZVn5T2FrIWDG_l5rlc3-Ean-nzsgR_LwHK2ta8wm6lPACrEMPhdCvx49TQ9YYvfjGTEWqXBw$>

v2.23.0 | Report a Bug | By Email