Re: [lamps] Do we have a FALCON draft yet?
"Massimo, Jake" <jakemas@amazon.com> Tue, 22 November 2022 22:23 UTC
Return-Path: <prvs=3185a1e16=jakemas@amazon.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6400BC14CE30 for <spasm@ietfa.amsl.com>; Tue, 22 Nov 2022 14:23:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.498
X-Spam-Level:
X-Spam-Status: No, score=-14.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tF2bWr7qCUzo for <spasm@ietfa.amsl.com>; Tue, 22 Nov 2022 14:23:31 -0800 (PST)
Received: from smtp-fw-9102.amazon.com (smtp-fw-9102.amazon.com [207.171.184.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4459C14CE2C for <spasm@ietf.org>; Tue, 22 Nov 2022 14:23:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1669155812; x=1700691812; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=gSOGg+z507kAiivOkhzrN8rUR1kg2J5lPY4igkeB8kA=; b=ujkXrsYGCC6z/qGD1DkjAoPDQ8BHCq675SYiBArhT+s4gQ4asYrGoppz Z7TORmjbj0qujFtwfxhWelqUqB7NX7vSj/6K114CGVypY9+pLNQN8b+Q8 qrNIKRyy4dr9/M25iGvgGn8hDcVF6CdOaXKL71Jf5wJZeF8aCDxp2Aq6c I=;
X-IronPort-AV: E=Sophos;i="5.96,185,1665446400"; d="scan'208,217";a="282998956"
Thread-Topic: [lamps] Do we have a FALCON draft yet?
Received: from pdx4-co-svc-p1-lb2-vlan2.amazon.com (HELO email-inbound-relay-pdx-2a-m6i4x-8a14c045.us-west-2.amazon.com) ([10.25.36.210]) by smtp-border-fw-9102.sea19.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Nov 2022 22:23:26 +0000
Received: from EX13D41EUB002.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan3.pdx.amazon.com [10.236.137.198]) by email-inbound-relay-pdx-2a-m6i4x-8a14c045.us-west-2.amazon.com (Postfix) with ESMTPS id 513CD8269E; Tue, 22 Nov 2022 22:23:23 +0000 (UTC)
Received: from EX19D046EUB003.ant.amazon.com (10.252.61.117) by EX13D41EUB002.ant.amazon.com (10.43.166.132) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Tue, 22 Nov 2022 22:23:22 +0000
Received: from EX19D046EUB001.ant.amazon.com (10.252.61.72) by EX19D046EUB003.ant.amazon.com (10.252.61.117) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.20; Tue, 22 Nov 2022 22:23:22 +0000
Received: from EX19D046EUB001.ant.amazon.com ([fe80::dbc6:4900:cc9e:35e5]) by EX19D046EUB001.ant.amazon.com ([fe80::dbc6:4900:cc9e:35e5%4]) with mapi id 15.02.1118.020; Tue, 22 Nov 2022 22:23:22 +0000
From: "Massimo, Jake" <jakemas@amazon.com>
To: "Markku-Juhani O. Saarinen" <mjos@pqshield.com>, LAMPS <spasm@ietf.org>
CC: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Thread-Index: AQHY/HKuju7GF0Mq7kaHcbSAxb9n+65HuiOAgACneYCAAOlsAIABuASA
Date: Tue, 22 Nov 2022 22:23:22 +0000
Message-ID: <B695FF0C-08B0-47BE-BCF4-99F961C58D10@amazon.com>
References: <CAMjbhoUUKjuU1rMJ--21TDz4h6MxMdghGZPVVVJjGaSyCNAgLQ@mail.gmail.com> <F17215D0-255B-4DD5-8410-4F5FDA250658@ll.mit.edu> <CAPwdP4P7A+rcGTm3k603KcftigV5Hg-fS0XGpgXv3N5=MzOaYA@mail.gmail.com>
In-Reply-To: <CAPwdP4P7A+rcGTm3k603KcftigV5Hg-fS0XGpgXv3N5=MzOaYA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.119.197.54]
Content-Type: multipart/alternative; boundary="_000_B695FF0C08B047BEBCF499F961C58D10amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kTR7hyJtNX57VLwcrFWYSKjhlx8>
Subject: Re: [lamps] Do we have a FALCON draft yet?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2022 22:23:36 -0000
Markku, Thanks for posting this analysis, it’s very useful! I’d be happy to help co-author the Falcon I-D should one arise. It was originally planned to have multiple algorithms in an all-encompassing “PQ X.509” draft, but due to the vast differences in the schemes it would have muddied the water and produced a hefty draft. That said, a lot of the more general formatting/material authored for Dilithium could easily transfer over to a Falcon draft, so I’d love to be involved and work with you (it could also more easily facilitate consistency between the I-Ds). Cheers, Jake From: Spasm <spasm-bounces@ietf.org> on behalf of "Markku-Juhani O. Saarinen" <mjos@pqshield.com> Date: Monday, 21 November 2022 at 04:09 To: LAMPS <spasm@ietf.org> Cc: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Subject: RE: [EXTERNAL][lamps] Do we have a FALCON draft yet? CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. Hi, I have been looking at possibly preparing an I-D for Falcon, but the technical details are currently in flux. I've been in contact with members of the Falcon design team, and I hear that they're getting around to revising the algorithm for standardization (my understanding from NIST is that they will try to get the Dilithium specs in shape before moving on to address Falcon -- this is private communication and not official.) One of the issues is that there is a yet another twist to message hash processing with Falcon (surprise, surprise!) Falcon spec (v1.2, 1 Oct 2020), Sect 3.11.3: "A Falcon signature consists of two strings r and s. They may conceptually be encoded separately, because the salt r must be known before beginning to hash the message itself, while the s value can be obtained or verified only after the whole message has been processed. In a format that supports streamed processing of long messages, the salt r would normally be encoded before the message, while the s value would appear after the message bytes. However, we here define an encoding that includes both r and s." For purposes of, say, PKI formats having the concatenated pair (r,s) as the signature obviously makes more sense than having the signature in two parts. The second issue is that SHAKE-256 XOF output is used directly. Unless this is changed, Falcon will be yet another case for API architects to consider: 0. For classical (PKCS #1) RSA or ECDSA you can just hash a message and pass the H(m) to the signing function. 1. For Dilithium, you prefix the message "m" with a hash of Dilithium pub key tr=H(pk) and use that as a prefix to compute H(tr | m). You don't need the signature to start verification, just the public key (the "tr" hash can also be found in the private key). 2. For Falcon verification, it's different again. You grab "r' from the signature (not the keys) and prefix the message with it; str = (r | m). If you're singing, you need to throw dice and get a random r before starting to hash the message. But that's not all; HashToPoint() function uses SHAKE256 XOF output directly -- there is no actual upper bound to the number of bytes needed (albeit statistical ones are easy to work out.) One can also pass the entire Keccak context (200 bytes, containing the prefix r and the mixed message m) to the signing/verification function. This is a compatibility-breaking issue, unlike the randomized vs. non-randomized aspects of Dilithium singing. As the Falcon spec says, "Of course, any variant deviating from the procedure expressed in algorithm 3 implies that the same message will hash to a different value, which breaks interoperability." This will have to be addressed by the design team. Ps. I agree that eliminating potential timing oracles from the current Falcon is trickier/costlier than with most other algorithms. Masking and other electromagnetic (DPA/DEMA) countermeasures for hardware implementations are even trickier -- as required for platform security, smart cards, etc. Unless there is a major design change concerning floating point operations in the Gaussian sampler, this appears to be an "inherent" security consideration for Falcon and, indeed, needs to be discussed in the I-D/RFC. Cheers, - markku Dr. Markku-Juhani O. Saarinen Staff Cryptography Architect PQShield Ltd M: +44 0 7548 620723 E: mjos@pqshield.com<mailto:mjos@pqshield.com> W: www.pqshield.com<http://www.pqshield.com/> On Sun, Nov 20, 2022 at 10:13 PM Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu<mailto:uri@ll.mit.edu>> wrote: Completely agree with Bas. Regards, Uri On Nov 20, 2022, at 07:14, Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org<mailto:40cloudflare.com@dmarc.ietf.org>> wrote: Not that I know of. If someone picks this up, may I urge them to add a warning to the following effect in the earliest draft. The Falcon signing procedure is difficult to implement in constant time because of its use of floating point arithmetic. By default, it should be assumed that the timing of the creation of the signature leaks the private key. Thus, without careful consideration, it should not be used when signatures are created on-the-fly such as for TLS handshakes. It is safe if floating-point emulation is used (which comes at a performance penalty) or a (custom) FPU with sufficient constant-time guarantees. Verification does not use floating-point arithmetic and does come with the same concerns. Best, Bas On Sun, Nov 20, 2022 at 12:56 AM Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org<mailto:40entrust.com@dmarc.ietf.org>> wrote: For completeness, we also have Kyber [3]. [3]: https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/ --- Mike Ounsworth From: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> On Behalf Of Mike Ounsworth Sent: November 19, 2022 5:53 PM To: 'LAMPS' <spasm@ietf.org<mailto:spasm@ietf.org>> Subject: [EXTERNAL] [lamps] Do we have a FALCON draft yet? WARNING: This email originated outside of Entrust. DO NOT CLICK links or attachments unless you trust the sender and know the content is safe. ________________________________ Hi LAMPS, We have drafts for SPHINCS+ [1] and Dilithium [2] in LAMPS. Has anyone started one for FALCON yet? (I need something to cross-reference the composite draft against) [1]: https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-sphincs-plus/<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-lamps-cms-sphincs-plus/__;!!FJ-Y8qCqXTj2!fJ0iZFzue-XVZBbJ18itKI-6e6y12C3g-v1B6dzJyGsg9sgUnSr-uGDYsyjTI-fvpuSJoWVhNP0h3vCR5xxUkcbW4I-VqfjlT2DqrQ8jQA$> [2]: https://datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-massimo-lamps-pq-sig-certificates/__;!!FJ-Y8qCqXTj2!fJ0iZFzue-XVZBbJ18itKI-6e6y12C3g-v1B6dzJyGsg9sgUnSr-uGDYsyjTI-fvpuSJoWVhNP0h3vCR5xxUkcbW4I-VqfjlT2A2XHyKVQ$> --- Mike Ounsworth Software Security Architect, Entrust Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system. _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm
- [lamps] Do we have a FALCON draft yet? Mike Ounsworth
- Re: [lamps] Do we have a FALCON draft yet? Mike Ounsworth
- Re: [lamps] Do we have a FALCON draft yet? Bas Westerbaan
- Re: [lamps] Do we have a FALCON draft yet? Blumenthal, Uri - 0553 - MITLL
- Re: [lamps] Do we have a FALCON draft yet? Markku-Juhani O. Saarinen
- Re: [lamps] Do we have a FALCON draft yet? Ilari Liusvaara
- Re: [lamps] Do we have a FALCON draft yet? Massimo, Jake
- Re: [lamps] [EXTERNAL] Re: Do we have a FALCON dr… Mike Ounsworth