[lamps] Seed as private key for ML-DSA and ML-KEM

Bas Westerbaan <bas@cloudflare.com> Wed, 21 August 2024 15:50 UTC

From: Bas Westerbaan <bas@cloudflare.com>
Date: Wed, 21 Aug 2024 17:50:10 +0200
Message-ID: <CAMjbhoUOLfcRHT12ubSsPMEnDGT=UJUCvy34VX+qJYmyoFbscg@mail.gmail.com>
To: LAMPS <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vaAKtzW3BVHN8cm_JbwIaX-ypms>

Hi all,

NIST allows two formats in which private keys are stored for ML-DSA and ML-KEM.

1. Seed. 32 bytes for ML-DSA; 64 bytes for ML-KEM.
2. Expanded private key. Multiple kilobytes depending on instance.

An expanded private key is obtained from the seed by calling the
KeyGen_internal function.

In contrast to RSA, key generation for these algorithms is very fast. In
fact, if you use spinning disks, then using a seed is probably faster than
the expanded private key.

Another advantage is that we do not need to worry about private key
validation. NIST specified a few checks to perform, but there are more we
could do (e.g. whether the decoded coefficients of \hat{s} are bounded).

Of course a big advantage is storage space: the seeds are much smaller.

Now, how do we want to proceed? I see a few options.

1. Ignore the seed as private key.

2. Allow both seed and the expanded private key.

3. Assign separate algorithm for seed-as-private-key.

4. Switch to seed as private key only.

I prefer 4, and would otherwise go for 1.

The downside of 2 is that it adds complexity without the gain of
simplifying verification. If one only cares about size savings, then one
can use seed-as-private-key without needing a portable format for it.

So I'd prefer 4 and 1 second.

Best,

 Bas
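Added example (not code from the email, from NIST or from any reference implementation) illustrating the validation point made above: an ML-DSA expanded private key stores the secret vectors s1 and s2 with FIPS 204 BitPack (a = b = η), and unpacking alone does not guarantee the coefficients lie in [-η, η], so a consumer of expanded keys needs an explicit bound check that a seed-derived key never needs. The `check_bounded` validator and the constructed malformed encoding are assumptions of how such a check would be written.

```python
# ML-DSA packs each secret coefficient w in [-eta, eta] as eta - w using
# bitlen(2*eta) bits (FIPS 204 BitPack with a = b = eta). A valid field
# value is therefore in [0, 2*eta]; larger field values decode to w < -eta.
# eta is 2 for ML-DSA-44 and ML-DSA-87, 4 for ML-DSA-65.

N = 256  # polynomial degree in ML-DSA


def bits_to_bytes(bits):
    """FIPS 204 BitsToBytes: bit i lands in byte i//8 at position i%8."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (i % 8)
    return bytes(out)


def bytes_to_bits(data):
    """FIPS 204 BytesToBits: little-endian bit order within each byte."""
    return [(byte >> j) & 1 for byte in data for j in range(8)]


def bit_pack_eta(poly, eta):
    """Encode a polynomial with coefficients in [-eta, eta]."""
    c = (2 * eta).bit_length()
    bits = []
    for w in poly:
        assert -eta <= w <= eta, "encoder only accepts in-range coefficients"
        z = eta - w
        bits.extend((z >> j) & 1 for j in range(c))
    return bits_to_bytes(bits)


def bit_unpack_eta(data, eta):
    """Decode N coefficients; like FIPS 204 BitUnpack, does NOT enforce bounds."""
    c = (2 * eta).bit_length()
    bits = bytes_to_bits(data)
    return [eta - sum(bits[i * c + j] << j for j in range(c)) for i in range(N)]


def check_bounded(poly, eta):
    """The extra validation an expanded-key parser must do (assumed check)."""
    return all(-eta <= w <= eta for w in poly)


def validate_secret_poly(data, eta):
    """Unpack one packed secret polynomial and report whether it is well-formed."""
    poly = bit_unpack_eta(data, eta)
    return check_bounded(poly, eta), poly


if __name__ == "__main__":
    good = bit_pack_eta([(i % 5) - 2 for i in range(N)], 2)   # constructed, eta = 2
    bad = bytes([0x07]) + bytes(95)   # constructed: first 3-bit field is 7 > 2*eta
    print(validate_secret_poly(good, 2)[0], validate_secret_poly(bad, 2)[0])
```

For η = 2 the packed polynomial is 96 bytes and for η = 4 it is 128 bytes; a length check alone accepts the malformed `bad` encoding, which is why the bound check is needed.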