[lamps] Re: [EXT] Re: Seed as private key for ML-DSA and ML-KEM

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 21 August 2024 16:13 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Russ Housley <housley@vigilsec.com>
Date: Wed, 21 Aug 2024 16:13:03 +0000
Message-ID: <ABECBF09-EA31-4B99-885E-12C77244120E@ll.mit.edu>
References: <AE5C0B7F-16E3-4829-966F-E4AA68F00BC6@vigilsec.com>
In-Reply-To: <AE5C0B7F-16E3-4829-966F-E4AA68F00BC6@vigilsec.com>
CC: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, LAMPS <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/wzbzHEqDrRBZCQea0jrUrAnopqI>

I prefer option 2, followed by option 4. 

Thanks
—
Regards,
Uri

Secure Resilient Systems and Technologies
MIT Lincoln Laboratory

> On Aug 21, 2024, at 12:02, Russ Housley <housley@vigilsec.com> wrote:
> 
> 
> Bas:
> 
> I also prefer option 4.  That is, always transfer as a seed, but allow an implementation to internally store in whatever works best for them.
> 
> Russ
> 
>> On Aug 21, 2024, at 11:50 AM, Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org> wrote:
>> 
>> Hi all,
>> 
>> NIST allows two formats in which private keys are stored for ML-DSA and ML-KEM.
>> 
>> 1. Seed. 32 bytes for ML-DSA; 64 bytes for ML-KEM.
>> 2. Expanded private key. Multiple kilobytes depending on instance.
>> 
>> An expanded private key is obtained from the seed by calling the KeyGen_internal function.
>> 
>> In contrast to RSA, key generation for these algorithms is very fast. In fact, if you use spinning disks, then using a seed is probably faster than the expanded private key.
>> 
>> Another advantage is that we do not need to worry about private key validation. NIST specified a few checks to perform, but there are more we could do (e.g. whether the decoded coefficients of \hat{s} are bounded).
>> 
>> Of course a big advantage is storage space: the seeds are much smaller.
>> 
>> Now, how do we want to proceed? I see a few options.
>> 
>> 1. Ignore the seed as private key.
>> 
>> 2. Allow both seed and the expanded private key.
>> 
>> 3. Assign separate algorithm for seed-as-private-key.
>> 
>> 4. Switch to seed as private key only.
>> 
>> I prefer 4, and would otherwise go for 1.
>> 
>> The downside of 2 is that it adds complexity without the gain of simplifying verification. If one only cares about size savings, then one can use seed-as-private-key without needing a portable format for it.
>> 
>> So I'd prefer 4 and 1 second.
>> 
>> Best,
>> 
>> Bas
>> _______________________________________________
>> Spasm mailing list -- spasm@ietf.org
>> To unsubscribe send an email to spasm-leave@ietf.org
> 
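Editor's added example of the seed-as-private-key model Bas describes (option 4: the seed is the only thing stored or transferred, and the expanded key is re-derived via KeyGen_internal on load). This is not code from the thread or from any participant; it assumes Go 1.24 or later, whose standard-library crypto/mlkem package exposes an ML-KEM-768 private key only as its 64-byte seed.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// SeedRoundTrip persists nothing but the 64-byte seed, re-expands the
// decapsulation key from it, and checks that the reloaded key still
// decapsulates a ciphertext a peer produced for the original public key.
func SeedRoundTrip() (seed []byte, ok bool, err error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, false, err
	}
	seed = dk.Bytes() // the seed, not the multi-kilobyte expanded key
	if len(seed) != mlkem.SeedSize {
		return nil, false, fmt.Errorf("unexpected seed size %d", len(seed))
	}

	// Peer side: encapsulate to the public key of the original key pair.
	sharedPeer, ct := dk.EncapsulationKey().Encapsulate()

	// "Reload" from storage: expansion from the seed is the KeyGen step.
	dk2, err := mlkem.NewDecapsulationKey768(seed)
	if err != nil {
		return nil, false, err
	}
	sharedLocal, err := dk2.Decapsulate(ct)
	if err != nil {
		return nil, false, err
	}
	samePub := bytes.Equal(dk.EncapsulationKey().Bytes(), dk2.EncapsulationKey().Bytes())
	return seed, samePub && bytes.Equal(sharedPeer, sharedLocal), nil
}

// LoadSeed is the whole "private key validation" a seed-only format needs:
// every 64-byte string is a valid seed, so only the length can be wrong.
func LoadSeed(blob []byte) (*mlkem.DecapsulationKey768, error) {
	if len(blob) != mlkem.SeedSize {
		return nil, fmt.Errorf("ML-KEM-768 seed must be %d bytes, got %d", mlkem.SeedSize, len(blob))
	}
	return mlkem.NewDecapsulationKey768(blob)
}

func main() {
	seed, ok, err := SeedRoundTrip()
	fmt.Printf("stored %d bytes, round trip ok=%v err=%v\n", len(seed), ok, err)
}
```

Contrast with an expanded-key format: there the loader must also check the encoded polynomial coefficients and hashes, which is the validation burden the thread points out.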