On Thu, Mar 10, 2022 at 03:20:43PM -0500, Rafael Misoczki wrote: > I'm not quite familiar with kty's and OKP's yet (sorry, I hope to ramp up > soon) but from a pure crypto perspective, here are my two cents: > > History has shown that anytime we left room for ambiguity in terms of the > primitive being used, we saw some sort of downgrade attacks in the wild. > See for example this attack > <https://www.youtube.com/watch?v=CiH6iqjWpt8&t=1428s> where AES-GCM is > replaced by the weaker AES-CBC, thus being exploited as an efficient > padding oracle. > > For PQC, things are even trickier because most of them employ several > cryptographic building blocks. The choice for these building blocks has > critical security implications, so I won't consider them "equivalent". For > example, SPHINCS+ using SHA256 or the more efficient Haraka are secure but > I won't be so sure if some other (second pre-image vulnerable) hash > function is plugged in. > > Again, I'm not very familiar with all the nuances for the kty's design but > being as specific as possible may have some security benefits.
Yes, in general, using one key with multiple algorithms is crypto- graphically unsound. Safety would have to be evaluated at case-by-case basis. That is a reason for any cryptographic key material to state what algorithm it is intended to be used with. However, Taking this to the logical conclusion would lead to the ultimate algorithm overload. And I think that any "hash" function that fails 2nd preimage resistance is utterly worthless (similarly to any key exchange that fails OW-CONF security). Fortunately that seems to be extremely rare. I think the last time any "serious" hash function has failed that way was SNEFRU (1990). However, even just failing collision resistance is a cause for grave concern. And with parametrizing asymmetric primitives, some primitives use parameters like hash functions in public key derivation. So what public key goes with what private key depends on hash function. And this might not change lengths of the fields, so it is possible for an implementation to try use wrong one. -Ilari _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
