On Tue, Mar 15, 2022 at 11:16:34AM -0400, Mike Prorock wrote:
> Orie,
> I think other alternative would be:
> kty: PQL // post quantum - lattice based
> alg: CRYDI3 // crystals dilithium, parameter set 3
> x: public
> d: private

"Lattice-based post quantum" is not a valid key type. It is not a single key shape (unlike every kty currently defined). And it does not look to be helpful even for working around algorithm dispatch issues in implementations, as, e.g., Dilithium and Kyber are both lattice post-quantum algorithms, but wildly different.

If that kty is supposed to be octet-keypair for a given alg, that would be defensible (mixing algorithms for the same key is unsound), but the name for that kty would not be PQL.

There is also an actual security problem with this: Serious cryptographers are very uncomfortable with unhybridized post-quantum algorithms (with the exception of hash signatures) at the moment. Gaining confidence on such things will take years at the very least.

> and
> kty: PQH // post quantum - hash based
> alg: SP-SHAKE256-[n]-[w]-[h]-[d]-[k]-[t] // SPHINCS+, shake256, parameter
> set as noted
> x: public
> d: private

One really should stay away from those parameters and use parameter sets made by experts, as at least some of those parameters will absolutely destroy security if set the wrong way.

And "Hash-based post quantum" is also not a valid key type.

-Ilari
