On Wed, Jul 06, 2022 at 10:04:00AM +0200, Anders Rundgren wrote:
> I agree.  New crypto systems should follow the standard for "kty":
> https://datatracker.ietf.org/doc/html/rfc7517#section-4.1
> 
>    The "kty" (key type) parameter identifies the cryptographic
>    algorithm family used with the key, such as "RSA" or "EC"

COSE defines things a bit differently:

     This parameter is used to identify the family of keys for this
     structure and, thus, the set of key-type-specific parameters to be
     found.

> Putting different PQ crypto systems under the same moniker would be
> a mistake regardless of the system's maturity. Distinct names permit
> dynamic registration of cryptographic providers which is used by
> platforms like Java.

One should note that dynamic registration at the crv(okp) level and at the
kty level requires very different interfaces. The reason is that the first
has to deal with a fixed keyshape, while the latter has to deal with
arbitrary keyshapes. And crv(ec2) is yet another keyshape, requiring yet
another interface for dynamic registration (and watch out for
key-algorithm pairs that would work, but are prohibited).

For the relative difficulty of designing such an interface, crv(okp) is
the easiest, followed by crv(ec2), and kty is the hardest.

And things get even less pleasant if two kty's actually have the same
keyshape, as that will result in code duplication to parse the keyshape.
Currently, no two keyshapes are the same (OKP and HSS-LMS are
subtly different, as OKP has private keys, but HSS-LMS does not).


And with regards to there being more OKP crv's in the future, the test
implementation of COSE-HPKE I wrote uses five new OKP crv values...


And with regards to X.509, each key type is its own keyshape. And
because Ed25519 and Ed448 are their own key types, that means
duplicating code to parse the keyshapes (the TLS implementation I have
written indeed duplicates that code). Fortunately, Ed25519 and Ed448
public keys have the simplest keyshape there is.



-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
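An added example (not Ilari's code, nor any COSE library's) of the two registration interfaces the message contrasts: a fixed-keyshape data entry per OKP crv versus a whole parser per kty, plus the "would work but is prohibited" key/alg check. It assumes the COSE_Key has already been CBOR-decoded into a Python dict keyed by the integer labels of RFC 9052/9053; the sample keys in the test are constructed.

```python
# Added example (not from the thread). Input: an already CBOR-decoded COSE_Key
# map using the integer labels of RFC 9052/9053. Sample keys are constructed.
KTY, ALG, CRV, X, Y, D = 1, 3, -1, -2, -3, -4      # COSE_Key map labels
KTY_OKP, KTY_EC2 = 1, 2
ALG_EDDSA, ALG_ECDH_ES_HKDF_256 = -8, -25

# crv-level registry for OKP: every OKP key is just "x" plus optional "d",
# so a new curve is one (name, coordinate size, algs allowed with it) entry.
OKP_CURVES = {
    4: ("X25519", 32, {ALG_ECDH_ES_HKDF_256}),
    6: ("Ed25519", 32, {ALG_EDDSA}),
    7: ("Ed448", 57, {ALG_EDDSA}),
}

def parse_okp(key):
    try:
        name, size, algs = OKP_CURVES[key[CRV]]
    except KeyError:
        raise ValueError(f"unknown OKP crv {key.get(CRV)}") from None
    if X not in key:
        raise ValueError(f"{name}: missing x")
    for label in (X, D):
        if label in key and len(key[label]) != size:
            raise ValueError(f"{name}: field {label} must be {size} bytes")
    # "would work but is prohibited": e.g. an X25519 key declared for EdDSA
    if ALG in key and key[ALG] not in algs:
        raise ValueError(f"{name} key may not carry alg {key[ALG]}")
    return {"kty": "OKP", "crv": name, "x": key[X], "d": key.get(D)}

EC2_CURVES = {1: ("P-256", 32), 2: ("P-384", 48), 3: ("P-521", 66)}

def parse_ec2(key):
    # A different keyshape (x and y coordinates; compressed y-as-bool not handled)
    name, size = EC2_CURVES[key[CRV]]
    for label in (X, Y):
        if not isinstance(key.get(label), bytes) or len(key[label]) != size:
            raise ValueError(f"{name}: coordinate {label} must be {size} bytes")
    return {"kty": "EC2", "crv": name, "x": key[X], "y": key[Y]}

# kty-level registry: each entry is a whole parser, not a data tuple.
KTY_PARSERS = {KTY_OKP: parse_okp}

def register_kty(kty, parser):
    KTY_PARSERS[kty] = parser

def parse_cose_key(key):
    parser = KTY_PARSERS.get(key.get(KTY))
    if parser is None:
        raise ValueError(f"unsupported kty {key.get(KTY)}")
    return parser(key)
```

Adding an OKP curve touches only `OKP_CURVES`; adding a key type means writing and registering a parser such as `parse_ec2`.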