On Tue, Aug 20, 2024 at 02:26:00PM -0400, Phillip Hallam-Baker wrote:
> 
> I am looking for guidance on algorithm identifiers for ML-KEM and ML-DSA, I
> understand that the drafts are not yet final. But I need to push code that
> has PQC roots embedded before that is going to happen and would like to
> follow as close as possible to what the final choices are going to be.

If not using registered values, JOSE recommends using Collision-Resistant
Names. Examples include URLs, OIDs and UUIDs.

For ML-KEM keys, use "kty":"OKP" with new crv values (three in total).

For algorithms, one needs to patch ECDH-ES/ECDH-ES+A256KW a bit to use
a KEM instead of ECDH. The three operations JOSE does with ECDH-ES turn
out to exactly correspond to the three standard KEM ops!

For ML-DSA keys, things are less clear. The ML-DSA and SLH-DSA drafts
define two new key types. However, the algorithms are in the same
cryptographic algorithm family (distinct from any current family),
so should use the same key type.

Then there is the issue that both ML-DSA and SLH-DSA support
pre-hashing. Things would be much simpler if one could just ignore
that.


> Since I need to ship before the specs are final, I will probably use:
> 
> MLKa1024
> MLDa87
> 
> I see no need for other identifiers since I cannot imagine anyone who is so
> concerned about CRQC robustness as to use PQC not using the highest
> strength available at this point. Also, I want to stress test with the
> biggest payloads.

Those two are the only ones from ML-* approved for secret stuff (up
to Top Secret).




-Ilari

_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
