OASIS PKCS 11 TC

 View Only

  • 1.  pq signature update 2 uploaded

    Posted 09-26-2024 17:53
    Submitter's message
    This contains the diffs from the last signature update. Including the following already voted on changes:

    - removal of Falcon
    - rename CKM_XXXX_PREHASH[_YYYY] to CKM_HASH_XXXX[_YYYY]

    And the following we agreed to in spirit, but not yet approved.

    - prose changes in line with the xxxx prehash to hash xxxx.
    - removal of deterministic mechanism and replacing them with a new parameter to CK_*SIGN_ADDITIONAL_CONTEXT.
    - removal of deterministic mechanisms from the prose
    - explanation of the hedge parameters in the prose.

    Fix clear errors in the original update
    - copy paste error in SHL where some SHL mechanisms still hand ML
    - copy past errors where the SHL spec was referenced as FIPS 204 rather than FIPS 205

    What you should focus on in the review:
    - errors in english or better way of wording the semantics.
    - bikeshedding of the entire hedge ID names and variable types *IS* welcome.
    - bikeshedding of the spelling of CK_*SIGN_ADDITIONAL_CONTEXT is also welcome, now that it has grown additional purposes.
    - ideas of where we may put the descriptions of how the above structures are used so we don't have it copied in every PQ mechanism prose over and over?

    bob
    -- Mr. Robert Relyea
    Document Name: pq signature update 2
    Description
    update to the last signature update based on the results of the last two
    meetings.
    Download Latest Revision
    Public Download Link
    Submitter: Mr. Robert Relyea
    Group: OASIS PKCS 11 TC
    Folder: Working Drafts
    Date submitted: 2024-09-26 21:52:45


    ---------------------------------
    Robert Relyea
    Principle Software Engineer
    Red Hat
    Mountain View CA
    ---------------------------------


  • 2.  RE: pq signature update 2 uploaded

    Posted 10-08-2024 06:29

    Hi Bob,

    the updates look good.  I have two points on this text in "1.2.5 ML-DSA Signature": "Verification is only single part or using VerifySignature interface". 

    My first point is editorial. To make it clearer, it should probably be "Verification is only for single part verifications or multipart verifications when the C_VerifySignatureInit interface is used"; or something similar.

    My second point is a question; why is it single part verify only unless C_VerifySignatureInit used?  This sounds like a unnecessary restriction given how ML-DSA works. There are many ways that a token could do this. For example; C_VerifyInit+C_VerifyUpdate can cover the external function and steps 6 and 7 (just hashing the public key and the M`). It could include step 1 as well or defer it to the final operation. The remaining steps can be done in the C_VerifyFinal call with no introduced risks.  ML-DSA is different from SLH-DSA, which does have this limitations because it hashes (R || PK.seed || PK.root || M`).

    Tokens may vary on how they implement algorithms.  Maybe we should have mechanism flags to indicate single vs multipart support based on the individual token's limitations.

    Thanks

    Darren



    ------------------------------
    Darren Johnson
    THALES
    ------------------------------

    Original Message


  • 3.  RE: pq signature update 2 uploaded

    Posted 10-08-2024 13:13
    On 10/8/24 3:29 AM, Darren Johnson via OASIS wrote:

    Hi Bob,

    the updates look good.  I have two points on this text in "1.2.5 ML-DSA Signature": "Verification is only single part or using VerifySignature interface". 

    My first point is editorial. To make it clearer, it should probably be "Verification is only for single part verifications or multipart verifications when the C_VerifySignatureInit interface is used"; or something similar.

    Yes, that sounds fine. If we decide to remove it based on your second comment, your wording would still apply to HSS, XMSS, and SLH-DSA.

    My second point is a question; why is it single part verify only unless C_VerifySignatureInit used?  This sounds like a unnecessary restriction given how ML-DSA works. There are many ways that a token could do this. For example; C_VerifyInit+C_VerifyUpdate can cover the external function and steps 6 and 7 (just hashing the public key and the M`). It could include step 1 as well or defer it to the final operation. The remaining steps can be done in the C_VerifyFinal call with no introduced risks.  ML-DSA is different from SLH-DSA, which does have this limitations because it hashes (R || PK.seed || PK.root || M`).

    I was being consistent with the other PQ signatures (including HSS and XMSS). We be believe you can start hashing immediately in ML-DSA without buffering and the original signature, I would be OK with removing this restriction.

    Tokens may vary on how they implement algorithms.  Maybe we should have mechanism flags to indicate single vs multipart support based on the individual token's limitations.

    That would be beyond what we can do in 3.2 if we want to keep our current timelines, but taking on the whole mechanism info resolution in PKCS #11 v3.3 would be a great idea.

    Thanks

    Darren

     





    Original Message


  • 4.  RE: pq signature update 2 uploaded

    Posted 10-10-2024 09:15

    All,

     

    while integrating PQ Signature Update 2 into PKCS#11 v3.2 working draft 06, I stumbled upon the following inconsistency / ambiguity (please notice that sections number refer to the sections in the PDF proposal, not in the Word working draft):

    • section 1.1.2 defines "CK_XMSS_OID is the XMSS oid defined in [RFC 8391] and [NIST SP800-208]." , typedefs CK_XMSS_OID as CK_ULONG, and uses CK_XMSS_OID as data type in CKA_PARAMETER_SET. The example uses value 0x01 for the oid.
    • section 1.1.3 has same wording and typedef for CK_XMSSMT_OID
    • in section 1.1.4 and 1.1.5, "Byte array" is declared as data type for CKA_PARAMETER_SET, while the description talks about "oid as defined above". The example again uses 0x01 as value for the oid.

    I assume that this inconsistency is left over from a previous draft. Unless anyone objects, I will replace "byte array" by CK_XMSS_OID / CK_XMSSMT_OID

     

    ... but wait ...

     

    I see an ambiguity in using the term "OID":

    • RFC 8391 uses the term OID but doesn't define any. SP800-208 does not use the term OID but uses the term "parameter set" instead. Both standards are thus inconsistent with regard to wording.
    • When reading "OID" I think of object identifier or algorithm identifier of the form a.b.c.d... , e.g. the XMSS public key OID id-alg-xmss-hashsig  OBJECT IDENTIFIER ::= { itu-t(0) identified-organization(4) etsi(0) reserved(127)  etsi-identified-organization(0) isara(15) algorithms(1) asymmetric(1) xmss(13) 0 } defined in Internet X.509 Public Key Infrastructure: Algorithm Identifiers for HSS and XMSS (ietf.org) but this is not encodable in CK_ULONG, and we don't reference this page
    • The parameter sets in SP800-208 are small integer values and can easily be encoded in CK_ULONG

     

    I guess CKA_PARAMETER_SET shall encode the parameter set as defined in SP800-208. We may resolve the current ambiguity by

    1. Keep using the terms oid and CK_XMSS_OID/CK_XMSSMT_OID, but explicitly state in the text that oid means parameter set as defined in SP800-208; or
    2. Remove the definition of CK_XMSS_OID/CK_XMSSMT_OID, and instead talk about XMSS/XMSSMT parameter sets, and use data type CK_ULONG for CKA_PARAMETER_SET

    I have a preference for option 2, as it avoids any confusion between oid and parameter set. What do you think?

     

    Thanks,

    Dieter

     



    Utimaco IS GmbH
    Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
    Seat: Aachen – Registergericht Aachen HRB 18922
    VAT ID No.: DE 815 496 496
    Managing Directors: Stefan Auerbach, Martin Stamm, Hacan Tiwemark
    You will find our data protection information for customers and business partners here.

    This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email.



    Original Message


  • 5.  RE: pq signature update 2 uploaded

    Posted 10-10-2024 10:28

    Update for solving the ambiguity -> 3 options:

    1. Keep using the terms oid and CK_XMSS_OID/CK_XMSSMT_OID, but explicitly state in the text that oid means parameter set as defined in SP800-208; or
    2. Remove the definition of CK_XMSS_OID/CK_XMSSMT_OID, and instead talk about XMSS/XMSSMT parameter sets, and use data type CK_ULONG for CKA_PARAMETER_SET
    3. Rename CK_XMSS_OID/CK_XMSSMT_OID to CK_XMSS_PARAMETER_SET_TYPE/ CK_XMSSMT_PARAMETER_SET_TYPE and thus use a similar naming as in "typedef CK_ULONG CK_ML_DSA_PARAMETER_SET_TYPE"

    Having added option 3, this becomes my preferred option.

    Best regards,

    Dieter

     




    Original Message


  • 6.  RE: pq signature update 2 uploaded

    Posted 10-10-2024 14:16

    THALES GROUP LIMITED DISTRIBUTION to email recipients

     

    Hi,

    I think all the options make sense. If I had to vote, I vote for option 3 mostly because we have started to use "parameter set" for many other algorithms.

    Rather than call it an OID, we culd explain it as something like "the Numeric Identifier defined in SP800-108".

     

    Thanks

    Darren

     




    Original Message


  • 7.  RE: pq signature update 2 uploaded

    Posted 10-15-2024 06:57
      |   view attached

    See attached a version of section 6.66 XMSS and XMSSMT after changing the parameter set definition to CK_XMSS[MT]_PARAMETER_SET_TYPE to align with ML-DSA and SLH-DSA, and using the wording suggested by Darren. I'll include this wording into PKCS#11 v3.2 working draft 06, hoping that it finds consensus.

    Best regards,

    Dieter



    ------------------------------
    Dieter Bong
    Manager Standardization and Strategic Projects
    Utimaco IS GmbH
    ------------------------------

    Attachment(s)

    pdf
    XMSS and XMSSMT.pdf   442 KB 1 version
    Original Message


Related Content