Skip to main content

IETF conflict review for draft-atkins-suit-cose-walnutdsa
conflict-review-atkins-suit-cose-walnutdsa-01

Yes


No Objection

Erik Kline
Murray Kucherawy
Warren Kumari
(Alvaro Retana)
(Barry Leiba)
(Deborah Brungard)
(Martin Duke)
(Robert Wilton)

Note: This ballot was opened for revision 00 and is now closed.

Ballot question: "Is this the correct conflict review response?"

Erik Kline
No Objection
Murray Kucherawy
No Objection
Roman Danyliw
(was Discuss) No Objection
Comment (2021-01-12) Sent for earlier
Thanks for incorporating my DISCUSS feedback into note.  

----

I concur with the conflict review conclusion.

For the IESG
==========
As background for the IESG, the NIST Post-Quantum Cryptography initiative is an iterative, multi-round (multi-year) selection process for algorithms:

Round 3 = https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions

Round 2 = https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

Round 1 = https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

WalnutDSA was part of only Round 1 (no judgement implied)

A similar process was used to select what we currently know as AES and SHA2.
Warren Kumari
No Objection
Éric Vyncke
No Objection
Comment (2020-08-27 for -00) Not sent
I like Roman's suggestion for the IESG note.
Benjamin Kaduk Former IESG member
Yes
Yes (2020-08-24 for -00) Sent
To the IESG
===========
The -05 has text requesting a codepoint allocation from a "Standards
Action" range, but the authors and ISE have confirmed that this was a
copy/paste issue from a different draft and will be addressed prior to
publication.

There is also a bit of related work in flight whereby
draft-ietf-cose-rfc8152bis-algs is introducing "COSE Capabilities" (see
Section 4 comments) that would need to be defined for the key type and
algorithm specified by this document.  However, my opinion is that the
"capabilities" concept is not fundamentally changing the operation of
COSE, and thus that defining capabilities for WalnutDSA could be done in
a separate document after -algs is published; as such, it does not seem
to merit a "please wait to publish <X> until <Y> is published" type
response.  (That said, I still encourage the authors to specify what the
capabilities should be at this time, instead of waiting.)

More worrisome is that this document claims to provide a "post-quantum
secure" algorithm at a time when the IETF consensus is to wait for the
outcome of the NIST contest before specifying post-quantum algorithms.
In some sense this constitutes a case where publication is harmful, akin
to the example in Section 5 of RFC 5742, whereby the "rejected
alternative" gets published before the WG solution.  However, there is
not currently a WG solution under consideration, and thus no clear <Y>
to use in "please wait to publish <X> until <Y> is published".

I do note that "please wait to publish <X> until <Y> is published" is
not one of the enumerated classes of response in RFC 5742, rather, we
would be expected to use:

   3. The IESG has concluded that publication could potentially disrupt
      the IETF work done in WG <X> and recommends not publishing the
      document at this time.

to achieve such an effect.  However, the COSE Algorithms registry does
have a separation of codepoint ranges into the "anyone can get one" and
"IETF approved" (paraphrasing) ranges, so my expectation is that the
codepoint range would be more useful to an implementor/user looking at
what algorithm to use than the "lower RFC number" metric.  As such, I
don't have a clear justification for how publication would "disrupt IETF
work in the COSE WG".  My proposal is therefore to use the "type 2"
response:

   2. The IESG has concluded that this work is related to IETF work done
      in WG <X>, but this relationship does not prevent publishing.

with an IESG Note indicating that the IETF is waiting for external
events (NIST) before undertaking work on post-quantum secure algorithms.

To the Authors/IESG
===================

Please find below some review comments on the draft, based on notes I
made while reviewing the document.

Abstract

What are "constrained16807 environments"?

Section 1

   This document specifies the conventions for using the Walnut Digital
   Signature Algorithm (WalnutDSA) [WALNUTDSA] for digital signatures
   with the CBOR Object Signing and Encryption (COSE) [RFC8152] syntax.

(There is an 8152bis effort underway to get Internet Standard status
that even made it as far as IESG evaluation, but got pulled back because
a flaw in how countersignatures are specified.  There probably is not a
reason to sequence publication of this document after those documents,
though.)

   small processors.  Unlike many hash-based signatures, there is no
   state required and no limit on the number of signatures that can be
   made.  WalnutDSA private and public keys are relatively small;

I'm not sure if this statement is intended to place WalnutDSA as
belonging to the category of "hash-based signatures".  (I would argue
that it does not; the hash seems to just be used to digest the message
to a form smaller than the native input size for the "main" algorithm.)

   algorithm.  The goal of thie specification is to document a method to

nit: s/thie/the/ or s/thie/this/ (probably the latter)

Section 1.1

   Recent advances in cryptanalysis [BH2013] and progress in the

(Does 2013 still count as "recent"?)

   deployed digital signature algorithms.  As a result, there is a need
   to prepare for a day that cryptosystems such as RSA and DSA that
   depend on discrete logarithm and factoring cannot be depended upon.

nit(?): maybe "the discrete logarithm problem or factorization"?
(Also when it appears later on.)

I also note that draft-hoffman-c2pq is adopted in the CFRG and attempts
to go into a fair bit more detail on "the need to prepare", so might be
worth considering a reference to.

Section 3

Some disambiguation about "the infinite group" and "N defines the size
of the group" might be in order (but it's not material to the actual
content of the draft, so it might not, too).

   The main parameters are N and q.  The parameter N defines the size of
   the group and implies working in an NxN matrix.  The parameter q
   defines the size of the finite field (in q elements).  Signature

nit(?): the "in" in the parenthetical feels weird to me.  It's just
clarifying that "defines the size of the field" is "the size is the
value of the parameter" (vs. some more complicated function), right?  So
maybe "The parameter q specifies the number of elements in the finite
field" directly?

Section 4

draft-ietf-cose-rfc8152bis-algs (part of the 8152bis effort mentioned
previously, now in the RFC Editor queue) introduces the concept of "COSE
Capabilities".  It may be worth investigating now what capabilities (if
any) would be specified for these key types to avoid the need for a
follow-up specification.

   o  If the 'kid' field is present, it MAY be used to identify the
      WalnutDSA Key.

This is not quite true -- recall that "[t]here may be more than one key
with the same 'kid' value", and as such 'kid' cannot (in general) serve
as a unique key identifier.

Section 5.1

(I note that RFC 4086 is BCP 106.)

Section 5.2

   The Walnut Digital Signature Algorithm has undergone significant
   cryptanalysis since it was first introduced, and several weaknesses
   were found in early versions of the method, resulting in the
   description of several exponential attacks.  A full writeup of all

nit(?): my understanding is that "exponential attack" is not a term of
art, so an alternate phrasing like "attacks of exponential computational
complexity" might be appropriate.  (Also occurs later.)

   the analysis can be found in [WalnutDSAAnalysis].  In summary, the
   original suggested parameters were too small, leading to many of
   these exponential attacks being practical.  However, current

I would suggest calling out the original proposed parameter sets (e.g.,
N=8, q=32 IIUC?) to contrast against the modifications needed to achieve
the desired security level as a result of the security reviews.

   First, the team of Hart et al found a universal forgery attack based
   on a group factoring problem that runs in O(q^((N-1)/2)) with a
   memory complexity of log_2(q) N^2 q^((N-1)/2).  With parameters N=10
   and q=M31 (2^31 - 1), the runtime is 2^139 and memory complexity is
   2^151.  W.  Beullens found a modification of this attack but its
   runtime is even longer.

If you're going to use the "M31" (and "M61", later) notation, it's
probably worth mentioning the phrase "Mersenne number" somehow.

   Specifically, they require that q^dimension > 2^(2*Security Level).
   With N=10, the current encoder produces a dimension of 66 which
   clearly provides sufficient security.

(The new q of M31 or M61 is also required; q=32, N=10 wouldn't cut it.)

   Finally, Merz and Petit discovered that using a Garside Normal Form
   of a WalnutDSA signature enabled them to find commonalities with the
   Garside Normal Form of the encoded message.  Using those
   commonalities they were able to splice into a signature and create
   forgeries.  Increasing the number of cloaking elements, specifically
   within the encoded message, sufficiently obscures the commonalities
   and blocks this attack.

The previous paragraphs had numerical formulae that even a
non-cryptographer can verify are satisfied; is there not such a formula
for the ability of cloaking elements to obscure commonalities between
message and signature that could be listed?

   In summary, most of these attacks are exponential in run time and can
   be shown that current parameters put the runtime beyond the desired
   security level.  The final two attacks are also sufficiently blocked
   to the desired security level.

Earlier we implied that *all* (not just "most of") the attacks were
exponential.  The formulae I see are exponential, which seems to just
leve the Garside Normal Form/commonalities forgery attack as potentially
non-exponential.  Is it, or is it not exponential?

Section 6.3

In IETF protocols we have been seeing a recent trend to, essentially,
have only "one joint" for describing how the protocol/algorithm varies,
as opposed to a cornucopia of parameters that allows for the user to
produce unsafe configurations (among other things).  Having fewer
parameters to encode also produces a shorter encoding, of course.  Given
that the rest of the recent literature has been showing parameters with
N=1 and either q=M31 or q=M1, perhaps some reduction in the number of
key parameters could be considered.

Section 6.3.4, 6.3.6

Are the matrices encoded in row-major or column-major form?

Also, given that [WALNUTDSA] just talks about a public key being "two
matrix and permutation pairs", it's not clear how much value we get from
splitting them into separate key parameters and labeling them "one" and
"two".

Also^2, doesn't that imply that we need a "permutation 2" key parameter?

Section 7.2

I feel like at least one of [WALNUTDSA] and [WALNUTSPEC] should be
classified as normative, as you will need to read those quite carefully
in order to actually generate a COSE signature for this key/algorithm
type.
Alvaro Retana Former IESG member
No Objection
No Objection (for -00) Not sent

                            
Barry Leiba Former IESG member
No Objection
No Objection (for -00) Not sent

                            
Deborah Brungard Former IESG member
No Objection
No Objection (for -00) Not sent

                            
Martin Duke Former IESG member
No Objection
No Objection (for -00) Not sent

                            
Robert Wilton Former IESG member
No Objection
No Objection (for -00) Not sent