IETF conflict review for draft-atkins-suit-cose-walnutdsa
conflict-review-atkins-suit-cose-walnutdsa-01
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2021-02-15
|
01 | Cindy Morgan | The following approval message was sent From: The IESG To: Adrian Farrel , draft-atkins-suit-cose-walnutdsa@ietf.org, rfc-ise@rfc-editor.org Cc: IETF-Announce , … The following approval message was sent From: The IESG To: Adrian Farrel , draft-atkins-suit-cose-walnutdsa@ietf.org, rfc-ise@rfc-editor.org Cc: IETF-Announce , The IESG , iana@iana.org Subject: Results of IETF-conflict review for draft-atkins-suit-cose-walnutdsa-07 The IESG has completed a review of draft-atkins-suit-cose-walnutdsa-07 consistent with RFC5742. The IESG has no problem with the publication of 'Use of the Walnut Digital Signature Algorithm with CBOR Object Signing and Encryption (COSE)' as an Informational RFC. The IESG has concluded that this work is related to IETF work done in WG COSE, but this relationship does not prevent publishing. Additionally, the IESG requests the following note be added to the document if it is published: This document proposes a cryptographic signature algorithm that is claimed to be "post-quantum secure". The IETF takes no position on these claims. Development of such algorithms is an active topic of great interest to the Internet community, but the IETF has chosen to defer selection and publication of "post-quantum secure" algorithms until after the conclusion of the NIST "Post-Quantum Cryptography" Project (https://csrc.nist.gov/projects/post-quantum-cryptography). The NIST-sponsored endeavor (whose participants include cryptographic experts from around the world) provides substantially more cryptographic expertise than is available solely within the IETF, and the IESG believes it is in the best interest of the Internet community to take advantage of the in-depth cryptographic reviews performed during the NIST project before selecting "post-quantum secure" algorithms for standardization. The IESG would also like the Independent Submissions Editor to review the comments in the datatracker related to this document and determine whether or not they merit incorporation into the document. Comments may exist in both the ballot and the history log. The IESG review is documented at: https://datatracker.ietf.org/doc/conflict-review-atkins-suit-cose-walnutdsa/ A URL of the reviewed Internet Draft is: https://datatracker.ietf.org/doc/draft-atkins-suit-cose-walnutdsa/ The process for such documents is described at https://www.rfc-editor.org/indsubs.html Thank you, The IESG Secretary |
2021-02-15
|
01 | Cindy Morgan | IESG has approved the conflict review response |
2021-02-15
|
01 | Cindy Morgan | Closed "Approve" ballot |
2021-02-15
|
01 | Cindy Morgan | Conflict Review State changed to Approved No Problem - announcement sent from Approved No Problem - announcement to be sent |
2021-02-15
|
01 | Cindy Morgan | Conflict Review State changed to Approved No Problem - announcement to be sent from IESG Evaluation |
2021-01-12
|
01 | Roman Danyliw | [Ballot comment] Thanks for incorporating my DISCUSS feedback into note. ---- I concur with the conflict review conclusion. For the IESG ========== As background for … [Ballot comment] Thanks for incorporating my DISCUSS feedback into note. ---- I concur with the conflict review conclusion. For the IESG ========== As background for the IESG, the NIST Post-Quantum Cryptography initiative is an iterative, multi-round (multi-year) selection process for algorithms: Round 3 = https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions Round 2 = https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions Round 1 = https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions WalnutDSA was part of only Round 1 (no judgement implied) A similar process was used to select what we currently know as AES and SHA2. |
2021-01-12
|
01 | Roman Danyliw | [Ballot Position Update] Position for Roman Danyliw has been changed to No Objection from Discuss |
2021-01-08
|
01 | Benjamin Kaduk | New version available: conflict-review-atkins-suit-cose-walnutdsa-01.txt |
2020-09-08
|
00 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2020-09-03
|
00 | Robert Wilton | [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton |
2020-08-27
|
00 | Cindy Morgan | Telechat date has been changed to 2020-09-10 from 2020-08-27 |
2020-08-27
|
00 | Éric Vyncke | [Ballot comment] I like Roman's suggestion for the IESG note. |
2020-08-27
|
00 | Éric Vyncke | [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke |
2020-08-26
|
00 | Barry Leiba | [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba |
2020-08-26
|
00 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2020-08-26
|
00 | Roman Danyliw | [Ballot discuss] As noted below, I agree with the conflict review conclusion. Let's discuss on whether we should make a slightly stronger IESG note: OLD … [Ballot discuss] As noted below, I agree with the conflict review conclusion. Let's discuss on whether we should make a slightly stronger IESG note: OLD This document proposes a cryptographic signature algorithm that is claimed to be "post-quantum secure". Development of such algorithms is an active topic ..., NEW This document proposes a cryptographic signature algorithm that is claimed to be "post-quantum secure". The IETF takes no position on these claims. Development of such algorithms is an active topic ... |
2020-08-26
|
00 | Roman Danyliw | [Ballot comment] I concur with the conflict review conclusion. For the IESG ========== As background for the IESG, the NIST Post-Quantum Cryptography initiative is an … [Ballot comment] I concur with the conflict review conclusion. For the IESG ========== As background for the IESG, the NIST Post-Quantum Cryptography initiative is an iterative, multi-round (multi-year) selection process for algorithms: Round 3 = https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions Round 2 = https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions Round 1 = https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions WalnutDSA was part of only Round 1 (no judgement implied) A similar process was used to select what we currently know as AES and SHA2. |
2020-08-26
|
00 | Roman Danyliw | [Ballot Position Update] New position, Discuss, has been recorded for Roman Danyliw |
2020-08-26
|
00 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2020-08-26
|
00 | Murray Kucherawy | [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy |
2020-08-25
|
00 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
2020-08-24
|
00 | Martin Duke | [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke |
2020-08-24
|
00 | Benjamin Kaduk | [Ballot comment] To the IESG =========== The -05 has text requesting a codepoint allocation from a "Standards Action" range, but the authors and ISE have … [Ballot comment] To the IESG =========== The -05 has text requesting a codepoint allocation from a "Standards Action" range, but the authors and ISE have confirmed that this was a copy/paste issue from a different draft and will be addressed prior to publication. There is also a bit of related work in flight whereby draft-ietf-cose-rfc8152bis-algs is introducing "COSE Capabilities" (see Section 4 comments) that would need to be defined for the key type and algorithm specified by this document. However, my opinion is that the "capabilities" concept is not fundamentally changing the operation of COSE, and thus that defining capabilities for WalnutDSA could be done in a separate document after -algs is published; as such, it does not seem to merit a "please wait to publish until is published" type response. (That said, I still encourage the authors to specify what the capabilities should be at this time, instead of waiting.) More worrisome is that this document claims to provide a "post-quantum secure" algorithm at a time when the IETF consensus is to wait for the outcome of the NIST contest before specifying post-quantum algorithms. In some sense this constitutes a case where publication is harmful, akin to the example in Section 5 of RFC 5742, whereby the "rejected alternative" gets published before the WG solution. However, there is not currently a WG solution under consideration, and thus no clear to use in "please wait to publish until is published". I do note that "please wait to publish until is published" is not one of the enumerated classes of response in RFC 5742, rather, we would be expected to use: 3. The IESG has concluded that publication could potentially disrupt the IETF work done in WG and recommends not publishing the document at this time. to achieve such an effect. However, the COSE Algorithms registry does have a separation of codepoint ranges into the "anyone can get one" and "IETF approved" (paraphrasing) ranges, so my expectation is that the codepoint range would be more useful to an implementor/user looking at what algorithm to use than the "lower RFC number" metric. As such, I don't have a clear justification for how publication would "disrupt IETF work in the COSE WG". My proposal is therefore to use the "type 2" response: 2. The IESG has concluded that this work is related to IETF work done in WG , but this relationship does not prevent publishing. with an IESG Note indicating that the IETF is waiting for external events (NIST) before undertaking work on post-quantum secure algorithms. To the Authors/IESG =================== Please find below some review comments on the draft, based on notes I made while reviewing the document. Abstract What are "constrained16807 environments"? Section 1 This document specifies the conventions for using the Walnut Digital Signature Algorithm (WalnutDSA) [WALNUTDSA] for digital signatures with the CBOR Object Signing and Encryption (COSE) [RFC8152] syntax. (There is an 8152bis effort underway to get Internet Standard status that even made it as far as IESG evaluation, but got pulled back because a flaw in how countersignatures are specified. There probably is not a reason to sequence publication of this document after those documents, though.) small processors. Unlike many hash-based signatures, there is no state required and no limit on the number of signatures that can be made. WalnutDSA private and public keys are relatively small; I'm not sure if this statement is intended to place WalnutDSA as belonging to the category of "hash-based signatures". (I would argue that it does not; the hash seems to just be used to digest the message to a form smaller than the native input size for the "main" algorithm.) algorithm. The goal of thie specification is to document a method to nit: s/thie/the/ or s/thie/this/ (probably the latter) Section 1.1 Recent advances in cryptanalysis [BH2013] and progress in the (Does 2013 still count as "recent"?) deployed digital signature algorithms. As a result, there is a need to prepare for a day that cryptosystems such as RSA and DSA that depend on discrete logarithm and factoring cannot be depended upon. nit(?): maybe "the discrete logarithm problem or factorization"? (Also when it appears later on.) I also note that draft-hoffman-c2pq is adopted in the CFRG and attempts to go into a fair bit more detail on "the need to prepare", so might be worth considering a reference to. Section 3 Some disambiguation about "the infinite group" and "N defines the size of the group" might be in order (but it's not material to the actual content of the draft, so it might not, too). The main parameters are N and q. The parameter N defines the size of the group and implies working in an NxN matrix. The parameter q defines the size of the finite field (in q elements). Signature nit(?): the "in" in the parenthetical feels weird to me. It's just clarifying that "defines the size of the field" is "the size is the value of the parameter" (vs. some more complicated function), right? So maybe "The parameter q specifies the number of elements in the finite field" directly? Section 4 draft-ietf-cose-rfc8152bis-algs (part of the 8152bis effort mentioned previously, now in the RFC Editor queue) introduces the concept of "COSE Capabilities". It may be worth investigating now what capabilities (if any) would be specified for these key types to avoid the need for a follow-up specification. o If the 'kid' field is present, it MAY be used to identify the WalnutDSA Key. This is not quite true -- recall that "[t]here may be more than one key with the same 'kid' value", and as such 'kid' cannot (in general) serve as a unique key identifier. Section 5.1 (I note that RFC 4086 is BCP 106.) Section 5.2 The Walnut Digital Signature Algorithm has undergone significant cryptanalysis since it was first introduced, and several weaknesses were found in early versions of the method, resulting in the description of several exponential attacks. A full writeup of all nit(?): my understanding is that "exponential attack" is not a term of art, so an alternate phrasing like "attacks of exponential computational complexity" might be appropriate. (Also occurs later.) the analysis can be found in [WalnutDSAAnalysis]. In summary, the original suggested parameters were too small, leading to many of these exponential attacks being practical. However, current I would suggest calling out the original proposed parameter sets (e.g., N=8, q=32 IIUC?) to contrast against the modifications needed to achieve the desired security level as a result of the security reviews. First, the team of Hart et al found a universal forgery attack based on a group factoring problem that runs in O(q^((N-1)/2)) with a memory complexity of log_2(q) N^2 q^((N-1)/2). With parameters N=10 and q=M31 (2^31 - 1), the runtime is 2^139 and memory complexity is 2^151. W. Beullens found a modification of this attack but its runtime is even longer. If you're going to use the "M31" (and "M61", later) notation, it's probably worth mentioning the phrase "Mersenne number" somehow. Specifically, they require that q^dimension > 2^(2*Security Level). With N=10, the current encoder produces a dimension of 66 which clearly provides sufficient security. (The new q of M31 or M61 is also required; q=32, N=10 wouldn't cut it.) Finally, Merz and Petit discovered that using a Garside Normal Form of a WalnutDSA signature enabled them to find commonalities with the Garside Normal Form of the encoded message. Using those commonalities they were able to splice into a signature and create forgeries. Increasing the number of cloaking elements, specifically within the encoded message, sufficiently obscures the commonalities and blocks this attack. The previous paragraphs had numerical formulae that even a non-cryptographer can verify are satisfied; is there not such a formula for the ability of cloaking elements to obscure commonalities between message and signature that could be listed? In summary, most of these attacks are exponential in run time and can be shown that current parameters put the runtime beyond the desired security level. The final two attacks are also sufficiently blocked to the desired security level. Earlier we implied that *all* (not just "most of") the attacks were exponential. The formulae I see are exponential, which seems to just leve the Garside Normal Form/commonalities forgery attack as potentially non-exponential. Is it, or is it not exponential? Section 6.3 In IETF protocols we have been seeing a recent trend to, essentially, have only "one joint" for describing how the protocol/algorithm varies, as opposed to a cornucopia of parameters that allows for the user to produce unsafe configurations (among other things). Having fewer parameters to encode also produces a shorter encoding, of course. Given that the rest of the recent literature has been showing parameters with N=1 and either q=M31 or q=M1, perhaps some reduction in the number of key parameters could be considered. Section 6.3.4, 6.3.6 Are the matrices encoded in row-major or column-major form? Also, given that [WALNUTDSA] just talks about a public key being "two matrix and permutation pairs", it's not clear how much value we get from splitting them into separate key parameters and labeling them "one" and "two". Also^2, doesn't that imply that we need a "permutation 2" key parameter? Section 7.2 I feel like at least one of [WALNUTDSA] and [WALNUTSPEC] should be classified as normative, as you will need to read those quite carefully in order to actually generate a COSE signature for this key/algorithm type. |
2020-08-24
|
00 | Benjamin Kaduk | Ballot comment text updated for Benjamin Kaduk |
2020-08-24
|
00 | Benjamin Kaduk | [Ballot Position Update] New position, Yes, has been recorded for Benjamin Kaduk |
2020-08-24
|
00 | Benjamin Kaduk | Created "Approve" ballot |
2020-08-24
|
00 | Benjamin Kaduk | Conflict Review State changed to IESG Evaluation from AD Review |
2020-08-24
|
00 | Benjamin Kaduk | New version available: conflict-review-atkins-suit-cose-walnutdsa-00.txt |
2020-08-07
|
00 | Benjamin Kaduk | Telechat date has been changed to 2020-08-27 from 2020-08-13 |
2020-08-07
|
00 | Benjamin Kaduk | Conflict Review State changed to AD Review from Needs Shepherd |
2020-08-04
|
00 | Benjamin Kaduk | Shepherding AD changed to Benjamin Kaduk |
2020-08-03
|
00 | Cindy Morgan | Placed on agenda for telechat - 2020-08-13 |
2020-08-03
|
00 | Adrian Farrel | IETF conflict review requested |