Hi Bob,
I noticed the following when reviewing your proposal:
- Sections 1.1.3, 1.2.3 and 1.3.3: remove attribute {CKA_PARAMETER_SET, ¶m_set, sizeof(param_set)} from the example, as per definition the parameter set is
not specified in the private key template
- Section 1.3.3: Should the Sphincs+ hash family be treated like the parameter set, i.e. not be specified in the template for the private key but only in the template for the public
key? If so, wording must be updated and {CKA_HASH_FAMILY, &hash_family, sizeof(hash_family)} be removed from the example
- Section 1.3.4: attributes CKA_PRIME and CKA_BASE seem to be “inherited” from using another algorithm as blueprint. They are not used in Sphincs+ as far as I understand the algorithm,
are they?
My general topic for discussion is: how do we proceed from here?
- Do we prepare everything but wait with finalization until NIST SP’s are available? This may take us into PKCS #11 specification V3.3.
- Or do we finish the mechanism definitions with references to the Round 3 submissions, and mechanism/constants names that clearly indicate these are round 3 algorithms/parameter sets.
And include these in PKCS #11 specification V3.2?
Best regards,
Dieter
From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org>
On Behalf Of Robert Relyea
Sent: Wednesday, February 8, 2023 2:40 AM
To: pkcs11@lists.oasis-open.org
Subject: [pkcs11] Groups - Post Quantum Signatures uploaded
Submitter's message
Notes for Hash algorithms.
Like Kyber, I used CKA_PARAMETER_SET to select a preselected set of parameters. Like Kyber we can define experimental Parameter sets based on the Round 3 spec until the full NIST spec is released.
I defined a base single shot function and a combined hash version. We may want to rethink this because all the post quantum algorithms appear to expect Message to be the full signed message, and processes it through it's own hashing function with some preface
values. If that's the case, then the base mechanism should be defined as a multi-part and single part and all the hash and sign mechanisms should be dropped.
SPHINCS+ defines the underlying hash separate from the other parameters (like HSS and XMSS). That underlying hash is a fixed characteristic of the underlying key, so like Parameters I've included it as an attribute on the key. It might be NIST will just pick
one (actually likely), so we may not necessarily need it. Each security level of SPHINC+ has two variants - fast and slow. They affect the parameter set definitions, so I made it part of the parameter set (thus 6 parameters sets instead of 3).
-- Mr. Robert Relyea
Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
Seat: Aachen – Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Stefan Auerbach, Martin Stamm
This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email.
|