RE: [pkcs11] Groups - Post Quantum Signatures uploaded

Hi Bob,

I noticed the following when reviewing your proposal:

Sections 1.1.3, 1.2.3 and 1.3.3: remove attribute {CKA_PARAMETER_SET, &param_set, sizeof(param_set)} from the example, as per definition the parameter set is not specified in the private key template
Section 1.3.3: Should the Sphincs+ hash family be treated like the parameter set, i.e. not be specified in the template for the private key but only in the template for the public key? If so, wording must be updated and {CKA_HASH_FAMILY, &hash_family, sizeof(hash_family)} be removed from the example
Section 1.3.4: attributes CKA_PRIME and CKA_BASE seem to be “inherited” from using another algorithm as blueprint. They are not used in Sphincs+ as far as I understand the algorithm, are they?

My general topic for discussion is: how do we proceed from here?

Do we prepare everything but wait with finalization until NIST SP’s are available? This may take us into PKCS #11 specification V3.3.
Or do we finish the mechanism definitions with references to the Round 3 submissions, and mechanism/constants names that clearly indicate these are round 3 algorithms/parameter sets. And include these in PKCS #11 specification V3.2?

Best regards,

Dieter

From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of Robert Relyea
Sent: Wednesday, February 8, 2023 2:40 AM
To: pkcs11@lists.oasis-open.org
Subject: [pkcs11] Groups - Post Quantum Signatures uploaded

Submitter's message
Notes for Hash algorithms.

Like Kyber, I used CKA_PARAMETER_SET to select a preselected set of parameters. Like Kyber we can define experimental Parameter sets based on the Round 3 spec until the full NIST spec is released.

I defined a base single shot function and a combined hash version. We may want to rethink this because all the post quantum algorithms appear to expect Message to be the full signed message, and processes it through it's own hashing function with some preface values. If that's the case, then the base mechanism should be defined as a multi-part and single part and all the hash and sign mechanisms should be dropped.

SPHINCS+ defines the underlying hash separate from the other parameters (like HSS and XMSS). That underlying hash is a fixed characteristic of the underlying key, so like Parameters I've included it as an attribute on the key. It might be NIST will just pick one (actually likely), so we may not necessarily need it. Each security level of SPHINC+ has two variants - fast and slow. They affect the parameter set definitions, so I made it part of the parameter set (thus 6 parameters sets instead of 3).
-- Mr. Robert Relyea

Document Name: Post Quantum Signatures

Description
This defines the new mechanisms to support the new NIST post quantum
signature algorithms
Download Latest Revision
Public Download Link

Submitter: Mr. Robert Relyea
Group: OASIS PKCS 11 TC
Folder: Working Drafts
Date submitted: 2023-02-07 17:40:23

pkcs11 message