Re: [pkcs11] Groups - Post Quantum Signatures uploaded

pkcs11 message

Subject: Re: [pkcs11] Groups - Post Quantum Signatures uploaded

From: Robert Relyea <rrelyea@redhat.com>

To: Dieter Bong <Dieter.Bong@utimaco.com>, "pkcs11@lists.oasis-open.org" <pkcs11@lists.oasis-open.org>

Date: Wed, 15 Feb 2023 11:32:06 -0800

On 2/14/23 7:19 AM, Dieter Bong wrote:

Hi Bob,

I noticed the following when reviewing your proposal:

Sections 1.1.3, 1.2.3 and 1.3.3: remove attribute {CKA_PARAMETER_SET, &param_set, sizeof(param_set)} from the example, as per definition the parameter set is not specified in the private key template

Section 1.3.3: Should the Sphincs+ hash family be treated like the parameter set, i.e. not be specified in the template for the private key but only in the template for the public key? If so, wording must be updated and {CKA_HASH_FAMILY, &hash_family, sizeof(hash_family)} be removed from the example

Section 1.3.4: attributes CKA_PRIME and CKA_BASE seem to be âinheritedâ from using another algorithm as blueprint. They are not used in Sphincs+ as far as I understand the algorithm, are they?

My general topic for discussion is: how do we proceed from here?

Do we prepare everything but wait with finalization until NIST SPâs are available? This may take us into PKCS #11 specification V3.3.
Or do we finish the mechanism definitions with references to the Round 3 submissions, and mechanism/constants names that clearly indicate these are round 3 algorithms/parameter sets. And include these in PKCS #11 specification V3.2?

Best regards,

Dieter

From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of Robert Relyea
Sent: Wednesday, February 8, 2023 2:40 AM
To: pkcs11@lists.oasis-open.org
Subject: [pkcs11] Groups - Post Quantum Signatures uploaded

Submitter's message
Notes for Hash algorithms.

Like Kyber, I used CKA_PARAMETER_SET to select a preselected set of parameters. Like Kyber we can define experimental Parameter sets based on the Round 3 spec until the full NIST spec is released.

I defined a base single shot function and a combined hash version. We may want to rethink this because all the post quantum algorithms appear to expect Message to be the full signed message, and processes it through it's own hashing function with some preface values. If that's the case, then the base mechanism should be defined as a multi-part and single part and all the hash and sign mechanisms should be dropped.

SPHINCS+ defines the underlying hash separate from the other parameters (like HSS and XMSS). That underlying hash is a fixed characteristic of the underlying key, so like Parameters I've included it as an attribute on the key. It might be NIST will just pick one (actually likely), so we may not necessarily need it. Each security level of SPHINC+ has two variants - fast and slow. They affect the parameter set definitions, so I made it part of the parameter set (thus 6 parameters sets instead of 3).
-- Mr. Robert Relyea

Document Name: Post Quantum Signatures

Description
This defines the new mechanisms to support the new NIST post quantum
signature algorithms
Download Latest Revision
Public Download Link

Submitter: Mr. Robert Relyea
Group: OASIS PKCS 11 TC
Folder: Working Drafts
Date submitted: 2023-02-07 17:40:23

Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
Seat: Aachen â Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Stefan Auerbach, Martin Stamm

This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email.