W3C home > Mailing lists > Public > public-credentials@w3.org > January 2023

Re: The importance of PQC / Stop using RSA immediately

From: Orie Steele <orie@transmute.industries>
Date: Wed, 4 Jan 2023 09:13:36 -0600
Message-ID: <CAN8C-_Lm9qxhRasxWpuvP07sTh9Fijwqyr0LLjceEqhq5UjOzw@mail.gmail.com>
To: Mike Prorock <mprorock@mesur.io>
Cc: Gabe Cohen <gabe@tbd.email>, W3C Credentials CG <public-credentials@w3.org>

HPKE with Kyber... will IETF define it for JOSE and COSE in time?

What does a Kyber key look like as a JWK or COSE Key?

Maybe: https://github.com/OR13/draft-steele-cose-kyber

The main problem facing adoption is IETF politics of key representations,
and lack of community support for representing keys as JSON and CBOR.

Multibase post quantum keys have the advantage of not needing to wait for
IETF and the disadvantage of being politically unacceptable to large
companies (who control standards organizations).

The netflix movie "Don't Look Up" is actually about post quantum
cryptography.

Experimental JWK representations for PQC JWK:

https://github.com/transmute-industries/did-jwk-pqc

Ask yourselves this:

In a world where downgrade attacks and hybrid / composite schemes are
likely to exist simultaneously, should "alg" be optional at key gen time?

Why would you ever generate a key and then choose to use it for a purpose
or with an algorithm that was different?

If a key is a rifle, this is like saying that anything that fits &
functions is safe to fire, or... was intended to be fired.

Let's make the label for the thing that produces the other thing optional,
so you can't tell what is supposed to be produced, even when you are
holding the thing that is produced.

Maybe it's a feature of an RSA JWK that you can use `PS256` or `RS256` if
the `alg` is not present in the JWK?... Seems like not a feature.

If you want to see how things are trending, look at WalnutDSA and HMS/LMS.

They all have the same alg and kty... This is what declaring bankruptcy on
an optional parameter looks like... just make it the same value as a
mandatory one.

That won't work for encryption.... and it's...

See also the proposals to make HPKE its own kty...

`alg` is the `@context` of IETF... with a similar level of compromise and
design by committee that is getting people wrecked ( see alg: none )

Optionality is great until you realise you can't rely on anything for
interoperability... Then you realize that's what foundations are for?

OS

On Tue, Jan 3, 2023, 9:38 PM Mike Prorock <mprorock@mesur.io> wrote:

> I think Orie and I may have been putting the most time in in regards to
> PQC and VCs/DIDs.  Definitely something that waiting on an answer for is
> not the right approach.  This is not to say switch to Dilithium or similar
> immediately, but have a plan.  Most of the active work at this point is at
> IETF standards wise, and places like
> https://openquantumsafe.org/ on the implementation side.  This however is
> enabling testing and use with VCs and DIDs and I highly encourage some
> familiarity with the "new" signature methods and KEMs as there are impacts
> on key sizes, signature generation time, and verification time.
>
> We ran a main CCG call last year on the topic and we can definitely dust
> that off again this year as we see more from NIST on the topic.
>
> The KEM stuff is mostly still at CFRG and will likely be working its way
> into JOSE/COSE come IETF in March.
>
> Mike Prorock
> mesur.io
>
> On Tue, Jan 3, 2023, 20:05 Gabe Cohen <gabe@tbd.email> wrote:
>
>> Breaking RSA is now a more real threat than ever!
>> https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.html
>>
>>  We have long known from Shor’s algorithm that factoring with a quantum
>>> computer is easy. But it takes a big quantum computer, on the orders of
>>> millions of qbits, to factor anything resembling the key sizes we use
>>> today. What the researchers have done is combine classical lattice
>>> reduction factoring techniques with a quantum approximate optimization
>>> algorithm. This means that they only need a quantum computer with 372
>>> qbits, which is well within what’s possible today. (The IBM Osprey is a
>>> 433-qbit quantum computer, for example. Others are on their way as well.)
>>>
>>
>>
>> The importance of hybrid and PQC solutions from DIDs and VCs is extremely
>> pressing. I know there is some work on post quantum signature type
>> <https://www.ietf.org/archive/id/draft-prorock-cose-post-quantum-signatures-01.txt>.
>> Is anyone else working on similar systems?
>>
>>
>> Gabe Cohen
>>
>> Lead Platform Engineer, Verifiable Credentials
>>
>> gabe@tbd.email <gcohen@tbd.email>
>>
>> TBD <http://tbd.website/> | LinkedIn <https://linkedin.com/in/cohengabe>
>> | Twitter <https://twitter.com/decentralgabe>
>>
>>
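The point raised above about an optional `alg` in a JWK (an RSA key that a relying party may use with either `PS256` or `RS256`, and `alg: none` as the committee-designed failure mode) can be made concrete as a verifier-side policy check. The following is an added example, not code from this thread or from any of the linked repositories: it binds each JWK to exactly one `alg`, checks that the `alg` is one the key's `kty` is defined for (RFC 7518), and refuses any JWS whose header names a different algorithm. The JWK values, `kid`s and the `make_jws` helper are constructed for illustration; the modulus is a placeholder and no signature is verified, since the question here is which algorithm the key is allowed to be used with at all.

```python
import base64
import json

# JWS algorithms and the JWK "kty" each one is defined for (RFC 7518, Sections 3.1
# and 6.1). Deliberately a small allow-list: anything not listed is rejected.
ALLOWED_ALG_FOR_KTY = {
    "RS256": "RSA",
    "PS256": "RSA",
    "ES256": "EC",
    "EdDSA": "OKP",
}


def _b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url, as used in JOSE compact serialization."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_jws(alg: str) -> str:
    """Build a constructed compact JWS with only the protected header populated.

    The payload and signature segments are placeholders (hypothetical helper);
    only the header's 'alg' matters for the policy check below.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(b"{}")
    return f"{header}.{payload}.AAAA"


def check_alg_binding(jwk: dict, jws_compact: str) -> tuple[bool, str]:
    """Decide whether this JWS may be verified with this JWK.

    Policy: the key carries exactly one 'alg', that 'alg' is one its 'kty' is
    defined for, and the token header must name the same 'alg'. The token never
    gets to choose the algorithm for the key, so 'none' and a swapped RSA
    algorithm are both rejected by the same comparison.
    """
    key_alg = jwk.get("alg")
    if key_alg is None:
        return False, "JWK has no 'alg': refusing to let the token choose one"
    if ALLOWED_ALG_FOR_KTY.get(key_alg) != jwk.get("kty"):
        return False, f"JWK alg {key_alg!r} is not defined for kty {jwk.get('kty')!r}"

    try:
        header = json.loads(_b64url_decode(jws_compact.split(".")[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed JWS protected header"
    header_alg = header.get("alg")
    if header_alg != key_alg:
        return False, f"header alg {header_alg!r} does not match key alg {key_alg!r}"
    return True, key_alg


# Constructed RSA public JWKs; 'n' is a placeholder, not a real modulus. The check
# never touches key material, only the key's metadata.
RSA_KEY_BOUND = {"kty": "RSA", "alg": "RS256", "kid": "example-bound",
                 "n": "placeholder-modulus", "e": "AQAB"}
RSA_KEY_UNBOUND = {"kty": "RSA", "kid": "example-unbound",
                   "n": "placeholder-modulus", "e": "AQAB"}

if __name__ == "__main__":
    cases = [(RSA_KEY_BOUND, "RS256"), (RSA_KEY_BOUND, "PS256"),
             (RSA_KEY_BOUND, "none"), (RSA_KEY_UNBOUND, "RS256")]
    for key, alg in cases:
        print(key["kid"], alg, check_alg_binding(key, make_jws(alg)))
```

Only the first case is accepted: the same RSA key presented with `PS256` is refused because the key says `RS256`, `none` is refused for the same reason, and the key with no `alg` is refused outright rather than letting the verifier pick a default.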
Received on Wednesday, 4 January 2023 15:14:00 UTC