- From: Mike Prorock <mprorock@mesur.io>
- Date: Fri, 6 Jan 2023 10:57:34 -0700
- To: Orie Steele <orie@transmute.industries>
- Cc: Gabe Cohen <gabe@tbd.email>, W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CAGJKSNTSc2wLtF-=uOQoaF7RUOQGM9RfmBnsZ0PQ9kmNdZeyrA@mail.gmail.com>
On topic: https://arxiv.org/pdf/2212.12372.pdf

Skeptical of the claims in this paper and still reviewing, but I believe this should underscore the need to have a plan in place.

Mike Prorock
mesur.io

On Wed, Jan 4, 2023, 08:13 Orie Steele <orie@transmute.industries> wrote:

> HPKE with Kyber... will IETF define it for JOSE and COSE in time?
>
> What does a Kyber key look like as a JWK or COSE Key?
>
> Maybe: https://github.com/OR13/draft-steele-cose-kyber
>
> The main problem facing adoption is IETF politics of key representations, and lack of community support for representing keys as JSON and CBOR.
>
> Multibase post quantum keys have the advantage of not needing to wait for IETF and the disadvantage of being politically unacceptable to large companies (who control standards organizations).
>
> The Netflix movie "Don't Look Up" is actually about post quantum cryptography.
>
> Experimental JWK representations for PQC JWK:
>
> https://github.com/transmute-industries/did-jwk-pqc
>
> Ask yourselves this:
>
> In a world where downgrade attacks and hybrid / composite schemes are likely to exist simultaneously, should "alg" be optional at key gen time?
>
> Why would you ever generate a key and then choose to use it for a purpose or with an algorithm that was different?
>
> If a key is a rifle, this is like saying that anything that fits & functions is safe to fire, or... was intended to be fired.
>
> Let's make the label for the thing that produces the other thing optional, so you can't tell what is supposed to be produced, even when you are holding the thing that is produced.
>
> Maybe it's a feature of an RSA JWK that you can use `PS256` or `RS256` if the `alg` is not present in the JWK?... Seems like not a feature.
>
> If you want to see how things are trending, look at WalnutDSA and HMS/LMS.
>
> They all have the same alg and kty... This is what declaring bankruptcy on an optional parameter looks like... just make it the same value as a mandatory one.
>
> That won't work for encryption.... and it's...
>
> See also the proposals to make HPKE its own kty...
>
> `alg` is the `@context` of IETF... with a similar level of compromise and design by committee that is getting people wrecked (see alg: none).
>
> Optionality is great until you realise you can't rely on anything for interoperability... Then you realize that's what foundations are for?
>
> OS
>
> On Tue, Jan 3, 2023, 9:38 PM Mike Prorock <mprorock@mesur.io> wrote:
>
>> I think Orie and I may have been putting the most time in, in regards to PQC and VCs/DIDs. Definitely something that waiting on an answer for is not the right approach. This is not to say switch to Dilithium or similar immediately, but have a plan. Most of the active work at this point is at IETF standards-wise, and places like https://openquantumsafe.org/ on the implementation side. This however is enabling testing and use with VCs and DIDs, and I highly encourage some familiarity with the "new" signature methods and KEMs, as there are impacts on key sizes, signature generation time, and verification time.
>>
>> We ran a main CCG call last year on the topic and we can definitely dust that off again this year as we see more from NIST on the topic.
>>
>> The KEM stuff is mostly still at CFRG and will likely be working its way into JOSE/COSE come IETF in March.
>>
>> Mike Prorock
>> mesur.io
>>
>> On Tue, Jan 3, 2023, 20:05 Gabe Cohen <gabe@tbd.email> wrote:
>>
>>> Breaking RSA is now a more real threat than ever!
>>> https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.html
>>>
>>>> We have long known from Shor's algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the orders of millions of qbits, to factor anything resembling the key sizes we use today. What the researchers have done is combine classical lattice reduction factoring techniques with a quantum approximate optimization algorithm. This means that they only need a quantum computer with 372 qbits, which is well within what's possible today. (The IBM Osprey is a 433-qbit quantum computer, for example. Others are on their way as well.)
>>>
>>> The importance of hybrid and PQC solutions for DIDs and VCs is extremely pressing. I know there is some work on a post quantum signature type <https://www.ietf.org/archive/id/draft-prorock-cose-post-quantum-signatures-01.txt>. Is anyone else working on similar systems?
>>>
>>> Gabe Cohen
>>>
>>> Lead Platform Engineer, Verifiable Credentials
>>>
>>> gabe@tbd.email
>>>
>>> TBD <http://tbd.website/> | LinkedIn <https://linkedin.com/in/cohengabe> | Twitter <https://twitter.com/decentralgabe>
Received on Friday, 6 January 2023 17:58:00 UTC
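Orie's argument that an optional `alg` on a JWK leaves the verifier guessing (with `alg: none` as the cautionary case) can be made concrete in a verifier. The Python below is an added example for this thread, not code from Orie, Mike, Gabe or the linked drafts. It uses `oct` (HMAC) keys so that it runs on the standard library alone; the key material, the JWKs and the tokens are constructed inline, and the policy it encodes is the one argued above: if the key carries `alg`, the header must match it; if the key does not, the caller must say explicitly what is acceptable; `alg: none` is never acceptable; and the `alg` must fit the `kty` so a key cannot be reinterpreted under a different primitive. The same policy applies unchanged to RSA, EC or post quantum JWKs.

```python
import base64
import hashlib
import hmac
import json

# HMAC-based JWS algs this toy verifier understands (RFC 7518); all require kty "oct".
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


# Constructed sample key material (an assumption for this example, not from the thread):
# one 32-byte secret exposed as two JWKs, one with "alg" pinned and one without it.
SECRET = bytes(range(32))
PINNED_JWK = {"kty": "oct", "kid": "k1", "use": "sig", "alg": "HS256", "k": b64url_encode(SECRET)}
UNPINNED_JWK = {"kty": "oct", "kid": "k1", "k": b64url_encode(SECRET)}


def sign(payload: dict, jwk: dict, alg=None) -> str:
    """Produce a compact JWS; a key that carries "alg" can only ever sign with that alg."""
    alg = alg or jwk.get("alg")
    if alg is None:
        raise ValueError("no alg: neither the key nor the caller says what this key produces")
    if jwk.get("alg", alg) != alg:
        raise ValueError(f"key is pinned to {jwk['alg']}, refusing to sign with {alg}")
    if alg not in HMAC_ALGS or jwk.get("kty") != "oct":
        raise ValueError(f"{alg} does not fit a {jwk.get('kty')} key")
    header = {"alg": alg}
    if "kid" in jwk:
        header["kid"] = jwk["kid"]
    signing_input = _compact(header) + "." + _compact(payload)
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_unsigned(payload: dict) -> str:
    """The token an attacker sends hoping the verifier honours alg "none" (empty signature part)."""
    return _compact({"alg": "none"}) + "." + _compact(payload) + "."


def verify(token: str, jwk: dict, allowed_algs=None) -> dict:
    """Verify a compact JWS against one JWK and return its payload.

    Policy:
      * "alg": "none" (any case) or a missing alg is rejected outright.
      * If the JWK declares "alg", the header must match it; the header never overrides the key.
      * If the JWK does not declare "alg", the caller must pass an explicit allow-list;
        the verifier refuses to infer the algorithm from the untrusted header alone.
      * The alg must fit the key type (HS* only with kty "oct").
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("unsigned or alg-less token rejected")
    if jwk.get("use", "sig") != "sig":
        raise ValueError("key is not a signing key")
    if "alg" in jwk:
        if alg != jwk["alg"]:
            raise ValueError(f"header alg {alg} contradicts key alg {jwk['alg']}")
    elif not allowed_algs or alg not in allowed_algs:
        raise ValueError(f"key has no alg and {alg} is not in an explicit allow-list")
    if alg not in HMAC_ALGS or jwk.get("kty") != "oct":
        raise ValueError(f"{alg} does not fit a {jwk.get('kty')} key")
    expected = hmac.new(b64url_decode(jwk["k"]), (h + "." + p).encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(p))


def rejects(token: str, jwk: dict, allowed_algs=None) -> bool:
    """True if verify() refuses the token under this key and policy."""
    try:
        verify(token, jwk, allowed_algs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = sign({"sub": "alice"}, PINNED_JWK)
    print("pinned key, matching header:", verify(good, PINNED_JWK))
    # Same secret, but the header claims HS384: the HMAC "fits and functions", the key's alg wins.
    other = sign({"sub": "alice"}, UNPINNED_JWK, "HS384")
    print("pinned key, HS384 header rejected:", rejects(other, PINNED_JWK))
    print("unpinned key, no allow-list rejected:", rejects(other, UNPINNED_JWK))
    print("alg none rejected:", rejects(forge_unsigned({"sub": "admin"}), PINNED_JWK))
```

The unpinned key is not unusable, but every verifier that accepts it has to carry the algorithm constraint itself, which is exactly the knowledge that an `alg` member on the JWK would have carried with the key.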