Re: The importance of PQC / Stop using RSA immediately from Mike Prorock on 2023-01-06 (public-credentials@w3.org from January 2023)

From: Mike Prorock <mprorock@mesur.io>
Date: Fri, 6 Jan 2023 10:57:34 -0700
To: Orie Steele <orie@transmute.industries>
Cc: Gabe Cohen <gabe@tbd.email>, W3C Credentials CG <public-credentials@w3.org>
Message-ID: <CAGJKSNTSc2wLtF-=uOQoaF7RUOQGM9RfmBnsZ0PQ9kmNdZeyrA@mail.gmail.com>
On topic: https://arxiv.org/pdf/2212.12372.pdf

Skeptical of the claims in this paper and still reviewing, but I believe
this should underscore the need to have a plan in place

Mike Prorock
mesur.io

On Wed, Jan 4, 2023, 08:13 Orie Steele <orie@transmute.industries> wrote:

> HPKE with Kyber... will IETF define it for JOSE and COSE in time?
>
> What does a Kyber key look like as a JWK or COSE Key?
>
> Maybe: https://github.com/OR13/draft-steele-cose-kyber
>
> The main problem facing adoption is IETF politics of key representations,
> and lack of community support for representing keys as JSON and CBOR.
>
> Multibase post quantum keys have the advantage of not needing to wait for
> IETF and the disadvantage of being politically unacceptable to large
> companies (who control standards organizations).
>
> The netflix movie "Don't Look Up" is actually about post quantum
> cryptography.
>
> Experimental JWK representations for PQC JWK:
>
> https://github.com/transmute-industries/did-jwk-pqc
>
> Ask yourselves this:
>
> In a world where downgrade attacks and hybrid / composite schemes are
> likely to exist simultaneously, should "alg" be optional at key gen time?
>
> Why would you ever generate a key and then choose to use it for a purpose
> or with an algorithm that was different?
>
> If a key is a rifle, this is like saying that anything that fits &
> functions is safe to fire, or... was intended to be fired.
>
> Let's make the label for the thing that produces the other thing optional,
> so you can't tell what is supposed to be produced, even when you are
> holding the thing that is produced.
>
> Maybe it's a feature of an RSA JWK that you can use `PS256` or `RS256` if
> the `alg` is not present in the JWK?... Seems like not a feature.
>
> If you want to see how things are trending, look at WalnutDSA and HMS/LMS.
>
> They all have the same alg and kty... This is what declaring bankruptcy on
> an optional parameter looks like... just make it the same value as a
> mandatory one.
>
> That won't work for encryption.... and it's...
>
> See also the proposals to make HPKE its own kty...
>
> `alg` is the `@context` of IETF... with a similar level of compromise and
> design by committee that is getting people wrecked ( see alg: none )
>
> Optionality is great until you realise you can't rely on anything for
> interoperability... Then you realize that's what foundations are for?
>
> OS
>
> On Tue, Jan 3, 2023, 9:38 PM Mike Prorock <mprorock@mesur.io> wrote:
>
>> I think Orie and I may have been putting the most time in in regards to
>> PQC and VCs/DIDs.  Definitely something that waiting on an answer for is
>> not the right approach.  This is not to say switch to Dilithium or similar
>> immediately, but have a plan.  Most of the active work at this point is at
>> IETF standards wise, and places like
>> https://openquantumsafe.org/ on the implementation side.  This however
>> is enabling testing and use with VCs and DIDs and I highly encourage some
>> familiarity with the "new" signature methods and KEMs as there are impacts
>> on key sizes, signature generation time, and verification time.
>>
>> We ran a main CCG call last year on the topic and we can definitely dust
>> that off again this year as we see more from NIST on the topic.
>>
>> The KEM stuff is mostly still at CFRG and will likely be working it's way
>> into JOSE/COSE come IETF in March.
>>
>> Mike Prorock
>> mesur.io
>>
>> On Tue, Jan 3, 2023, 20:05 Gabe Cohen <gabe@tbd.email> wrote:
>>
>>> Breaking RSA is now a more real threat than ever!
>>> https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.html
>>>
>>>  We have long known from Shor’s algorithm that factoring with a quantum
>>>> computer is easy. But it takes a big quantum computer, on the orders of
>>>> millions of qbits, to factor anything resembling the key sizes we use
>>>> today. What the researchers have done is combine classical lattice
>>>> reduction factoring techniques with a quantum approximate optimization
>>>> algorithm. This means that they only need a quantum computer with 372
>>>> qbits, which is well within what’s possible today. (The IBM Osprey is a
>>>> 433-qbit quantum computer, for example. Others are on their way as well.)
>>>>
>>>
>>>
>>> The importance of hybrid and PQC solutions from DIDs and VCs is
>>> extremely pressing. I know there is some work on post quantum signature
>>> type
>>> <https://www.ietf.org/archive/id/draft-prorock-cose-post-quantum-signatures-01.txt>.
>>> Is anyone else working on similar systems?
>>>
>>>
>>> Gabe Cohen
>>>
>>> Lead Platform Engineer, Verifiable Credentials
>>>
>>> gabe@tbd.email <gcohen@tbd.email>
>>>
>>> TBD <http://tbd.website/> | LinkedIn <https://linkedin.com/in/cohengabe>
>>> | Twitter <https://twitter.com/decentralgabe>
>>>
>>>
Received on Friday, 6 January 2023 17:58:00 UTC