--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/67b9d205-c98c-4f96-903b-d6ab064a2b76n%40list.nist.gov.
I concur, and support this proposal.
--
V/R,
Uri
From: 'Bas Westerbaan' via pqc-forum <pqc-...@list.nist.gov>
Date: Tuesday, May 28, 2024 at 08:45
To: Guillaume Endignoux <guill...@google.com>
Cc: pqc-forum <pqc-...@list.nist.gov>
Subject: [EXT] Re: [pqc-forum] ML-DSA and decoding of malformed private keys
For the reasons you've laid out, I agree that a single 32-byte seed is the best format for a portable ML-DSA signing key, and I would be in favour of adopting it as the primary signing key format, as long as it does not preclude implementations
ZjQcmQRYFpfptBannerStart
|
ZjQcmQRYFpfptBannerEnd
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAMjbhoWgiFWtHuAa142-TJabY-DE5AN7VUAjmmGzpaXHZBTW9w%40mail.gmail.com.
I also am in favour of the 32-byte seed as the primary portable ML-DSA private key format.
But I think it is also worth defining a serialization format for the full key because as mentioned by Guillaume, applications that sign often will want to hold on to the expanded private key for performance reasons. Giving a serialization for this avoids interop problems, and gives us a place to put a security consideration note about error checking the private key.
---
Mike Ounsworth
From: 'Bas Westerbaan' via pqc-forum <pqc-...@list.nist.gov>
Sent: Tuesday, May 28, 2024 7:44 AM
To: Guillaume Endignoux <guill...@google.com>
Cc: pqc-forum <pqc-...@list.nist.gov>
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAMjbhoWgiFWtHuAa142-TJabY-DE5AN7VUAjmmGzpaXHZBTW9w%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/f4ec74a3-9806-4cdd-959b-4da23e6e9c13n%40list.nist.gov.
Guillaume raises a good point though that some research will require constructing test cases around hand-crafted keypairs for which we do not know the seed, and that implementations that only support seed-based private keys will have difficulty running these test cases.
It seems to me that the answer is for the test frameworks of robust implementations to be able to accept fully inflated private keys, even if the implementation’s normal mode of operation only accepts seeds.
---
Mike Ounsworth
From: Sophie Schmieg <ssch...@google.com>
Sent: Friday, May 31, 2024 7:01 AM
To: Guillaume Endignoux <guill...@google.com>
Cc: pqc-forum <pqc-...@list.nist.gov>; Paul Hoffman <paul.h...@icann.org>; Mike Ounsworth <Mike.Ou...@entrust.com>
Subject: [EXTERNAL] Re: [pqc-forum] ML-DSA and decoding of malformed private keys
I would not worry too much about generating test cases, unless you have a property that is both unlikely enough to be very expensive to brute force, but not expensive enough that it cannot reasonably be brute forced by anyone. In other words,
It seems to me that the answer is for the test frameworks of robust implementations to be able to accept fully inflated private keys, even if the implementation’s normal mode of operation only accepts seeds.