Re: [CFRG] Google's (current) Threat model for Post-Quantum Cryptography

Sophie Schmieg <sschmieg@google.com> Tue, 12 March 2024 23:08 UTC

References: <2D2B67B4-9E1D-46DA-A2EE-08D89BFE254D@akamai.com> <CAN8C-_J0_bQRTymi0O+OtNOcid6P5m9EYj-MaZP_MJe=_VXKiw@mail.gmail.com> <3ee20938-95a5-40d3-9930-8ae8db3ed3d8@cs.tcd.ie>
In-Reply-To: <3ee20938-95a5-40d3-9930-8ae8db3ed3d8@cs.tcd.ie>
From: Sophie Schmieg <sschmieg@google.com>
Date: Tue, 12 Mar 2024 16:08:02 -0700
Message-ID: <CAEEbLAaXG+=shtAqf4DMJBZXm6qDCqYwh9_9ri1TY05gFW10gQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Orie Steele <orie@transmute.industries>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6qjL8A2pxvgJXaBxBClpbHWbeM8>
Subject: Re: [CFRG] Google's (current) Threat model for Post-Quantum Cryptography
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

The hybrid recommendations are somewhat intentionally kept vague in order
to not add yet another hybridization scheme by accident :)
The unfortunate reality we have to deal with is that we have to use P256
for compliance purposes in some scenarios, but among hybrids X-Wing is
currently looking the strongest and is using X25519. I would much prefer
having a single clear scheme that we could recommend there.
I do think there is some urgency on the KEM hybridization, because I fear
that we will see an explosion of different hybrid schemes once the NIST
standards are out, unless there is a clear go-to choice.
In a way this is in my opinion an extension of the mess we have with key
derivation functions in general, where every protocol does its own
similar but incompatible thing. The worst offender there is ECIES, where it
took us an embarrassingly long time to finally standardize HPKE.

For signature hybrids, I honestly think just using the simple "sign twice
and concatenate, verify with &&" hybrid scheme is good enough to eventually
win even in absence of a standard.
But yeah, I think in general signatures are far more experimental at this
point in time; many use cases will require more of an exploratory
approach, which definitely makes getting the hybrid right on first try less
of an urgent problem.

On Tue, Mar 12, 2024 at 3:24 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
>
> On 12/03/2024 22:04, Orie Steele wrote:
> >> Our current recommendation is to use either Dilithium3 (FIPS 204, ML-DSA)
> > in hybrid with ECDSA/EdDSA/RSA, or SPHINCS+ (FIPS 205, SLH-DSA) for this
> > use case.
> >
> > I fear how many different variants of these we may see in protocols
> > without some baseline guidance from CFRG.
>
> I prefer the bits saying to mostly not worry about signatures
> for now and chill out a bit wrt those. (yeah, my interpretation:-)
>
> If we did pay attention to that (and we should) I think it takes
> away most of the problem with hybrid combinatorics.
>
> I'd love it if cfrg had consensus on something like that as I
> think it'd save a bunch of IETF WGs a bunch of time over the
> next couple of years.
>
> Cheers,
> S.
>


-- 

Sophie Schmieg | Information Security Engineer | ISE Crypto |
sschmieg@google.com
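The "sign twice and concatenate, verify with &&" signature hybrid discussed above, as an added example in Go. This is illustration code written for this archive page, not code from the post, from Google, or from any CFRG draft. Assumptions: ML-DSA is not in the Go standard library, so Ed25519 stands in for the post-quantum half purely to exercise the combiner; ECDSA over P-256 (the curve the post mentions for compliance) is the classical half; the names Hybrid, NewHybrid, frame, split and Demo are mine. Because ASN.1 ECDSA signatures are variable-length, the example length-prefixes each half so the concatenation can be split unambiguously, and Demo checks that a composite with one half stripped out, or a genuine composite checked against a modified message, is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Hybrid pairs an ECDSA P-256 key (classical half) with an Ed25519 key that
// stands in for the post-quantum half (assumption: ML-DSA is not in Go's stdlib).
type Hybrid struct {
	classical *ecdsa.PrivateKey
	pqPub     ed25519.PublicKey
	pqPriv    ed25519.PrivateKey
}

func NewHybrid() (*Hybrid, error) {
	ek, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Hybrid{classical: ek, pqPub: pub, pqPriv: priv}, nil
}

// frame length-prefixes one part (uint16, big-endian); ECDSA ASN.1 signatures
// are variable-length, so an unframed concatenation could not be split safely.
func frame(sig []byte) []byte {
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(sig)))
	return append(l[:], sig...)
}

// Sign is "sign twice and concatenate": frame(ecdsaSig) || frame(pqSig).
func (h *Hybrid) Sign(msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	cs, err := ecdsa.SignASN1(rand.Reader, h.classical, d[:])
	if err != nil {
		return nil, err
	}
	return append(frame(cs), frame(ed25519.Sign(h.pqPriv, msg))...), nil
}

// split parses exactly two framed parts, rejecting truncation and trailing bytes.
func split(sig []byte) (cs, ps []byte, err error) {
	var parts [][]byte
	for len(parts) < 2 {
		if len(sig) < 2 {
			return nil, nil, errors.New("truncated composite signature")
		}
		n := int(binary.BigEndian.Uint16(sig))
		if len(sig)-2 < n {
			return nil, nil, errors.New("truncated component signature")
		}
		parts, sig = append(parts, sig[2:2+n]), sig[2+n:]
	}
	if len(sig) != 0 {
		return nil, nil, errors.New("trailing bytes after composite signature")
	}
	return parts[0], parts[1], nil
}

// Verify is the "&&" rule: both halves must verify. Both checks are evaluated
// unconditionally so a failing first half does not skip the second.
func (h *Hybrid) Verify(msg, sig []byte) bool {
	cs, ps, err := split(sig)
	if err != nil {
		return false
	}
	d := sha256.Sum256(msg)
	okC := ecdsa.VerifyASN1(&h.classical.PublicKey, d[:], cs)
	okP := ed25519.Verify(h.pqPub, msg, ps)
	return okC && okP
}

// Demo signs a constructed message and returns three verdicts: the genuine
// composite, the composite with its PQ half emptied, and the genuine composite
// checked against a modified message. Only the first should be true.
func Demo() (genuine, stripped, tampered bool, err error) {
	h, err := NewHybrid()
	if err != nil {
		return
	}
	msg := []byte("constructed sample message") // constructed input
	sig, err := h.Sign(msg)
	if err != nil {
		return
	}
	cs, _, _ := split(sig)
	genuine = h.Verify(msg, sig)
	stripped = h.Verify(msg, append(frame(cs), frame(nil)...))
	tampered = h.Verify(append(msg, '!'), sig)
	return
}
```

The framing and the strict parser matter as much as the && itself: a verifier that silently accepts a missing or empty second half has turned the hybrid back into a single-algorithm signature, which is exactly the downgrade the hybrid exists to prevent. Evaluating both halves unconditionally also keeps the verifier's behaviour independent of which half was wrong.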