Re: [CFRG] Classic McEliece

John Mattsson <john.mattsson@ericsson.com> Fri, 20 October 2023 10:02 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@ietf.org" <cfrg@ietf.org>
Date: Fri, 20 Oct 2023 10:02:22 +0000
Message-ID: <GVXPR07MB9678B4660B612AD3E0A776C389DBA@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <GVXPR07MB967815C318BA70AA90B696AF89D6A@GVXPR07MB9678.eurprd07.prod.outlook.com> <LO2P123MB4927A211C26E278C307725B3BCD7A@LO2P123MB4927.GBRP123.PROD.OUTLOOK.COM> <20231018135140.362169.qmail@cr.yp.to>
In-Reply-To: <20231018135140.362169.qmail@cr.yp.to>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ACDxbVS-vWHjTWFCUGQQfAiFeK0>

D. J. Bernstein wrote:

> prohibited from speculating

Seems like a nice SDO ... :)

> The ISO style file inserted an incorrect ISO copyright notice

That ISO systematically commits copyfraud certainly does not make
me like their paywalled security risk standards better. Copyfraud is a
huge problem. Unfortunately, authorities mostly ignore this crime.

> what it'll do, but why should speculation about future standardization by
> NIST and/or ISO enter into CFRG decisions regarding this draft?

> We're already seeing McEliece deployment in Mullvad, for example, and in
> Rosenpass.

I am aware of several other commercial implementations as well.
European governments are recommending Classic McEliece or
FrodoKEM for European national security systems. I am sure
there are or will be many more implementations.

I am strongly in favor of one or more (NIST and/or CFRG) publicly
available specifications of Classic McEliece. I will make sure to send
this as an official comment to NIST as well.

> There is no NIST specification for the McEliece cryptosystem. If you
> mean "potential future NIST specification", please say that clearly.

Yes. I am talking about a potential future NIST standard. Based on the
latest comments from NIST I would even speculate that such a standard
is likely.

> It's normal for CFRG to document cryptographic primitives in
> use on the Internet.

> _Of course_ a future NIST specification, if one happens, should not
> deviate from the careful Classic McEliece design. I'm not seeing how
> this future possibility is relevant to Simon's draft.

I think both a future NIST and CFRG specification could deviate from the
current non-standardized specification if needed for security or performance.
If adopted, CFRG decides. I don’t think too much consideration should be given
to existing implementations or paywalled SDOs like ISO. I think it is bad security
practice to deploy both paywalled standards and non-standardized algorithms.

IETF/CFRG is typically hesitant to overlap too much with other non-paywalled
SDOs. It is a waste of everybody’s time. That said, I think a public RFC or FIPS
specifying Classic McEliece is very much needed. Given the uncertainty that
NIST will standardize Classic McEliece, I think work on this should proceed in CFRG.

Cheers,
John

From: CFRG <cfrg-bounces@irtf.org> on behalf of D. J. Bernstein <djb@cr.yp.to>
Date: Wednesday, 18 October 2023 at 15:52
To: cfrg@ietf.org <cfrg@ietf.org>
Subject: Re: [CFRG] Classic McEliece
Peter C writes:
> if the CRFG wants a specification to use as an alternative to an ISO
> standard

I don't understand this framing.

First of all, there is no ISO standard on this topic. ISO actors are
permitted by ISO policy to reveal that ISO is _considering_ McEliece
standardization, but are prohibited from speculating that those
discussions will produce an ISO standard; that's a future decision for
ISO to make. If you mean "potential future ISO standard", please say
that clearly.

NIST's statements regarding Classic McEliece similarly allow NIST to
make either decision. Obviously NIST doesn't prohibit speculation about
what it'll do, but why should speculation about future standardization
by NIST and/or ISO enter into CFRG decisions regarding this draft?

We're already seeing McEliece deployment in Mullvad, for example, and in
Rosenpass. It's normal for CFRG to document cryptographic primitives in
use on the Internet.

> this is not the way to go about it.

Simon said he took the latest public spec from the Classic McEliece team
and based his draft on that. (That spec happens to have been prepared
for ISO. The ISO style file inserted an incorrect ISO copyright notice;
as one of the authors, I can confidently state that ISO does not own
copyright. Regarding the notion that ISO needs a copyright transfer, see
the quote from the ISO Directives earlier in the thread.)

If there are specific tweaks needed for IETF/IRTF then of course those
should happen, but overall the process here is exactly the right way to
go. The sharing of text simplifies review.

John Mattsson writes:
> Yes, non-public paywalled ISO algorithms should not be used at all,
> they are a cybersecurity risk.

The cost of buying ISO standards definitely reduces the amount of review
that those standards receive. However, all documents under discussion
here are, as Peter C put it, "almost" verbatim copies of each other.
Obviously this doesn't rule out the possibility of future changes, and
from a security perspective one has to be very careful with the word
"almost", but I'm not seeing how this is relevant to Simon's draft.

> I don’t care about ISO, but a CFRG publication should not differ from
> a publicly available NIST specification.

There is no NIST specification for the McEliece cryptosystem. If you
mean "potential future NIST specification", please say that clearly.

_Of course_ a future NIST specification, if one happens, should not
deviate from the careful Classic McEliece design. I'm not seeing how
this future possibility is relevant to Simon's draft.

---D. J. Bernstein (speaking for myself)