IETF Logo Mail Archive

Re: [Cfrg] Postquantum cryptography in IETF protocols

"Tams, Benjamin" <Benjamin.Tams@secunet.com> Wed, 22 March 2017 10:54 UTC

Return-Path: <Benjamin.Tams@secunet.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C93F1296AD for <cfrg@ietfa.amsl.com>; Wed, 22 Mar 2017 03:54:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wi-IHaszUZFy for <cfrg@ietfa.amsl.com>; Wed, 22 Mar 2017 03:54:32 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [62.96.220.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 741181316EE for <cfrg@irtf.org>; Wed, 22 Mar 2017 03:54:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 0E75321069; Wed, 22 Mar 2017 11:54:30 +0100 (CET)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3nnnUmjiv0lt; Wed, 22 Mar 2017 11:54:18 +0100 (CET)
Received: from mail-essen-02.secunet.de (mail-essen-02.secunet.de [10.53.40.205]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id 8342221067; Wed, 22 Mar 2017 11:54:07 +0100 (CET)
Received: from MAIL-ESSEN-01.secunet.de ([fe80::1c79:38b7:821e:46b4]) by mail-essen-02.secunet.de ([fe80::4431:e661:14d0:41ce%16]) with mapi id 14.03.0319.002; Wed, 22 Mar 2017 11:54:07 +0100
From: "Tams, Benjamin" <Benjamin.Tams@secunet.com>
To: Aaron Zauner <azet@azet.org>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Postquantum cryptography in IETF protocols
Thread-Index: AQHSopq2hRcBTqqnzEiFdQAC6FZfhqGgmnPQ
Date: Wed, 22 Mar 2017 10:54:06 +0000
Message-ID: <78B0B91A8FEB2E43B20BCCE1326131812D6C308E@mail-essen-01.secunet.de>
References: <78B0B91A8FEB2E43B20BCCE1326131812D6B62F6@mail-essen-01.secunet.de> <51780B9E-8BE5-493F-8338-AB3E80E9BFEC@azet.org>
In-Reply-To: <51780B9E-8BE5-493F-8338-AB3E80E9BFEC@azet.org>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.36.126.244]
x-exclaimer-md-config: 2c86f778-e09b-4440-8b15-867914633a10
x-g-data-mailsecurity-for-exchange-state: 0
x-g-data-mailsecurity-for-exchange-error: 0
x-g-data-mailsecurity-for-exchange-sender: 23
x-g-data-mailsecurity-for-exchange-server: cbe3d3f7-b9e3-4256-b890-f24c4306a01c
x-g-data-mailsecurity-for-exchange-guid: A13E5602-FF9A-4461-B111-6B2BA052CA33
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/O046XrUPLMLRcyjWPcJHaI8srWY>
Subject: Re: [Cfrg] Postquantum cryptography in IETF protocols
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 10:54:35 -0000

Hi Aaron,

> NewHope has been implemented in Tor and also in Chrome for testing purposes.
> As for StrongSwan: they implement quite a lot. There's also a NTRU IKE implementation
> available in StrongSwan (https://wiki.strongswan.org/projects/strongswan/wiki/NTRU). 
> Just because there's an implementation of something doesn't necessarily warrant work
> on an internet draft/standard.

The other way round does neither: Just because there are Internet Drafts specifying
PQ-safe key exchange algorithms, this does not mean they have to be implemented. Anyway,
existing implementations are indications for the need of PQ-safe key exchange algorithms. 
Therefore, in my view, it is reasonable to specify Internet Drafts for state-of-the-art
PQ-safe key exchange algorithms suitable for implementation.

> To me PQC is quite a new field and security boundaries are not as established as they're
> for say symmetric or public key cryptography (someone correct me if I've missed major
> news in that area).

I agree. But as I mentioned in an earlier post (https://www.ietf.org/mail-archive/web/cfrg/current/msg09070.html)
we will not lose anything on security if we couple candidates for PQ-safe key exchange
algorithms with classical key exchange algorithms. Not for recommending them as a final
specification but for temporarily using them in applications where PQ-safety is needed.

As I noted above, it depends on the application whether a hybrid key exchange algorithm
is used that has the chance of being PQ-secure at the cost of increased key size and
increased running complexity. But if for an application one is willing to have that trade-off,
specifications for candidates of PQ-safe key exchange algorithms would be very useful. Again,
not for recommending them as a final specification but for temporarily using them in
applications where PQ-safety is needed.

> BTW there was a recent paper with some "improved" attacks on  NewHope (it doesn't
> break the scheme, they just recommend more conservative parameter choices) - 
> https://eprint.iacr.org/2017/221

@CFRG: Is there anyone interested in specifying PQ-safe key exchange algorithms at the
state of the art suitable for implementation 
(e.g., implementations of protocols as https://tools.ietf.org/html/draft-whyte-qsh-tls13-03)?

Kind regards,
Benjamin

v2.23.0 | Report a Bug | By Email