IETF Logo Mail Archive

Re: [CFRG] Google's (current) Threat model for Post-Quantum Cryptography

Orie Steele <orie@transmute.industries> Tue, 12 March 2024 23:43 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A50BC14F69E for <cfrg@ietfa.amsl.com>; Tue, 12 Mar 2024 16:43:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.085
X-Spam-Level:
X-Spam-Status: No, score=-7.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3RqB0SdEVI0x for <cfrg@ietfa.amsl.com>; Tue, 12 Mar 2024 16:43:44 -0700 (PDT)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D8F2C14F6B5 for <cfrg@irtf.org>; Tue, 12 Mar 2024 16:43:44 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id d9443c01a7336-1dc75972f25so3795855ad.1 for <cfrg@irtf.org>; Tue, 12 Mar 2024 16:43:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1710287023; x=1710891823; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RdDTeuc6fbNSA5Lf8pG/YQZo1RPqX6alibH/KArF1L4=; b=bEtJV1nJvXfI/EQOD3v/5cEDilqyTxQikfY82uUGibv30GHDGOUiaBzwkpGU+fg7L8 xp0UoXzMXDT6kUEyX614th64oIwi61EtVEVRlsWtArh7ZvViRF1y3xHmNU+T0kwCSL2M dDffHx0OJphjU1hj8ET85i4tbpQ2m1BI6447jXbg2zwPujSd9iaJI1qf/0i52LGXHLl3 UHchB3SVwY3KhgdJXEsCB4tVUZ9FtjOZ+L96UMPlEnqVbb59vQOkFgE+7+IPeTElntN6 vE4y2MD9Z917bz4LJolqbOlvscBTfjrBoMIzu9o6cv8bpUmvNoCO+6DlRemCNNmO/5bz iutA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710287023; x=1710891823; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RdDTeuc6fbNSA5Lf8pG/YQZo1RPqX6alibH/KArF1L4=; b=gVS/gVyKNyvI/17fFsfTOjyId2SPN8qklg6c+q/LepqnX+iQgRucaoqXcDtKONbUl3 wLQEqUodgJsmqV9LyCS4GYCA8sdbFGO5Jfy/FTszK80tx4Sw/ICvSSRHL4EZJU8hSh/w KfU7nfSclvZUAjvp+VmfqJZkax69nOri0c/C0nFR3Ow4mUUEDbigLFvbn+1/1stjuPEV DG1ftqy9blBoVOqVADIBOLc51jIannM/6GvhFF48R62GKBWbR746WPmtHII2TIgWa9Qq 89AWGrPnq9gRtnd0sva+Xj86Jqd5bZSePGLnO8CPLJp/e4ZoIZdqGNxEFlzuUlsvpCPq pVdw==
X-Forwarded-Encrypted: i=1; AJvYcCUS26w9alaEjDFlw6JXvMnfKYmAlTw0MWRUOv5zTrmfxoYSoj8wLDJHci9iKRaj1qK7wsZVIo88AOoDhDzD
X-Gm-Message-State: AOJu0YwWabYiUajVl3DDOqZyQVLJX+VDLKfo0KT63ljDo5VGKR8Cttj6 UZDmU2K1zWhwApmPt2B8ZSutndmwUOqmsR82gxnN/YraiEBFPZPXLezzcU3vg1dnr5tnojiU1rh CGrQXFqepNOikELUst3yQz9Mh51ehRN+wBN06hA==
X-Google-Smtp-Source: AGHT+IHuaeukYmICW55qNBjJ5TuThV8fEc6nrB13y4tot2Kg2eNUPDflQF3gH6FMtWMwvGaW6ofFSghsVnrEFCX636Y=
X-Received: by 2002:a17:902:eac4:b0:1db:3618:fed5 with SMTP id p4-20020a170902eac400b001db3618fed5mr4371433pld.53.1710287023494; Tue, 12 Mar 2024 16:43:43 -0700 (PDT)
MIME-Version: 1.0
References: <2D2B67B4-9E1D-46DA-A2EE-08D89BFE254D@akamai.com> <CAN8C-_J0_bQRTymi0O+OtNOcid6P5m9EYj-MaZP_MJe=_VXKiw@mail.gmail.com> <3ee20938-95a5-40d3-9930-8ae8db3ed3d8@cs.tcd.ie> <CAEEbLAaXG+=shtAqf4DMJBZXm6qDCqYwh9_9ri1TY05gFW10gQ@mail.gmail.com>
In-Reply-To: <CAEEbLAaXG+=shtAqf4DMJBZXm6qDCqYwh9_9ri1TY05gFW10gQ@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Tue, 12 Mar 2024 18:43:32 -0500
Message-ID: <CAN8C-_JnpB9KXBJrSJhqt7tpzdreVswg19e1HeQBRrzRQSm68w@mail.gmail.com>
To: Sophie Schmieg <sschmieg@google.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000007ff86706137f3a99"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/T-WsC_yzCpd3kxrSqu-1dMlEEZw>
Subject: Re: [CFRG] Google's (current) Threat model for Post-Quantum Cryptography
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2024 23:43:48 -0000

Sophie,

Thank you and your co-authors for this thoughtful post.

The recommendation to use hybrid signatures for software signing, is noted
to have a "relatively relaxed timeline."

I imagine HSM support for hybrids takes a long time to develop, and in the
meantime CMS and COSE will be seen as incompatible with these
recommendations.

I agree that it would be simple to "sign twice and concatenate, verify with
&&" ...  that sounds like a generic combiner strategy to me : )

... We've got some slides for the PQUIP session at IETF 119 to help think
about this.

Making a recommendation to use hybrids, without offering a shared building
block is inviting an alternative interpretation... If that alternative view
gets burned into hardware... I think that would be unfortunate, if it were
so easily avoided... Is this an imagined risk, or a real one?

I also agree with Stephen, that CFRG consensus could save working groups a
lot of time.

I see two ways that time could be saved:

1. CFRG chills out wrt hybrid signatures, and everyone hears the message
and gets the time back.
2. CFRG recommends one or two experimental hybrid signatures, built on a
simple combiner like the one you mentioned.

People who's paranoia prevents them from ever chilling out can implement
these signatures, and provide feedback on the process... and since there is
a limited number of them, CFRG has done its best to limit the timeloss /
damage.

Perhaps smaller PQ signatures emerge in the next few years, and make it
through NIST's process, and we're confident enough to deploy them without
using hybrids.

Thanks again.

OS

On Tue, Mar 12, 2024 at 6:08 PM Sophie Schmieg <sschmieg@google.com> wrote:

> The hybrid recommendations are somewhat intentionally kept vague in order
> to not add yet another hybridization scheme by accident :)
> The unfortunate reality we have to deal with is that we have to use P256
> for compliance purposes in some scenarios, but among hybrids X-Wing is
> currently looking the strongest and is using X25519. I would much prefer
> having a single clear scheme that we could recommend there.
> I do think there is some urgency on the KEM hybridization, because I fear
> that we will see an explosion of different hybrid schemes once the NIST
> standards are out, unless there is a clear go-to choice.
> In a way this is in my opinion an extension of the mess we have with key
> derivation functions in general, where every protocol does their own
> similar but incompatible thing. The worst offender there is ECIES, where it
> took us an embarrassingly long time to finally standardize HPKE.
>
> For signature hybrids, I honestly think just using the simple "sign twice
> and concatenate, verify with &&" hybrid scheme is good enough to eventually
> win even in absence of a standard.
> But yeah, I think in general signatures are far more experimental at this
> point in time, many use cases will require more of an exploratory
> approach, which definitely makes getting the hybrid right on first try less
> of an urgent problem.
>
> On Tue, Mar 12, 2024 at 3:24 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
>>
>>
>> On 12/03/2024 22:04, Orie Steele wrote:
>> >> Our current recommendation is to use either Dilithium3 (FIPS 204,
>> ML-DSA)
>> > in hybrid with ECDSA/EdDSA/RSA, or SPHINCS+ (FIPS 205, SLH-DSA) for this
>> > use case.
>> >
>> > I fear how many different variants of these we may see in protocols
>> without
>> > some baseline guidance from CFRG.
>>
>> I prefer the bits saying to mostly not worry about signatures
>> for now and chill out a bit wrt those. (yeah, my interpretation:-)
>>
>> If we did pay attention to that (and we should) I think it takes
>> away most of the problem with hyrbid combnbatorics.
>>
>> I'd love it if cfrg had consensus on something like that as I
>> think it'd save a bunch of IETF WGs a bunch of time over the
>> next couple of years.
>>
>> Cheers,
>> S.
>>
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://mailman.irtf.org/mailman/listinfo/cfrg
>>
>
>
> --
>
> Sophie Schmieg | Information Security Engineer | ISE Crypto |
> sschmieg@google.com
>
>

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email