IETF Logo Mail Archive

Re: [Cfrg] Postquantum cryptography in IETF protocols

John Mattsson <john.mattsson@ericsson.com> Wed, 15 March 2017 17:09 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52E5013171B for <cfrg@ietfa.amsl.com>; Wed, 15 Mar 2017 10:09:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xqO6Vo3VxOS2 for <cfrg@ietfa.amsl.com>; Wed, 15 Mar 2017 10:09:27 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B53C213171A for <cfrg@irtf.org>; Wed, 15 Mar 2017 10:09:23 -0700 (PDT)
X-AuditID: c1b4fb30-25b3698000007738-f3-58c975411287
Received: from ESESSHC016.ericsson.se (Unknown_Domain [153.88.183.66]) by (Symantec Mail Security) with SMTP id E3.B4.30520.14579C85; Wed, 15 Mar 2017 18:09:22 +0100 (CET)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (153.88.183.145) by oa.msg.ericsson.com (153.88.183.66) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 15 Mar 2017 18:08:28 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.onmicrosoft.com; s=selector1-ericsson-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=IP7A1HMYJCs3CAtIg8DG7BKt103fWepm4Jx8Y2JoJDE=; b=U4QD2G3nMPnlTZuuna+z9SAQ4zzhmWvpKYX1pgjICOV7cn7q5z5BQFBrns84c/8OFlQHMv1sEHGJw/e2/XKIV/RzZ7jtnSTCQ8Cg87V15ejfuUiMXk0KgGWMwTMAtzPNN2hQAna/gw9ORShWAY+1cjnv5E0dZNxU0Vtpk7loFu8=
Received: from DB5PR07MB1256.eurprd07.prod.outlook.com (10.164.41.146) by DB5PR07MB1253.eurprd07.prod.outlook.com (10.164.41.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.977.5; Wed, 15 Mar 2017 17:08:27 +0000
Received: from DB5PR07MB1256.eurprd07.prod.outlook.com ([fe80::f4cc:2ed2:b5c9:edb7]) by DB5PR07MB1256.eurprd07.prod.outlook.com ([fe80::f4cc:2ed2:b5c9:edb7%14]) with mapi id 15.01.0977.010; Wed, 15 Mar 2017 17:08:27 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "Tams, Benjamin" <Benjamin.Tams@secunet.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Postquantum cryptography in IETF protocols
Thread-Index: AQHSnTVSkd2C5muk90qpn8ubO1BhqqGV4MEAgAAlSgCAAC3SAA==
Date: Wed, 15 Mar 2017 17:08:27 +0000
Message-ID: <D4EF2F08.5AEC3%john.mattsson@ericsson.com>
References: <78B0B91A8FEB2E43B20BCCE1326131812D6B62F6@mail-essen-01.secunet.de> <CACsn0cmaE=W=s-uHL3tHFa6zXFnK8OA1BYHYtr5q21VtxxY8Sg@mail.gmail.com> <78B0B91A8FEB2E43B20BCCE1326131812D6B6CC3@mail-essen-01.secunet.de> <20170315152426.GA22135@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20170315152426.GA22135@LK-Perkele-V2.elisa-laajakaista.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.1.161129
authentication-results: welho.com; dkim=none (message not signed) header.d=none;welho.com; dmarc=none action=none header.from=ericsson.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [82.214.42.176]
x-microsoft-exchange-diagnostics: 1; DB5PR07MB1253; 7:D8qUdrAbh45KSs+lwixjhjNsIVgBAEjW6H8peD9RffJSxTe7UzUhU7qTLAMhisPJ59RWqVHvXzLez7hULwS+pFNeZYesJ+j5gdMTKuKPGQd/MG1F0MHluW/GdZowYQxainASb3Yd0/11niL7AD/uAxFMm2MK2lfbpTJd5x/Rdov0HacmOy02ot8TGo1HlZXYd3UfsoyZ9ym2HMkAk3fhtqQrVwbF5yxzioMHZ12Ol2UOZ1el7yehQaaXZscIHDgv8V40YJIeJtGrw3FpFynhNDzZH2B1XbYQvJg1D9rjtwWi+blYXEw1fMKCezIrc+j/WuOfXV4WawyeVPtq624doA==
x-ms-office365-filtering-correlation-id: 06621f06-d8c2-47b8-02b7-08d46bc5e5d3
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DB5PR07MB1253;
x-microsoft-antispam-prvs: <DB5PR07MB1253A131715364F43CAA0C9689270@DB5PR07MB1253.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(266576461109395);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6041248)(20161123558025)(20161123562025)(20161123555025)(20161123560025)(20161123564025)(6072148); SRVR:DB5PR07MB1253; BCL:0; PCL:0; RULEID:; SRVR:DB5PR07MB1253;
x-forefront-prvs: 02475B2A01
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(39450400003)(24454002)(377424004)(7736002)(305945005)(6436002)(99286003)(6486002)(189998001)(36756003)(53546007)(6506006)(2900100001)(229853002)(86362001)(66066001)(50986999)(8676002)(81166006)(38730400002)(3660700001)(2950100002)(5660300001)(6246003)(8936002)(54356999)(6306002)(6512007)(4001350100001)(76176999)(3846002)(102836003)(4326008)(93886004)(53936002)(6116002)(3280700002)(2906002); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR07MB1253; H:DB5PR07MB1256.eurprd07.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <59049A20E8522347B58E656E553002BD@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Mar 2017 17:08:27.3216 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR07MB1253
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprFKsWRmVeSWpSXmKPExsUyM2K7k65T6ckIg6/tHBav731ktej+cZDJ 4v3u6SwOzB6TNx5m89jUuoTV43b3HLYA5igum5TUnMyy1CJ9uwSujCevX7EU3BGpeLmhhbGB cYZIFyMnh4SAicSan7tYuhi5OIQE1jFKTF33kg3COcEosfHXGlYQh0Wgl1mi8ftzdojMVCaJ o5cPMUI4jxklLr36zgIyjE3AQGLungagfg4OEYE4if17tUDCzALKEovWn2ACsYUF7CSat15k BbFFBOwlznZ1MULYThKfu6eygdgsAqoSqxdNAavnFTCX2HP/PZgtJDCLSeLVRRcQm1PAQ6Jv 4VmwOKOAmMT3U2uYIHaJS9x6Mp8J4jcBiSV7zjND2KISLx//A9srKqAnsfz5GmaQ+xkFehkl Gn5+ZYEo0pE4e/0JI4StKHGjfQcrhN3DLPGutwTC9pW4dm05K4y9bPFlqPpsiUWvr0EttpZY 1HAZbIEEyNFfbryFapCR+HvnCpS9k0Vi3sHKCYw6s5AcPgsYdswCmhLrd+lDhD0k/t84wA5h K0pM6X4IZvMKCEqcnPmEZQEj6ypG0eLU4qTcdCMjvdSizOTi4vw8vbzUkk2MwBRzcMtvgx2M L587HmIU4GBU4uH9EHYyQog1say4MvcQowQHs5II76ZioBBvSmJlVWpRfnxRaU5q8SFGaQ4W JXFes5X3w4UE0hNLUrNTUwtSi2CyTBycUg2ME1edOe55eUdJcNZxmZWLf8/KtpgbMTOsScXE LzWvdMHGvkNWy1ccinicse9hxqHVuv9yc1TZ11p76+6fphjW/tbrwjzJ3GQRL/UPxxLiHwj9 YRH+3VfCae6+Z7Po07v/Nnlof0yNc/7C8UI2Pv5EJ0ebZ3hs+NLLe27capm0P3CbzbE1io9k lViKMxINtZiLihMB8WEsiS0DAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/WGwbyU-b-TNyijDpvOgsPl7t0fo>
Subject: Re: [Cfrg] Postquantum cryptography in IETF protocols
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Mar 2017 17:09:29 -0000

TLS 1.3 forbids static RSA for a reason, draft-whyte-qsh-tls13-03 seems to
bring it back in the form of static NTRUEncrypt. I see no reason to do
that. If someone wants to do early PCQ in TLS 1.3, I think the two lattice
based protocols suggested by David McGrew (Frodo, New Hope) as well as
Supersingular Elliptic Curve Igogeny Diffie-Hellman (SIDH) is the way to
go. The lattice-based variants are fast while SIDH has much smaller
ephemeral keys.

John



On 2017-03-15, 16:24, "Cfrg on behalf of Ilari Liusvaara"
<cfrg-bounces@irtf.org on behalf of ilariliusvaara@welho.com> wrote:

>On Wed, Mar 15, 2017 at 01:10:58PM +0000, Tams, Benjamin wrote:
>> Hi Watson,
>> 
>> > Why should we preempt the current NIST postquantum standardization
>>efforts?
>> 
>> https://tools.ietf.org/html/draft-whyte-qsh-tls13-03
>
>Briefly read that document. Some quick comments:
>
>- Looks quite confusing. Especially the parts about HelloRetryRequest.
>  But looking closer, that message is not used except for handling
>  missed algorithm guess, right? So that if client guesses right (and
>  it can make multiple guesses at cost of computation and bandwidth)
>  there might not be HRR, right?
>- I don't think extending TLS extensions past 64kB is feasible.
>  Especially in ClientHello It would require changes with nasty
>  side-effects.
>- The document looks to be made for older draft of TLS 1.3. The
>  way key is combined is bit unclear. I presume the key mixing
>  should be done in two steps (adding a new step into TLS 1.3
>  key schedule, as the two existing mixing steps are already
>  used for PSK and DH) because that's likely the easiest to
>  implement.
>- Adding new handshake messages should be avoided, but AFAICT,
>  there are none added.
>
>
>-Ilari
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email