[CFRG] Re: PQ KEM Security Considerations
Liu Icarid <icarid.liu@gmail.com> Tue, 23 June 2026 12:29 UTC
References: <CABtd3mozQC0YbqP-xz1B7U-4Ub0rHqXsXHaR92a5NWYLhfZOoA@mail.gmail.com> <20260623111110.3782711.qmail@cr.yp.to>
In-Reply-To: <20260623111110.3782711.qmail@cr.yp.to>
From: Liu Icarid <icarid.liu@gmail.com>
Date: Tue, 23 Jun 2026 20:29:51 +0800
Message-ID: <CABtd3moWTJaA5r1stVEyZRveXpzdpG0zrS8DHAAtOpZD8dL8dQ@mail.gmail.com>
To: cfrg@irtf.org
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nxj33kYgBYV4_y8nTi-lrBdBy40>
Dear Daniel,

Thank you for the comments. The original plan was to write a DAWN-specific per-KEM security consideration draft. After an email exchange with Nick, I understood that DAWN is still quite new and not mature enough for the current standardization discussion, so I changed direction and tried to write a broader security consideration draft for NTRU-family KEMs.

I agree that the result is too general in some places. Since the encryption layer of many NTRU-family constructions is RLWE-like, several issues naturally overlap with broader lattice-based KEM review. At the same time, some points in the draft came from concrete NTRU-based schemes, such as the security of tri-cyclotomic rings and the realized standard deviation of the discrete Gaussian distribution.

My intention was not to introduce another top-down process or delay concrete KEM analysis, but to provide a reference for people considering NTRU-family KEMs. I can revise the draft to make this scope clearer and to move the more general lattice-KEM checklist material out of the main line.

Best,
Yijian

On Tue, Jun 23, 2026 at 7:14 PM D. J. Bernstein <djb@cr.yp.to> wrote:
> Liu Icarid writes:
> > In response to the chairs' call for PQ KEM security-considerations and review-criteria documents, we have submitted a related individual draft:
> > Security Considerations for NTRU-family KEMs
> > draft-liu-cfrg-ntru-family-security-considerations-00
>
> Is there a reason you're focusing this on the NTRU family (i.e., Quotient NTRU)? The "short quotient in a polynomial ring" part is specific to that family but many other parts sound like they're talking about a broader range of lattice systems (e.g. "make clear which attack is being run, which lattice is being attacked, which model turns a BKZ block size into a bit cost, and which structural or algebraic attacks are outside the tool's default model").
>
> The chart in https://ntruprime.cr.yp.to/warnings.html covers a broader range of lattice systems. The distinction between quotients and products is only one aspect of the risk analysis.
>
> > Review and feedback would be welcome, especially on whether this family-level checklist is useful alongside the per-KEM documents
>
> I think there was already a big delay for the chairs to come up with an initial top-down checklist, and what would actually make progress at this point is analyzing concrete KEM documents. People will naturally say "what does this mean for other KEMs?" when relevant (rather than repeating the same discussion from scratch for each example); shared understanding of the big picture will appear bottom-up. Further delays trying to figure things out top-down will inevitably waste time on many issues that don't actually matter for any IETF/IRTF KEM decisions.
>
> ---D. J. Bernstein
>
> ===== NOTICES =====
>
> IETF BCP 78, "Rights Contributors Provide to the IETF Trust", Section 5 (normative), "Rights in Contributions", provides a modification right "unless explicitly disallowed in the notices contained in a Contribution (in the form specified by the Legend Instructions)".
>
> The official language from IETF's "Legend Instructions" for the situation that "the Contributor does not wish to allow modifications nor to allow publication as an RFC" is as follows: "This document may not be modified, and derivative works of it may not be created, and it may not be published except as an Internet-Draft."
> <https://trustee.ietf.org/wp-content/uploads/Corrected-TLP-5.0-legal-provsions.pdf>
>
> The same language is used in, e.g., RFC 5831. The same language hereby applies to this document. This is not disclaiming or limiting the applicability of IETF policies; it is strictly following IETF policies.
>
> IESG claims that the "explicitly disallowed" provision in BCP 78 is limited to the examples in Section 3 in BCP 78. That is incorrect. BCP 78 states that Section 5, "Rights in Contributions", is normative, while Section 3, "Exposition of Why These Procedures Are the Way They Are", is informative. The opt-out provision in the normative text is clear, and cannot be limited by an informative section. BCP 78 does not give IESG any authority to issue changes or purported clarifications of the rules.
>
> Rationale for exercising the BCP 78 opt-out provision: I'm fine with redistribution of copies of this document. The issue is instead with modification, such as (1) IESG's May 2025 posting of an IESG-mangled version of an appeal that I had filed and (2) IETF management selling IETF mailing-list text to AI companies. This goes far beyond what copyright law allows as fair use (such as giving quotes for purposes of commentary). When I complained about the mangled document, the IETF Executive Director responded not by apologizing but instead by asserting that IETF management had the power to do whatever it wanted.
>
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org
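Two of the checklist items raised in this exchange, stating which model turns a BKZ block size into a bit cost and checking the standard deviation a discrete Gaussian sampler actually realizes against the one a scheme claims, as an added Python example. This is not code from the draft or from either correspondent. The Core-SVP exponents 0.292 (classical sieve) and 0.265 (quantum sieve) are the widely cited values and are used here as one possible cost model, not as the model any particular KEM document uses; the rejection sampler, the sigma values and the tolerance are constructed for the illustration and the sampler is not constant-time.

```python
"""Added example (not from the draft or the thread): two reviewer checks.

1. A lattice-attack cost claim should name the model that converts a BKZ
   block size beta into a bit cost.  Core-SVP (cost 2^(c*beta)) is one such
   model; the same beta gives different bit costs under different c.
2. A scheme that claims a discrete Gaussian with standard deviation sigma
   should be checked against what its sampler realizes empirically, e.g. a
   sampler whose tail is cut too tightly realizes a noticeably smaller sigma.
"""
import math
import random

# Core-SVP exponents: assumed, commonly cited values (classical / quantum sieve).
CORE_SVP_MODELS = {
    "classical-sieve": 0.292,
    "quantum-sieve": 0.265,
}


def core_svp_bits(beta: int, model: str = "classical-sieve") -> float:
    """Bit cost log2(2^(c*beta)) = c*beta under the named Core-SVP model."""
    return CORE_SVP_MODELS[model] * beta


def compare_models(beta: int) -> dict:
    """Same block size, every model: makes the 'which model?' question concrete."""
    return {name: round(c * beta, 1) for name, c in CORE_SVP_MODELS.items()}


def sample_discrete_gaussian(sigma: float, rng: random.Random, tail: float = 12) -> int:
    """Rejection sampling from the centred discrete Gaussian D_{Z,sigma}.

    Propose x uniformly in [-tail*sigma, tail*sigma] and accept with
    probability exp(-x^2 / (2 sigma^2)).  Constructed toy sampler for the
    check; a small `tail` models a sampler that truncates too aggressively.
    """
    bound = int(math.ceil(tail * sigma))
    while True:
        x = rng.randint(-bound, bound)
        if rng.random() < math.exp(-x * x / (2.0 * sigma * sigma)):
            return x


def realized_sigma(sampler, n: int) -> float:
    """Empirical standard deviation of n draws from `sampler()`."""
    xs = [sampler() for _ in range(n)]
    mean = sum(xs) / n
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / n)


def check_sampler(sigma: float, n: int = 20000, tolerance: float = 0.05,
                  tail: float = 12, seed: int = 1):
    """Return (realized_sigma, within_tolerance) for the toy sampler.

    With n = 20000 the standard error of the estimate is about sigma/sqrt(2n),
    i.e. ~0.5% of sigma, so a 5% tolerance separates a correct sampler from
    a badly truncated one with large margin.
    """
    rng = random.Random(seed)  # seeded so the check is reproducible
    realized = realized_sigma(lambda: sample_discrete_gaussian(sigma, rng, tail), n)
    return realized, abs(realized - sigma) / sigma <= tolerance


if __name__ == "__main__":
    print("beta=400 ->", compare_models(400))
    print("claimed sigma=3.0, full tail ->", check_sampler(3.0))
    print("claimed sigma=3.0, tail cut at 1*sigma ->", check_sampler(3.0, tail=1))
```

The second check is the one a reviewer cannot do from a parameter table alone: the truncated sampler still "uses" sigma = 3.0 in its formula, but the distribution it emits has a standard deviation near 1.8, which is what a security estimate should be run against.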