Re: [Cfrg] Applied Quantum Resistant Crypto
Douglas Stebila <dstebila@gmail.com> Wed, 25 July 2018 02:23 UTC
Return-Path: <dstebila@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37788130E73 for <cfrg@ietfa.amsl.com>; Tue, 24 Jul 2018 19:23:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BLbF004HZIx6 for <cfrg@ietfa.amsl.com>; Tue, 24 Jul 2018 19:23:21 -0700 (PDT)
Received: from mail-it0-x22f.google.com (mail-it0-x22f.google.com [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C250F130E1C for <cfrg@irtf.org>; Tue, 24 Jul 2018 19:23:21 -0700 (PDT)
Received: by mail-it0-x22f.google.com with SMTP id s7-v6so6588942itb.4 for <cfrg@irtf.org>; Tue, 24 Jul 2018 19:23:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Iz4RFZ1AyfIlsbPLTWySRYNXa39lds6pWRnKex2t3As=; b=kPgzr1U2LyDlGyIMih7n/0yHe6Ls5557iGkYJJ4yoVDw7PNfJbFj2DZKc5nWCnvH7y x72c+WhxEmop4W7qL3zW1DCbFHR+TIDiNsRAFR6Qj6H7hraZYwu8fFVGddRrosdEQnAJ YUVpvGtkgmwFNSLHOYX+L+dh7141ccJSoEaBzSa7UK3ixVsyRVwmdHpFC4wRjkv+Lb1/ TCagkbeubDzT47nRvHdR/94CnfzIZndDkgLzDf6GLWFhUm0EfereQLfRU498jxEr7vG8 lPCfp7jBURzUE/9tjtgodb+1tELpDLeuHhQL5j+PvWvlbP63v+1H8D/ssQH6XuC+oSHz CHLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Iz4RFZ1AyfIlsbPLTWySRYNXa39lds6pWRnKex2t3As=; b=T1O9RrahcI/183d0jmKmRCVXZgvFjdOarIptp68q0lsLAqhsrdAcnuHlVe74M2z1OG r29o/kpA9ZxSHn4he5lvTylg9JSQoYe2mKfBw0UirOyUxYlMTuD+1jupFy8J3Yfr8lD1 NNE1VaxltEfTfc+Be6Tz4qowEb9gizlQXO8sJf3rxAdezbpUw0SfnLbyJw0t65hrM42k 1woxwK17K3aEc/4lb3iqEJ3JFGBOXBHO3ecGFuXrPK4/BL26Vg7fjPmvVrnoF/q4eBQo JfR9S7JeFbChIbrp3fVBrQwGNz0vg1kPppe/Csk6NX5Qge8HlCmWJ68Ojj+aARrRoSAQ vjwQ==
X-Gm-Message-State: AOUpUlG0dIzUBTkSdvdvct3PQSvuETPHWZ5bDyM3KmpLqGeEhdMmRvKW pQ+a4mOhD0WiG0zTSIBQXq7WT88P
X-Google-Smtp-Source: AAOMgpdaaBqlx5H/L76t28ENoNZaD++1PhyrpdHyedF1k5oGB+HPHfcLuMpzwmZj6fmBVqd5QnVkEQ==
X-Received: by 2002:a24:3d81:: with SMTP id n123-v6mr4967970itn.40.1532485400986; Tue, 24 Jul 2018 19:23:20 -0700 (PDT)
Received: from [10.0.1.8] (CPE881fa12cf37b-CMa84e3fc93e50.cpe.net.cable.rogers.com. [173.32.144.218]) by smtp.gmail.com with ESMTPSA id a11-v6sm2217204ita.21.2018.07.24.19.23.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 24 Jul 2018 19:23:20 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Douglas Stebila <dstebila@gmail.com>
In-Reply-To: <42b8b7c9-1440-217d-694f-2971013fddba@cloudflare.com>
Date: Tue, 24 Jul 2018 22:23:17 -0400
Cc: "Panos Kampanakis (pkampana)" <pkampana=40cisco.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <ECC1005F-8D47-411B-905F-4DB7A93519F3@gmail.com>
References: <42efe1a4-0532-dbb0-a21a-10120f6656b3@openca.org> <37a4f236-6842-b1ce-68f4-805f2e3f8a48@cloudflare.com> <1b8ed08eaa56457b93e1dfd3b0e7235e@XCH-ALN-010.cisco.com> <42b8b7c9-1440-217d-694f-2971013fddba@cloudflare.com>
To: Kris Kwiatkowski <kris=40cloudflare.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/xBJtuE1I2SCwpIOw36wpSaf1VYI>
Subject: Re: [Cfrg] Applied Quantum Resistant Crypto
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 02:23:24 -0000
Hi Kris and Panos, As part of our Open Quantum Safe project (https://github.com/open-quantum-safe), we have made a variety of prototypes of post-quantum key exchange (hybrid or PQ-only) and post-quantum signatures in (modifications to) OpenSSL and OpenSSH. In particular we have: - hybrid key exchange in TLS 1.2 via modifications to OpenSSL 1.0.2 (see the "OQS-OpenSSL_1_0_2-stable" branch in our openssl fork) - hybrid and PQ-only key exchange in TLS 1.3 via modifications to OpenSSL 1.1.1 (see the "OQS-master" branch in our openssl fork) - PQ-only auth in TLS 1.3 via modifications to OpenSSL 1.1.1 (see the "OQS-master" branch in our openssl fork) - hybrid and PQ-only key exchange in SSH 2 via modifications to OpenSSH All of this is built on our core library "liboqs", which provides a variety of PQ KEMs and signature schemes. There are a few different versions and we are in the middle of some refactoring, so if it is hard to find what you are looking for, feel free to email me and I can explain what's going on. Happy to discuss further and certainly welcome any ideas or participation. Douglas > On Jul 18, 2018, at 5:45 AM, Kris Kwiatkowski <kris=40cloudflare.com@dmarc.ietf.org> wrote: > > Hi Panos, > > Definitely hybrid approach, I just quickly looked at a draft, but I it's good base. Nevertheless > I'm planning to start TLS part somewhere next week and maybe. > > In fact, we would like to experiment with many different KEMs (based on different hard problems). > At a time SIDH looked quite promising (indeed key sizes). It is simply first one to try. It's also > interesting to see if work done around ECC could be "reused" for some parts of QR algorithms. > > Kind regards, > Kris > > > On 7/18/18 4:01 AM, Panos Kampanakis (pkampana) wrote: >> Hi Kris, >> >> Thank you for the update. Interested to see your results and SIKE’s performance. >> >> Were you thinking to use SIKE in TLS 1.3 a similar manner to the one proposed inhttps://tools.ietf.org/html/draft-whyte-qsh-tls13-06 which uses a hybrid approach (traditional+QRC) KEM? >> >> Also, SIKE has pretty small keys, but performance is much higher. From the reference benchmarks performance SIKE seemed to be 10^4 more expensive than the best candidate that does not have prohibitive KEM pk and ciphertext sizes. Any reason why you chose SIKE that you can share? >> >> Rgs, >> Panos >> >> >> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Kris Kwiatkowski >> Sent: Tuesday, July 17, 2018 5:28 PM >> To: cfrg@irtf.org >> Subject: Re: [Cfrg] Applied Quantum Resistant Crypto >> >> Hi, >> >> At Cloudflare we are currently implementing SIKE/SIDH in Go (https://github.com/cloudflare/p751sidh/pulls). Next step will be to add it to TLS 1.3 (https://github.com/cloudflare/tls-tris). We may want to use it for some some other things. >> I'm definitely interested in discussion regarding QRC in real-world crypto. >> >> Kind regards, >> Kris Kwiatkowski >> >> >> On 7/17/18 8:35 PM, Dr. Pala wrote: >> Hi all, >> >> I was wondering if there are people interested in setting up some sort of discussion forum where to discuss the deployment (from a practical point of view) for QRC in their systems. The intent here would be to share the experiences, provide feedback, and possibly even share implementations/references/etc. >> >> Moreover, being this quite a new field when it comes to real-world applications, it would be interesting to understand the new requirements so that we can plan for algorithm agility correctly and not having to go through what we suffered in the past (and in some cases with current protocols) to upgrade/switch among different schemes/algorithms. >> >> For example, some of the topics might include: >> >> • How to deploy PKI services >> • Mixed environments considerations (QRC and "Traditional" Crypto) >> • Mixed environments (stateful vs. stateless) >> • Encryption and Key-Exchange for QRC - what are the options there (it seems auth is well understood, but other problems are still open)? >> • Are there implications for the deployment of PKIs we need to be aware of and are not currently mentioned/addressed? >> • Any real-world deployment out there (or plans for it)? >> • Algorithm Agility, what to plan for? >> • Applicability to Revocation Services >> Most of the activities to standardize QRC in CMS/SecFirmware/etc. that I can see are related to the use of Stateful HASHSIG and I have not seen any "standardization" activities around stateless schemes (e.g., SPHINCS), but if I am wrong, please let me know (and if you could provide some interesting links, that would be great). I think it would be useful to understand how to practically deploy these new schemes and how to refine / provide the building blocks required for their implementation and deployment. >> >> Here's some references: >> >> Merkle Tree Signatures (Stateful): >> >> • https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs/ >> • https://datatracker.ietf.org/doc/draft-housley-cms-mts-hash-sig/ >> • https://www.ietf.org/id/draft-housley-suit-cose-hash-sig-04.txt >> • https://datatracker.ietf.org/doc/rfc8391/ (XMSS) >> • https://eprint.iacr.org/2018/063 (Viability of Post Quantum X.509 Certs Paper) >> • Implementations: >> • https://github.com/cisco/hash-sigs >> SPHINCS Related (Stateless): >> >> • https://sphincs.org/ >> • Implementations: >> • https://sphincs.org/data/sphincs+-reference-implementation-20180313.tar.bz2 >> Other Relevant Links: >> >> • https://datatracker.ietf.org/doc/draft-truskovsky-lamps-pq-hybrid-x509/ >> • https://csrc.nist.gov/Projects/Post-Quantum-Cryptography >> • http://test-pqpki.com/ >> I guess this is all for now - you can reply privately at the following addresses: >> >> director@openca.org >> m.pala@cablelabs.com >> >> Thanks, >> Max >> >> -- >> Best Regards, >> Massimiliano Pala, Ph.D. >> OpenCA Labs Director >> <image001.png> >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> >> >> >> -- >> Kris Kwiatkowski >> Cryptography Engineer >> Cloudflare > > -- > Kris Kwiatkowski > Cryptography Engineer > Cloudflare > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] Applied Quantum Resistant Crypto Dr. Pala
- Re: [Cfrg] Applied Quantum Resistant Crypto CJ Tjhai
- Re: [Cfrg] Applied Quantum Resistant Crypto Kris Kwiatkowski
- Re: [Cfrg] Applied Quantum Resistant Crypto Panos Kampanakis (pkampana)
- Re: [Cfrg] Applied Quantum Resistant Crypto Ilari Liusvaara
- Re: [Cfrg] Applied Quantum Resistant Crypto Kris Kwiatkowski
- Re: [Cfrg] Applied Quantum Resistant Crypto Douglas Stebila
- Re: [Cfrg] [pkix] Applied Quantum Resistant Crypto Wirth, Klaus-Dieter