[CFRG] Re: Progressing NTRUPrime/Classic McEliece drafts

John Mattsson <john.mattsson@ericsson.com> Mon, 27 January 2025 13:32 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Harry Halpin <hhalpin@ibiblio.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Mon, 27 Jan 2025 13:32:42 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yNB_vbGS_5L0-CR-jinB4hBGoWg>

Hi,

IETF has never limited itself to NIST-approved algorithms. A lot of IETF protocols specify use of MD5, ChaCha20, X25519, X448, Ed25519, Ed448, Camellia, Brainpool, GOST, SM, Seed, Aria. CFRG/IETF furthermore specifies OCB3, Argon, AES-SIV, AES-GCM-SIV etc. I expect the same to hold for post-quantum cryptography.

Hopefully NIST will standardize Classic McEliece. In that case I do not see any need for a CFRG specification. Two specifications are worse than one. While NIST reviews its specifications every 5 years, invites comments, publishes the comments, and updates specifications based on comments, RFCs like RFC 3610 and RFC 4493 will likely never be updated.

Using non-standardized crypto from a single person does not seem like a good idea... And not trusting ML-KEM, ML-DSA, and SLH-DSA because they won the NIST competition does not seem rational. They were designed and analyzed by a huge number of cryptographers from all over the world. I think ChaCha20, X25519, Ed25519, and Classic McEliece should be used because they have superior technical properties for some use cases, not because DJB designed them.

The lessons from several recent events should be that SIGINTs globally try to weaken security in implementations. That can be done through standards in any SDO, by paying persons or organizations, or by affecting implementations. ISO cryptographic specifications are much worse than NIST’s, with a huge number of insecure options.

I don’t think the deployments should be the deciding factor. I think IETF/CFRG should use and specify algorithms based on technical merits. Existing deployments are often, but far from always, a sign that the algorithms have technical benefits in some applications. I am very much against the idea that IETF should have it as a goal to use non-NIST algorithms.

Cheers,
John

From: Harry Halpin <hhalpin@ibiblio.org>
Date: Monday, 27 January 2025 at 13:32
To: cfrg@irtf.org <cfrg@irtf.org>
Subject: [CFRG] Re: Progressing NTRUPrime/Classic McEliece drafts
We are also working to deploy Classic McEliece in our VPN software: https://nym.com.

The SimpleX chat protocol is using Classic McEliece:
https://simplex.chat

At least my company, Nym, would be disappointed if IETF protocols and algorithms were limited to NIST-approved post-quantum cryptography.

As an advisor of the Progressive International (https://progressive.international), various governments outside of the USA and Western Europe that we work with (mostly in Latin America, and I happen to be in the Middle East rn) would also be disappointed. Although everyone in the US (and many in Europe) have forgotten the Snowden revelations, including the problematic relationship between NIST and NSA, various governments and organizations in the Global South do tend to trust DJB-approved crypto more than NIST-approved crypto.

Of course, we want to avoid too many algorithmic options, but that is not the case with Classic McEliece. In general, support of NIST should not preclude other deployed non-NIST approved algorithms if there is reasonable evidence of deployment, although reasonable people may disagree on what is reasonable.

  Yours,
     Harry

On Mon 27 Jan 2025 at 2:40 PM, D. J. Bernstein <djb@cr.yp.to> wrote:
More data points regarding Classic McEliece deployment: https://mceliece.org

Rationale for deployment: https://classic.mceliece.org/talks/20240917.pdf

---D. J. Bernstein
