Re: [IPsec] New Liaison Statement, "Quantum Safe Cryptographic Protocol Inventory"

John Mattsson <john.mattsson@ericsson.com> Sat, 24 February 2024 14:40 UTC

To: "ipsec@ietf.org" <ipsec@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "pqc@ietf.org" <pqc@ietf.org>, "TLS@ietf.org" <tls@ietf.org>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/cqb1QYOsi3DjSF8LNVMs1EIU9Qo>

Hi,
Even if JOSE WG is not included in the recipients, I looked at this LS and TR 103 619 that the LS refers to. In addition to the requested information, I think IETF should send ETSI CYBER comments on TR 103 619 that the LS is based on. My suggestions:

---------------
IETF kindly suggests that ETSI CYBER makes the following updates/corrections in the next revision of TR 103 619:

  *   IETF suggests that ETSI CYBER uses the established term Cryptanalytically Relevant Quantum Computers (CRQCs). It is important that readers understand that there is a huge difference between current quantum computers and CRQCs.

  *   IETF suggests that ETSI CYBER uses another term than “classical cryptography”. Quantum-resistant cryptography like ML-KEM and ML-DSA runs on classical computers, and code-based cryptography and hash-based cryptography were invented in the late 1970s.

  *   As ETSI CYBER mentions that Quantum Key Distribution is not vulnerable to attacks from CRQCs, ETSI CYBER should also mention that Quantum Key Distribution is neither a practical nor a secure solution [1-2].



  *   IETF advises ETSI CYBER to update and correct the information regarding symmetric cryptography. The idea that symmetric cryptography will be practically affected by CRQCs is now seen as a misconception. The “bits of security” concept does not work with algorithms that are not parallelizable and NIST is therefore transitioning to quantum-resistant security levels based on symmetric algorithms where level 1 is equivalent with AES-128, level 2 is SHA-256, etc. [3]. UK government assesses that “symmetric algorithms with at least 128-bit keys (such as AES) can continue to be used” [4]. While classical supercomputers might be able to brute force AES-128 around the year 2090 [5-6], a huge cluster of one billion CRQCs (according to one estimate costing one billion USD each) would take a million years of uninterrupted calculation to find a single AES-128 key. Algorithms with quadratic (n²) speedup like Grover’s algorithm (which is proven to be optimal) will not provide any practical quantum advantage for breaking symmetric cryptography and likely not for any other problems [7-8].



  *   The name of the X.509 field is “Subject Public Key Info”, not “Subject Key Info”.

[1] ANSSI, BSI, Netherlands NCSA, Swedish NCSA, “Position Paper on Quantum Key Distribution”
https://cyber.gouv.fr/actualites/uses-and-limits-quantum-key-distribution
[2] NSA, “Quantum Key Distribution (QKD) and Quantum Cryptography (QC)”
https://www.nsa.gov/Cybersecurity/Quantum-Key-Distribution-QKD-and-Quantum-Cryptography-QC/
[3] NIST, “Comments Requested on Three Draft FIPS for Post-Quantum Cryptography”
https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography
[4] UK NCSC, “Next steps in preparing for post-quantum cryptography”
https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography
[5] CRYPTREC, “Cryptographic Technology Evaluation Committee Activity Report”
https://www.cryptrec.go.jp/symposium/2023_cryptrec-eval.pdf
[6] CRYPTREC, “Japan CRYPTREC Activities on PQC”
https://events.btq.li/Japan_CRYPTREC_Activities_on_PQC_Shiho_Moriai.pdf
[7] Hoefler, Häner, Troyer, “Disentangling Hype from Practicality: On Realistically Achieving Quantum Advantage”
https://cacm.acm.org/magazines/2023/5/272276-disentangling-hype-from-practicality-on-realistically-achieving-quantum-advantage/fulltext
[8] Babbush, McClean, Newman, Gidney, Boixo, Neven, “Focus beyond Quadratic Speedups for Error-Corrected Quantum Advantage”
https://arxiv.org/pdf/2011.04149.pdf
---------------
Cheers,
John Preuß Mattsson