Re: [openpgp] PQC encryption algorithm selection
Paul Wouters <paul@nohats.ca> Wed, 07 February 2024 16:45 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D9E9C14CEE4 for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 08:45:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.405
X-Spam-Level:
X-Spam-Status: No, score=-4.405 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QjGGjWEul12t for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 08:45:18 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E8C2C14CEED for <openpgp@ietf.org>; Wed, 7 Feb 2024 08:45:18 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4TVQvv1HbvzD5X; Wed, 7 Feb 2024 17:45:15 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1707324315; bh=QVDQfabpe8zZYthmO58bBV/+fmi+WgGRwc7pXGKhDyQ=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=GNrkiLMrbpruPpBQdw+ctp38+6qDMcBMy0iUqsKzPC+iRy1AQK4ycJCgXaWRrm4sb 5X1GNw3I7NWzh2rt/OW4IMoNaPJnNz4VOtfN6nLpyTCw1fYCFeDXjwdraxJ7VtFpFK xVy2obILd4lvWiVfkNuUWiu6cSkMkoBROMgNxFyM=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id lazvNiWfun6t; Wed, 7 Feb 2024 17:45:14 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 7 Feb 2024 17:45:13 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id BAD411118503; Wed, 7 Feb 2024 11:45:12 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id B9DCA1118502; Wed, 7 Feb 2024 11:45:12 -0500 (EST)
Date: Wed, 07 Feb 2024 11:45:12 -0500
From: Paul Wouters <paul@nohats.ca>
To: Aron Wussler <aron@wussler.it>
cc: "openpgp@ietf.org" <openpgp@ietf.org>
In-Reply-To: <WlmG-t8W8gPB6BePADYNwa365fmk6DGf3GF8Q4XZ3Ho1X3h0W9wykE364A6KDLQvU2p-lUKsftm0rQEe8V5p2jTuQgUEOQWOnlnhQJzdsgs=@wussler.it>
Message-ID: <cd68a5bb-7ed9-c1f9-ab4e-c1466d96ebae@nohats.ca>
References: <WlmG-t8W8gPB6BePADYNwa365fmk6DGf3GF8Q4XZ3Ho1X3h0W9wykE364A6KDLQvU2p-lUKsftm0rQEe8V5p2jTuQgUEOQWOnlnhQJzdsgs=@wussler.it>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/-anv42IK8QaML4skmWivIGT_x-8>
Subject: Re: [openpgp] PQC encryption algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 16:45:23 -0000
On Wed, 7 Feb 2024, Aron Wussler wrote: Speaking as an individual only. > To keep the discussion focused we're going to start from the encryption algorithm selection, KEM combiners will follow (since it may also depend on the algorithm selection). Digital signatures will also follow in another thread. > > Right now, we have the following list of algorithms (in table 1) > +====+===============================+=============+=============+ > | ID | Algorithm | Requirement | Definition | > +====+===============================+=============+=============+ > | 29 | ML-KEM-768 + X25519 | MUST | Section 5.2 | > +----+-------------------------------+-------------+-------------+ > | 30 | ML-KEM-1024 + X448 | SHOULD | Section 5.2 | > +----+-------------------------------+-------------+-------------+ > | 31 | ML-KEM-768 + ECDH-NIST-P-256 | MAY | Section 5.2 | > +----+-------------------------------+-------------+-------------+ > | 32 | ML-KEM-1024 + ECDH-NIST-P-384 | MAY | Section 5.2 | > +----+-------------------------------+-------------+-------------+ > | 33 | ML-KEM-768 + ECDH- | MAY | Section 5.2 | > | | brainpoolP256r1 | | | > +----+-------------------------------+-------------+-------------+ > | 34 | ML-KEM-1024 + ECDH- | MAY | Section 5.2 | > | | brainpoolP384r1 | | | > +----+-------------------------------+-------------+-------------+ If we pick 29, I think we should make 30 a MAY. We should pick at least one SHOULD/MUST that complies with FIPS We should pick at least one SHOULD/MUST that complies with BSI/Europe I would argue that perhaps it is a bit too soon to make these decisions now, and that it would be good to look at other WGs such as TLS and IPsec before making a choice for OpenPGP. > Finally, please note that this is not the sole opportunity to standardize PQC algorithms: as of the crypto-refresh, new algorithms will need a specification and designated expert review, and not an RFC. Right, but I think going that route would mean your algorithm really can only be a MAY. Standards track action should be needed for a SHOULD or MUST. > [1] https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-algorithm-specifications Note this draft is using the "old" names for the registry that the crypto-refresh document updates (eg PGP -> OpenPGP).
- [openpgp] PQC encryption algorithm selection Aron Wussler
- Re: [openpgp] PQC encryption algorithm selection Simo Sorce
- Re: [openpgp] PQC encryption algorithm selection Bart Butler
- Re: [openpgp] PQC encryption algorithm selection Simon Josefsson
- Re: [openpgp] PQC encryption algorithm selection Stephen Farrell
- Re: [openpgp] PQC encryption algorithm selection Paul Wouters
- [openpgp] Fw: Re: PQC encryption algorithm select… Aron Wussler
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Aron Wussler
- Re: [openpgp] PQC encryption algorithm selection Daniel Huigens
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Stephen Farrell
- Re: [openpgp] PQC encryption algorithm selection Falko Strenzke
- Re: [openpgp] PQC encryption algorithm selection iang
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Kousidis, Stavros
- Re: [openpgp] PQC encryption algorithm selection Justus Winter
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Johannes Roth
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor