IETF Logo Mail Archive

Re: [openpgp] PQC encryption algorithm selection

Simo Sorce <simo@redhat.com> Wed, 07 February 2024 14:03 UTC

Return-Path: <simo@redhat.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B169AC14F60B for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 06:03:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RFAVXgNwqhMU for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 06:03:58 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 451DBC14F5FE for <openpgp@ietf.org>; Wed, 7 Feb 2024 06:03:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1707314635; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=OLEjWnMaNbHJNqbUbUqcH1lFA0Y8a0CNpTHPiHh7l1I=; b=TDlEWlkdSDR5lyBBd/34sFdxyHTXMzMu6jjAO3rVt7jCBJSNJfSsu9moUQKYVnVsfE/gUE E7MVqP0oNbmGr5+zZO0xkw7Ph8Tlxfp43Tsg/JiVfkiCFB5e106zgcsvD7W396OcVp8BlV rK7HjpRWTpWxKWVNNDvFQbqM5fA8LdQ=
Received: from mail-qv1-f70.google.com (mail-qv1-f70.google.com [209.85.219.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-416-G5pqp3YNOW6_Kt47FnyNrw-1; Wed, 07 Feb 2024 09:03:54 -0500
X-MC-Unique: G5pqp3YNOW6_Kt47FnyNrw-1
Received: by mail-qv1-f70.google.com with SMTP id 6a1803df08f44-68058b0112cso11019306d6.1 for <openpgp@ietf.org>; Wed, 07 Feb 2024 06:03:54 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707314634; x=1707919434; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=OLEjWnMaNbHJNqbUbUqcH1lFA0Y8a0CNpTHPiHh7l1I=; b=r4HJNMhuqLbHrMmoPY4sEKJ5vRJdcwXq2/PVswsBOfswqMF/TaERxrEOiWD6khW3j9 YoR89gAaquaS/G4icq0gS/VbbB3o42MGA3SUGU2C/DeCImu4Myg92ohTa9negWrO6JGz 7KdPaR9rkG6LmrDZk2q3nNQiVLaa2zfESdw5ckgyjIWxsZ/8IgAZQ7MpSy6jJ5j6wng2 hkfzrx1MjqXdLvFRcEgMTZcQd3gc/YzOOx6W/IfCCfzuo+w+6WN7HeoQPgA9QAm01liC chHFIlWL3Sukm3KVx3iSNf1Cw4DnLxi02+cjTYhawWwpE7obGAwNaEUSvBHGiPQwhrEN Wy0A==
X-Gm-Message-State: AOJu0YxcdO825+cMn5o15D/C3d78TLZc/QXA1koMCLwKuhd8r21LBYGV R281hPk79jZC6ii7CC9xvcpSxtla/lsAeuRqZjTOGdKUFWSJb9cPy3A2J55iTAm20aSs8ZbcVbm 6mCCooIrJKq1KEpzk/9aL1Nsw+VmY4Y8xaFGNIb0Lcezk/i2oh1Q57Q==
X-Received: by 2002:a0c:f012:0:b0:68c:7e7f:7348 with SMTP id z18-20020a0cf012000000b0068c7e7f7348mr5167278qvk.48.1707314633614; Wed, 07 Feb 2024 06:03:53 -0800 (PST)
X-Google-Smtp-Source: AGHT+IH1YPzgM+OEJLarukv1s6PRHTAZpgPBodztOiNmue+vMv8o3/8yiixoKG/JpZrlI7JHYdp2mg==
X-Received: by 2002:a0c:f012:0:b0:68c:7e7f:7348 with SMTP id z18-20020a0cf012000000b0068c7e7f7348mr5167256qvk.48.1707314633300; Wed, 07 Feb 2024 06:03:53 -0800 (PST)
X-Forwarded-Encrypted: i=1; AJvYcCXe2bfZETXQY7mk3gx8pLcyPWqCUK5mGKcPrwBALlfdYg/nm1NmEsNI/US6spsq5a+4ivHsu81bHVXAiiMRvs2Y
Received: from m8.users.ipa.redhat.com (2603-7000-9400-fe80-0000-0000-0000-0657.res6.spectrum.com. [2603:7000:9400:fe80::657]) by smtp.gmail.com with ESMTPSA id op5-20020a056214458500b0068cb0453881sm602734qvb.96.2024.02.07.06.03.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Feb 2024 06:03:53 -0800 (PST)
Message-ID: <1bbfbdbb7c927a0d5a3fc408ef2f1a02d3447a65.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Aron Wussler <aron@wussler.it>, "openpgp@ietf.org" <openpgp@ietf.org>
Date: Wed, 07 Feb 2024 09:03:52 -0500
In-Reply-To: <WlmG-t8W8gPB6BePADYNwa365fmk6DGf3GF8Q4XZ3Ho1X3h0W9wykE364A6KDLQvU2p-lUKsftm0rQEe8V5p2jTuQgUEOQWOnlnhQJzdsgs=@wussler.it>
References: <WlmG-t8W8gPB6BePADYNwa365fmk6DGf3GF8Q4XZ3Ho1X3h0W9wykE364A6KDLQvU2p-lUKsftm0rQEe8V5p2jTuQgUEOQWOnlnhQJzdsgs=@wussler.it>
Organization: Red Hat
User-Agent: Evolution 3.48.4 (3.48.4-1.fc38)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/1nTTZVyJfdSBjP9w4iq99Qcp9Mg>
Subject: Re: [openpgp] PQC encryption algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 14:03:58 -0000

Hi Aron,
Why so much redundancy in EC curves?

This is basically the same thing 3 times over, wouldn't it be more
appropriate to just allow a singe EC curve family so there is no risk
of interoperability issues between implementations ?

Simo.

On Wed, 2024-02-07 at 11:39 +0000, Aron Wussler wrote:
> Hi everyone,
> 
> In the next weeks, before IETF 119, we'd like to collect feedback about the algorithm selection implemented in the draft [1]. We're interested in presenting some vectors for the next meeting. It would be great if you could provide feedback by March 1st.
> 
> To keep the discussion focused we're going to start from the encryption algorithm selection, KEM combiners will follow (since it may also depend on the algorithm selection). Digital signatures will also follow in another thread.
> 
> Right now, we have the following list of algorithms (in table 1)
>     +====+===============================+=============+=============+
>     | ID | Algorithm                     | Requirement | Definition  |
>     +====+===============================+=============+=============+
>     | 29 | ML-KEM-768 + X25519           | MUST        | Section 5.2 |
>     +----+-------------------------------+-------------+-------------+
>     | 30 | ML-KEM-1024 + X448            | SHOULD      | Section 5.2 |
>     +----+-------------------------------+-------------+-------------+
>     | 31 | ML-KEM-768 + ECDH-NIST-P-256  | MAY         | Section 5.2 |
>     +----+-------------------------------+-------------+-------------+
>     | 32 | ML-KEM-1024 + ECDH-NIST-P-384 | MAY         | Section 5.2 |
>     +----+-------------------------------+-------------+-------------+
>     | 33 | ML-KEM-768 + ECDH-            | MAY         | Section 5.2 |
>     |    | brainpoolP256r1               |             |             |
>     +----+-------------------------------+-------------+-------------+
>     | 34 | ML-KEM-1024 + ECDH-           | MAY         | Section 5.2 |
>     |    | brainpoolP384r1               |             |             |
>     +----+-------------------------------+-------------+-------------+
> 
> Please provide feedback on the algorithms, and if you think they should be "MUST", "SHOULD", or "MAY". The proposed list is derived from the results of the NIST standardization process, hybrid with the curves already supported from OpenPGP for compliance purposes.
> 
> Finally, please note that this is not the sole opportunity to standardize PQC algorithms: as of the crypto-refresh, new algorithms will need a specification and designated expert review, and not an RFC.
> 
> Cheers and thanks,
> Aron
> 
> 
> [1] https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-algorithm-specifications
> 
> --
> Aron Wussler
> Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

v2.23.0 | Report a Bug | By Email