Re: [openpgp] PQC signature algorithm selection
Daniel Huigens <d.huigens@protonmail.com> Fri, 23 February 2024 17:13 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BBE1C157915 for <openpgp@ietfa.amsl.com>; Fri, 23 Feb 2024 09:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJbVk8AHpuq9 for <openpgp@ietfa.amsl.com>; Fri, 23 Feb 2024 09:13:50 -0800 (PST)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64F85C1516F8 for <openpgp@ietf.org>; Fri, 23 Feb 2024 09:13:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1708708427; x=1708967627; bh=8Zs4O3sJrkUQeiHjcYlJXLu1aAYsr3YbHJKX1rXYQFc=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=CpQ330JMjkrAE6tjH4GFlfoBOqExjwQcfKPfsNzWXwMcNMdMzePE/ejf8htRUQ4OT 402Wnyosf/CG6hiCxzcFuzjmaC9W+W9Hfh8CPia0TneaS8VMaqQVjeCaaOMCgaUpLL hoq52z/xlJKbGQOwb+xs9az+eNmur0ah5LaeL3IT8OtkBkN0lrAQ/s3yV5g4305Eei rkbXxBOIqZwC8uKYXeAvcFvSmm4iI+LSNYno+XCRK7oXhCSdrXCPk4kWOw+ljNprW3 6mz98GSM3Hfm4EMfU0IBNd1Ll1KyBIdL/I7M3LOm6cq1HGBTGpYEhnP7wAzb/VA7kC mp1ss3yKcMklQ==
Date: Fri, 23 Feb 2024 17:13:34 +0000
To: Werner Koch <wk@gnupg.org>, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Aron Wussler <aron@wussler.it>, "openpgp@ietf.org" <openpgp@ietf.org>
Message-ID: <djKzpnksQ-GpRlLASRuYHIOpi9dxvH1bYNS7FIT2VXlVXXDKYHfm5vjDPVqIkBqhtSim170atawNrr7AJcnpY2lXVvClQxJp1oZe1ZnhqQc=@protonmail.com>
In-Reply-To: <87o7c737in.fsf@jacob.g10code.de>
References: <KoQWmWaeY2lKLiKIiFQelFQ49xHnFQV6SVrWGMjUtMcF237bLEyMEUuqHLgbJGk1mg9M6Aw7UCCgTYTVlWcRmviOEOzq1Gk1mB7UA6vlxTk=@wussler.it> <6f322608-198d-41bd-9396-c2fc3c523f0b@cs.tcd.ie> <87o7c737in.fsf@jacob.g10code.de>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/7n22VzjRwZJ7n-Je5tEox1Qz1Mc>
Subject: Re: [openpgp] PQC signature algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Feb 2024 17:13:55 -0000
On Friday, February 23rd, 2024 at 09:32, Werner Koch wrote: > A modified PGP 2 implementation once used algorithm > ids 2 and 3 to add key usage restrictions to RSA. This was also the > wrong way and OpenPGP sorted this out. Having a single algorithm ID for RSA signing and encryption has caused some issues in practice, for example, some uncareful implementations have used RSA signing keys to encrypt, which forces us to now carry a `allowInsecureDecryptionWithSigningKeys` config option in OpenPGP.js, for compatibility reasons. And, signing and encrypting with RSA really is a different operation, and should not have been intermixed, IMO. Of course you might argue the difference between ML-DSA-65 and -87 is not as big as between RSA signing and encryption, however, I hope you'll agree that Ed25519 is a different algorithm than ECDSA, and so Ml-DSA-65 + Ed25519 should also have a different algorithm ID than ML-DSA-65 + ECDSA-NIST-P-256, for example. Beyond that, having fully-specified algorithm IDs (i.e. with all the parameters included in the algorithm ID) also simplifies the implementation, and since there's not really a risk of running out of available IDs, I would prefer to keep the current separation. That being said, I personally also (like Simon) think the current draft specifies a few too many combinations, and I would support splitting some of them (e.g. the combinations with NIST and Brainpool curves) off into separate documents. So I would tend to keep: - ML-DSA-65 + Ed25519: MUST - ML-DSA-87 + Ed448: SHOULD - SLH-DSA-SHA2 or -SHAKE (no strong preference, but I'd keep at most one of them): MAY And even for SLH-DSA, I would tend to pick one or two of the parameter sets and specify them in the algorithm ID, rather than having 2 * 6 parameter sets. Also because if we have ML-DSA-65 and -87 as an option as well, perhaps we don't need the full range of security & performance possibilities / trade-offs of SLH-DSA? On Friday, February 23rd, 2024 at 12:26, Simon Josefsson wrote: > 2) Mandate two different PQ algorithms to get PQ-interop which reduce > the risks that the protocol is designed around one particular PQ > algorithms that does not generalize to others. It seems like SLH-DSA isn't really feasible to use for all applications (in particular email), and so I wouldn't like to mandate it. Also - since the protocol already exists, if there's something that needs to change to adapt to SLH-DSA, we'll have to do that separately anyway, and writing a MUST here won't really be enough by itself to make that happen, I think. > 4) Don't reduce security along the way. This argues for strong > conservatively designed combiners of PQ and non-PQ algorithms, and > always avoid using PQ-algorithms in non-hybrid modes. I agree in general, but AFAIU, SLH-DSA is battle-tested enough by now that it can be used by itself, without a fallback on EdDSA or ECDSA. That being said, it probably doesn't add much to the size or time required percentage-wise, so I wouldn't strongly object either. Best, Daniel
- [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Werner Koch
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Orie Steele
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Derek Atkins
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Bart Butler
- Re: [openpgp] PQC signature algorithm selection iang
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Derek Atkins
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC signature algorithm selection Daniel Huigens
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Falko Strenzke
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Bart Butler
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Michael Richardson
- Re: [openpgp] PQC signature algorithm selection Aron Wussler
- Re: [openpgp] PQC signature algorithm selection Derek Atkins
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Andreas Hülsing
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Simon Josefsson
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Andreas Hülsing
- Re: [openpgp] PQC signature algorithm selection Justus Winter
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Stephen Farrell
- Re: [openpgp] PQC signature algorithm selection Steffen Nurpmeso
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Andrew Gallagher
- Re: [openpgp] PQC signature algorithm selection Simo Sorce
- Re: [openpgp] PQC signature algorithm selection Michael Richardson