Re: [openpgp] German BSI, PQC for OpenPGP in Thunderbird,
Alessandro Barenghi <alessandro.barenghi.polimi@gmail.com> Fri, 25 June 2021 07:07 UTC
Return-Path: <alessandro.barenghi.polimi@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AF263A3E43 for <openpgp@ietfa.amsl.com>; Fri, 25 Jun 2021 00:07:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UEQPC4nNFnSn for <openpgp@ietfa.amsl.com>; Fri, 25 Jun 2021 00:07:49 -0700 (PDT)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 268B43A3E3E for <openpgp@ietf.org>; Fri, 25 Jun 2021 00:07:48 -0700 (PDT)
Received: by mail-wm1-x334.google.com with SMTP id n23so5572017wms.2 for <openpgp@ietf.org>; Fri, 25 Jun 2021 00:07:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=ud3Uxnqrqm5dz4+Kh7auidlUeS93XvRpozJpxqAK5PQ=; b=ceoOjqP7+RNpfoGr2iL6+4lcV1/vT1vBWdVdtG4PuFlJcWzZVhgqbMYgS+1ZDhF9ep KYp6xt4zJd5Pu+X09SYjEY7ylAa1OeWkAwMquFG46Af+BbLCUj7WUvZoQ2TJjs3zKfly LMYToPBsuJ9KrMUbdpiY7R5j33F/m+3SaYRbwP4IXL5VHn2Tz3Y/ruyBNEja1YbbudgU Xb8TooBuKtoAvK3Jigbqu8SeUPBNmZtptrSthQGKK6rmX/DVoOAOoQJ6eRaCQxojS+5N 1eZpJ/6Rh91gfhqy/HGPkH/9q3TL0W0JqtQ55Q+De5sFFVAfJhtLjtvZ+5lf8VONK+C9 9L/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=ud3Uxnqrqm5dz4+Kh7auidlUeS93XvRpozJpxqAK5PQ=; b=idZWJvGQrrgZY+ljepVc3KgVHyXpGI6W1P8Li6+JQ+wE9o64HR7/ybTZEFEfUU0Uwo z/aEbSMk6Ea3xYzEZ5gs8mCafPr9QMVsLFaVugOEVn4mY74EMO5UyJkfUDUVEQ2YtfT5 API4DEPatl2/dbED0Gh7Ch4LoKU7kYtQdZ+BGYdyLKKDOj8gXU+4XEZw4iV2ThKI4//j oHTt1pbmaxb6zPfcGOjJ0AiVaoTSCTYyYASxTpoT4jp51A+uIf3f6JO2CLSh4+Wmic/0 HTmrw1L0MvVqdqsn6PvIUyiWMBPQGhW+av1t93pFvlZLQbQXJMwjoonviqcitFlynq8w 5Qjw==
X-Gm-Message-State: AOAM531vk6kRAqDmBTHzbZAmCG+YtCaZ2mZzsv0GM5NKP05dUvBHjs1s H7wxp3JOX8g0lYpiR/Ex+KoefrnS4RWMtylstN5VYM4YGFk=
X-Google-Smtp-Source: ABdhPJylASdvR8RZxI5nxRvCArzr0jTaWej4JkcBFV2dXFRIadrzmL2EbljbFu0WqUHGy5OeSDv/xPe3dLTxCKn1LM8=
X-Received: by 2002:a05:600c:4417:: with SMTP id u23mr8830538wmn.26.1624604866042; Fri, 25 Jun 2021 00:07:46 -0700 (PDT)
MIME-Version: 1.0
References: <c2b4b0ea-ed14-79a0-c547-5fe79fc35fc0@kuix.de>
In-Reply-To: <c2b4b0ea-ed14-79a0-c547-5fe79fc35fc0@kuix.de>
From: Alessandro Barenghi <alessandro.barenghi.polimi@gmail.com>
Date: Fri, 25 Jun 2021 09:07:35 +0200
Message-ID: <CA+DWVEPEmeCNQE+L5Vu_0CJBoLq7-vkpJoRxLwv47Ycj8P63=w@mail.gmail.com>
To: openpgp@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/GDsr8wxRCcifsg6BWTg97vPBvXs>
Subject: Re: [openpgp] German BSI, PQC for OpenPGP in Thunderbird,
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2021 07:07:55 -0000
Hello, On Thu, 24 Jun 2021 at 15:52, Kai Engert <kaie@kuix.de> wrote: > > Hello, > > I'd like to make you aware of a project call by the German BSI (a > federal agency for IT security), which was brought to my attention. > > I've posted some information on it on the Thunderbird planning mailing > list, see the following thread, which has multiple messages from me: > > https://thunderbird.topicbox.com/groups/planning/T5abbf135db2f3c1c/the-german-bsi-intends-to-sponsor-pqc-improvements-for-openpgp-in-thunderbird > > In my understanding they intend to pay a contractor for a wide set of > tasks to bring PQC to Thunderbird, including the work to standardize the > use of PQC with OpenPGP, including implementations for RNP, Botan, GnuPG > and libgcrypt. > > It seems the BSI has already made a suggestion that they want to require > the use of CRYSTALS-Kyber and -Dilithium. > > Is that a reasonable choice? (Disclaimer: I have been involved in the NIST contest with a submission which made it to the 2nd round. I am not part of NIST personnel, opinions following are mine only.) Kyber and Dilithium are two of the finalist algorithms in the current NIST PQ standardization effort and, as things stand now, thus potential candidates at the end of this year. >From the latest update on the contest ([*] , slides 10 and 11) they are both likely to be chosen as standards. > Does it make sense to define a limitation to these methods at this point > of time? > NIST is planning to announce the choice of the actual winners at the end of 2021/early 2022 at the latest. While writing down actual standards will take a bit more, the cut-down on the algorithms will be significant. We expect a single lattice-based KEM and Classic McEliece for diversity to be selected for KEMs, and a single lattice based signature to make it in the standard which will be announced at the end of the year. NIST also has plans for a fourth stage of the competition, where they will accept proposals for non-lattice based signatures and analyze further the current "alternate" candidates. If the idea is to understand what is the impact of the choices made by NIST when implementing, it may be a reasonable time to keep thinking about all the candidates in the NIST PQ standardization process. An interesting bird's eye view on the sizes of ciphertexts/keypairs and speed of the current third round candidates is available here[**] (from slide 100 onwards). Hope this helps, Alessandro [*] https://csrc.nist.gov/CSRC/media/Presentations/status-update-on-the-3rd-round/images-media/session-1-moody-nist-round-3-update.pdf [**] https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/seminars/oct-2020-gaj-kris-presentation.pdf
- [openpgp] German BSI, PQC for OpenPGP in Thunderb… Kai Engert
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Derek Atkins
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Daniel Kahn Gillmor
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Kai Engert
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Michael Richardson
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Alessandro Barenghi
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Daniel Huigens
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Werner Koch
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Justus Winter
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Kai Engert
- Re: [openpgp] German BSI, PQC for OpenPGP in Thun… Daniel Kahn Gillmor