Re: [openpgp] PQC signature algorithm selection

Simon Josefsson <simon@josefsson.org> Mon, 04 March 2024 22:24 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Falko Strenzke <falko.strenzke@mtg.de>, Aron Wussler <aron@wussler.it>, "openpgp@ietf.org" <openpgp@ietf.org>
References: <KoQWmWaeY2lKLiKIiFQelFQ49xHnFQV6SVrWGMjUtMcF237bLEyMEUuqHLgbJGk1mg9M6Aw7UCCgTYTVlWcRmviOEOzq1Gk1mB7UA6vlxTk=@wussler.it> <0b7f7248-852e-4d15-9be6-8f5bfd8a954f@cs.tcd.ie> <62dc21b7-51cd-440c-9508-40c41dc97716@mtg.de> <b8e7b191-0bb9-4728-bd6a-6383a7534201@cs.tcd.ie> <97f46a20-6acc-43cb-b1c5-1a7628c6990a@mtg.de> <663abe82-5fb2-4e78-9af1-84a63409e60f@cs.tcd.ie> <87sf1bigvl.fsf@europ.lan> <c94d2c57-45c9-4134-b055-b75d47470b2e@cs.tcd.ie> <87plwehwwo.fsf@europ.lan> <eGL0lJKthvRQj1pU6zb5yXxeLiCQQrl2ZEopegTm48Jtmc1u4O4YKUpUEFM2K2l0fw7FIcJUnRnHdqq2vffZhf5HKve8h_T98qVM3XoGJLE=@wussler.it> <98b6de0f-635e-4d30-93e9-29e3930e6c68@mtg.de> <87wmqh7pf0.fsf@fifthhorseman.net>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
Date: Mon, 04 Mar 2024 23:23:58 +0100
In-Reply-To: <87wmqh7pf0.fsf@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 04 Mar 2024 14:44:19 -0500")
Message-ID: <87edcp4ow1.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/HBsMjhgiMYFBDyQmleF5ZxVdCT8>
Subject: Re: [openpgp] PQC signature algorithm selection

Thanks for summarizing - I agree with the BaSFN approach.

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> The conclusion i've reached here is what i'd call
> "belt-and-suspenders-for-now" (BaSFN).  That is, i think we should just
> define a composite ML-DSA+EdDSA scheme (perhaps allocating two
> codepoints so that we can have two levels so folks can make a single
> binary strength/performance tradeoff) and leave the application-level
> semantics intact as though the composite scheme is an entirely new
> signing scheme.

Here is my only disagreement with your discussion and conclusions,
assuming I understand what you meant here - please don't pick two
different security levels.  Doing so generally leads to parametrized
implementations with worse performance, more complexity, harder audits
and as a result less security.  Instead, pick sufficiently secure
parameters and hedge the choices on different algorithms.

Select two hybrid signature schemes as MUST algorithms by selecting one
trusted non-PQ algorithm such as

ECDSA-P256
ECDSA-P384
ECDSA-P512
Ed25519
Ed448

and combine it with one currently popular PQ algorithm like

ML-DSA-65
ML-DSA-87
SLH-DSA-SHAKE

I suggested ML-DSA-87 + Ed25519 and SLH-DSA-SHAKE256 + Ed25519 as the
two MUST choices before, and this still seems consistent with the above.

If the NIST crowd insists on ML-DSA-87 + ECDSA-P384, or the BSI crowd
insists on ML-DSA-87 + brainpoolP384, those can easily go into a
separate draft on MAY level.

/Simon
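The "belt-and-suspenders" composite discussed in this thread, as an added example that is not part of the thread or of any OpenPGP implementation: one key, one signature blob, one codepoint, and verification succeeds only when every component verifies. Ed25519 is the non-PQ half named above; ECDSA-P384 stands in for the PQ half (ML-DSA-87 or SLH-DSA-SHAKE256 in the proposal) only because the Go standard library has no ML-DSA, and any type satisfying the `Component` interface would take its place. The `Composite` type, its domain-separation label, the length-prefixed wire layout and the `Demo` helper are constructed for this example, not taken from any draft.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

// Component is one member of the composite scheme (hypothetical interface).
type Component interface {
	Sign(msg []byte) ([]byte, error)
	Verify(msg, sig []byte) bool
}

// edComponent wraps Ed25519, the non-PQ half named in the thread.
type edComponent struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func (c edComponent) Sign(msg []byte) ([]byte, error) { return ed25519.Sign(c.priv, msg), nil }
func (c edComponent) Verify(msg, sig []byte) bool     { return ed25519.Verify(c.pub, msg, sig) }

// p384Component is a stand-in for the PQ half (ML-DSA-87 / SLH-DSA in the
// proposal); it is used here only because the standard library has no ML-DSA.
type p384Component struct{ priv *ecdsa.PrivateKey }

func (c p384Component) Sign(msg []byte) ([]byte, error) {
	h := sha512.Sum384(msg)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}
func (c p384Component) Verify(msg, sig []byte) bool {
	h := sha512.Sum384(msg)
	return ecdsa.VerifyASN1(&c.priv.PublicKey, h[:], sig)
}

// Composite is treated as a single new signature algorithm (constructed type).
type Composite struct {
	label      string // constructed domain-separation label
	components []Component
}

// prefixed binds the message to the composite label, so a component signature
// lifted out of the blob does not verify as a bare signature over the message.
func (cs Composite) prefixed(msg []byte) []byte { return append([]byte(cs.label), msg...) }

// Sign emits each component signature with a 2-byte big-endian length prefix.
func (cs Composite) Sign(msg []byte) ([]byte, error) {
	m := cs.prefixed(msg)
	var out []byte
	for _, c := range cs.components {
		sig, err := c.Sign(m)
		if err != nil {
			return nil, err
		}
		out = binary.BigEndian.AppendUint16(out, uint16(len(sig)))
		out = append(out, sig...)
	}
	return out, nil
}

// Verify fails closed: a missing or truncated component, trailing bytes, or
// any single component that does not verify rejects the whole signature.
func (cs Composite) Verify(msg, sig []byte) error {
	m := cs.prefixed(msg)
	for i, c := range cs.components {
		if len(sig) < 2 {
			return fmt.Errorf("component %d missing", i)
		}
		n := int(binary.BigEndian.Uint16(sig))
		sig = sig[2:]
		if len(sig) < n {
			return fmt.Errorf("component %d truncated", i)
		}
		if !c.Verify(m, sig[:n]) {
			return fmt.Errorf("component %d did not verify", i)
		}
		sig = sig[n:]
	}
	if len(sig) != 0 {
		return errors.New("trailing bytes after last component")
	}
	return nil
}

// NewDemoComposite generates fresh keys for both components.
func NewDemoComposite() (Composite, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Composite{}, err
	}
	ec, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return Composite{}, err
	}
	return Composite{label: "example-composite-ed25519-p384:",
		components: []Component{edComponent{priv, pub}, p384Component{ec}}}, nil
}

// Demo signs a constructed message and checks the accept case plus three
// reject cases: tampered message, second component dropped, and the Ed25519
// component presented alone as a bare signature over the message.
func Demo() (ok, tamperedRejected, droppedRejected, bareRejected bool, err error) {
	cs, err := NewDemoComposite()
	if err != nil {
		return
	}
	msg := []byte("constructed sample message")
	sig, err := cs.Sign(msg)
	if err != nil {
		return
	}
	ok = cs.Verify(msg, sig) == nil
	tamperedRejected = cs.Verify([]byte("constructed sample messagE"), sig) != nil
	droppedRejected = cs.Verify(msg, sig[:2+ed25519.SignatureSize]) != nil
	bareRejected = !cs.components[0].(edComponent).Verify(msg, sig[2:2+ed25519.SignatureSize])
	return
}

func main() { fmt.Println(Demo()) }
```

The label prefix is what makes the composite "an entirely new signing scheme" rather than two independent signatures bundled together: a verifier that only understands one component cannot accept the blob, and a component signature cannot be replayed on its own.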