[openpgp] Re: call for adoption of draft-ehlen-openpgp-nist-bp-comp?

"Hale, Britta (CIV)" <britta.hale@nps.edu> Wed, 04 September 2024 05:42 UTC

Return-Path: <britta.hale@nps.edu>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F24B7C15155C for <openpgp@ietfa.amsl.com>; Tue, 3 Sep 2024 22:42:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WZXdHfpB1-0f for <openpgp@ietfa.amsl.com>; Tue, 3 Sep 2024 22:42:32 -0700 (PDT)
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2063.outbound.protection.outlook.com [40.107.244.63]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45572C151548 for <openpgp@ietf.org>; Tue, 3 Sep 2024 22:42:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=KWKMS4uHgCM4Nd17SM65fvanGpcmOi5jgBYMLHeAV/smsS6xK8Me7Gz+Xh+NLs0gx1MJTqnkGwncq8o3/mKJMc5SFAdsJLom8CP4vbyHXsYHeI+PqzCHWnQDSfpn84vf/t96hyYBMD9i75ER+OhXxdOWSnfQJ9ma0IXypOaCyBJnh8Albb3b/9sbCIUs9mpZ1/v1N2tw0W1UUempJNIfX8Qhaz+XSzRJhDvJPPjFvJOYEhcFGAAg4djdu7+31BesJk7Lz9+uGJTMnaU3lzT/DRNs7Ucbzk9cTzHjxgKRxNMDILk693XtdlITv1qXZv1uW/AWfH3WO17xCMcGNCP5kw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CKGNFUA5y0uGfTGqVgfuJUV7I0FYAStPNJR+GG0oi10=; b=Tsd0omJRb/sDW9e4mivUzApgYCN6V+QZJSEYbUrtrf/TnMkPLec/jpHJOd5PVMwXpFEL1QD/24Dg734dkoEpRiLBpJwZBndHXP9O8JMMIteTPnRKP9LNU8X0ZRggaJq+Nol55/yISiV3+NGVnbO2FdBdIy2ObI1LtqF/rReGJMmcDexhsX6rOuPinhRleCxQSKPx+pfJfiYjxsHRHExq9xkVZLpWCAlODxxZ+r+1VlUrKkqNriu5XLLi5Ed0m3EjUNe0EmL95Uqq+t7l0RrB+aT2mktF+ayyjNX4YD6VtJ1xuirkLErQ0HGqZE79KnjV6tl9Coyw3khBYY5+wckJlw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nps.edu; dmarc=pass action=none header.from=nps.edu; dkim=pass header.d=nps.edu; arc=none
Received: from BY5PR13MB3348.namprd13.prod.outlook.com (2603:10b6:a03:1aa::23) by SA1PR13MB6541.namprd13.prod.outlook.com (2603:10b6:806:3a7::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7918.25; Wed, 4 Sep 2024 05:42:28 +0000
Received: from BY5PR13MB3348.namprd13.prod.outlook.com ([fe80::e4c7:c5b3:6a81:8232]) by BY5PR13MB3348.namprd13.prod.outlook.com ([fe80::e4c7:c5b3:6a81:8232%4]) with mapi id 15.20.7918.024; Wed, 4 Sep 2024 05:42:28 +0000
From: "Hale, Britta (CIV)" <britta.hale@nps.edu>
To: Falko Strenzke <falko.strenzke@mtg.de>, "openpgp@ietf.org" <openpgp@ietf.org>
Thread-Topic: [openpgp] Re: call for adoption of draft-ehlen-openpgp-nist-bp-comp?
Thread-Index: AQHa/oQuuKEYYpzxzkmCfDG1ueqZLbJGqBGA
Date: Wed, 04 Sep 2024 05:42:28 +0000
Message-ID: <4228D734-7B55-4E5F-A9C3-0862F822024E@nps.edu>
References: <563556e4-6a57-41e5-a8da-ae1ff27c08c6@mtg.de> <D753AC29-A81C-49D8-B9A0-7FF0E443D3B8@nps.edu> <27a58bc9-a1d3-4d7e-b06c-c50a08289d04@mtg.de>
In-Reply-To: <27a58bc9-a1d3-4d7e-b06c-c50a08289d04@mtg.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_acbbd4a6-dc2f-44d9-ad2c-c28d4679873f_Enabled=true;MSIP_Label_acbbd4a6-dc2f-44d9-ad2c-c28d4679873f_Enabled=true;MSIP_Label_acbbd4a6-dc2f-44d9-ad2c-c28d4679873f_Method=Standard;MSIP_Label_acbbd4a6-dc2f-44d9-ad2c-c28d4679873f_ActionId=56c1a719-eb86-4539-a6a8-4aa9b49258bb;MSIP_Label_acbbd4a6-dc2f-44d9-ad2c-c28d4679873f_Name=No Label;MSIP_Label_acbbd4a6-dc2f-44d9-ad2c-c28d4679873f_SiteId=6d936231-a517-40ea-9199-f7578963378e;MSIP_Label_acbbd4a6-dc2f-44d9-ad2c-c28d4679873f_ContentBits=0;MSIP_Label_acbbd4a6-dc2f-44d9-ad2c-c28d4679873f_SetDate=2024-09-04T05:01:46Z;
user-agent: Microsoft-MacOutlook/16.88.24082514
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nps.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BY5PR13MB3348:EE_|SA1PR13MB6541:EE_
x-ms-office365-filtering-correlation-id: cc4b26fc-74d4-45ba-05dd-08dccca45cc7
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|376014|4022899009|1800799024|38070700018;
x-microsoft-antispam-message-info: l0Q4d3GfBkE47gqmHABw3MsgDoZ1ibrrl8sXjWbt4pfJSZn2bkEc+QTx7uzaoe95nw3vSSLb4RUVbSNs+HQnA0scWAj4eJhx35Lw32YvJ2I8VcDZo+DP7XNAw4qNGpt+BEv4TuITcyFf/pYWrdv6RbchGu9yqd9X83NDxEUkMhx6jpF2kvFVIB9/e9qkxvjcEEPMBntQl4Ily1foOvs5Ppd5CTOTl5e4SEiPPTnynMx8zzL3RIMm113PilMcwNvH6uGfnVSMKxHG+M9u566V0rClIDqE3x/0V7hF9+L3yuCSNYjhHC7dWD5yvf9vbC3qTR9Z7SVmfpn69/q+MIedNPBn9Hd2xrf26j13RzyPgojkFg5nHTDidA9qQoIHjY1XkGnJyeVUZxe79qha/bIZVHGrkb01klQvlpPc4qs0HgQl9M73Xrv6OTVCIWRFix4QsT9SNzF0ln1xzMMJYkTaoV7OJwC3XLFWnVXAwRjEEvNQBVg3zysGWI94qtdPJcmDZaD5EVMith86SwdqKKSq/umtjEJ41M9t8/YguyS5SjzJmnUDfqkLRSGNxZBtU1mUUsHagOZe/8Jh9g5mzQtVXOMS/mesFhqUSHV6L+KMOvw045RirFgrV3muz3kfzuRTFu26+373IGQbLOXNZOMmgyt4I0FeALTfFCAl4BmE+1E4RaidhmDeS6fj0IvoKUB4nQn6yXgA+qUJEMFlc5+Mc/b7dMw9/rk8YDLe2TsgfBlCiLS0fdOqS+gozUTFExUIepdqoHAeFUxdfwfjA85BxtZywGyotjAVUabZ4Or5U+xhTf5RJAuW7T7gO4r731ZKmWN25VvRKRoLixX/OWyLPfkFd5/sWSYuVhJH4D4i1Jw1UwV11WLbhxcRBg7e0La2bRLxcE6E9wkKGgehCya7D42wOpp0h4yhGO3zwacXjiZaFs0Lu1jpvWoz16WsdujQsB41khQrwj30FxUepa1aHtS3WX5ELATiUuacyl9JjwjR+KwcQ+S7ObNfRP/Ud8ya/SEOmCPxJNSTLGpAFGODXSvIGQ7kG/P2x4eIkWKBpYtV8nXJEHVnLabykrQqXzCou/uB/yR0JdhzytWItJFxVlqQ9hobvsKfnnqeXtmtyydVUbBNpTBLX2uCeM8egTtI9f+sspOS9e4+xrDkratp5ZWyI5lfM4CU7zDT48O6IBFpTeZSjILlzkhU5XluLHsaAKWvwVppNmRxZ6i+/p4cE0US+nNVsn4hDOSVKeQTm1Z4IIfPGvA1K5fc5q+g+SLWW+pxjz/dg31qivDPit4fYz8pt3ge2vKkH+CanFwrsKyhfvUBdyfCC2iHM0vau8eB6IT6hDftwXeAjrctOs9bPX20aH66FHRo7oTJxT3fXH4=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BY5PR13MB3348.namprd13.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(4022899009)(1800799024)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: qhcCkkqgU0SdcWTa7EL4b6IllJ1cJv04sJgvV0ngZW/PTyHpl3sK73fvJ/r3c9Ks6WJfHGhL5Yo9aGRXJB1uenkUwOCZPiiBsZe/ur2Y7E07zyWtPTAlcqdNJWIuBE1XjnYqNMfxZAhecgLHnZVD2R9TjRSgZblsfSCJ2kQgZ4BjwwQZLgGJOU0VFYm4ZI9PNZg6EaX8zAoz2V6Sdz03A55YpZVhIkYgWoMBnTepvD3bzHsSE37Ds45sUsuMdYujoukIvfnsuM2fd2fQqfgI6oRHLK4E1FBgWsWxOg6zlo8q3PPDN+jDJRiWkuVUtw0PSZxgqOvKp7Q3TdeCdERrrLkfmpWxOwbOukavsRjgfl+upZpFJvfXCQdtK/2+FvxGHXELAJQ1eVdbFJJWs1tuKo0ZD7p9lHNT/HeJ+ThMuFIM3nHVpzZcuvyhKcE0c4MXnUK+xf4VAM9BnJ+x2zQ+JpTtUSh2Rodr9iv1iraEVzEEWl3TQ3OBpvbpnjKdsgPLBSWr7KI8qLy2b6NkMYBNTKX8+2Lx4b2NCLcojtSNt/ItipIMTnj4mHxbKw2oyQKekpBvQ/14RUDe69jK7SSz+p5JPt6juKfUwRdv/ZJRxdw0om3yHZ43TjbXxwhayxoURhsplAvsMd6PSnMUaHi7+PjUljrTkEfaPM78H/t0Y7jlO+j+f1NrBjagj7yuTe8eeytWh14T45s34AXAmrK0V1dh1H2qVfOMWpJbczGwD2vLCHDiaCDaC+SIKk+w15JtK6ceNHDBoUsbOFS7+UH31I6gQAtEhdauuliAQio167/CE2mQl5+LjkpKyotEDWkOA/21K35ig976kQmf5Dg3ll82xJndpd5st8VCjIJPYcWdM0wDNF8JfTOjkzoLDgx3lmsZL7JUlIIhWQDGUstbn9/qoVa3o77WzQ4IG0NMlY9HfrzG1cLRMJX5F2VinaVhXxTsd7gDyvjjClqq5L3sjStTWmIcyilVxN6XAFeqQ+ziyh8LYegYTPqJQ0AfHHCCsLeWVvWTQK4/lEmuo0y7ZAyzAl9expYSldu1hHMteqIW7f3zOEvuLhWI2QWRxgmBfxReYO15OVk9/6zLSjMJasRXkisaK4WkImUGs0zlZ8OWMQjmV4FbBVzKwtD+YA1xnC0rI4567/jWpGxvhcoqQHPHiJUyijbwmQsuJh9MuaRh/Axl5UAXxunAomqbPKkUv31w91U/yL5CFmodNO9IiC3O2HGZxGlF2iWaVe90aCMs7Ou1gkMmdEHWHBCTfYbzfDPEnLzplpCvnYwQTx45JLNQ1eHELz5UiAQ49wGaqmIfBVcvft0hgHf+s/uOCX+Dxbz1e2J6zY5Po1taiFtAAY1IC/UoGw6o5AISFvTj3NTQDF7pNbt/F9bxag7B8J3gVg/Nie2wkXzX8U2Aj7X0WRT2u+V++mTiuJIJ5/p84v81bjBXvm7aboN/tZPsoP5QwvgET/iFcsXSRfgeDP+hNUOCChBpjLd2aTyrcysgVNn/t1qHvHEIbn7bv0m+7S6JyvGFCyA/PlSmt7njW+241ik2DBqzhGsiiqeIPnwXnLaVLXacT8SGC4W3SiJhOW3pIdfQBiwSKjL2vvRNOXEWfNLh2QI3uCykgLKb2tLo4WDFNOn7nDWXyhkd/ISTjQERqTYpqv2UGSGUwajPuPpw5A==
Content-Type: multipart/alternative; boundary="_000_4228D7347B554E5FA9C30862F822024Enpsedu_"
MIME-Version: 1.0
X-OriginatorOrg: nps.edu
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR13MB3348.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cc4b26fc-74d4-45ba-05dd-08dccca45cc7
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Sep 2024 05:42:28.2648 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6d936231-a517-40ea-9199-f7578963378e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QGxcOVjbsr7Oqn7jFDkpXYNok6uV13uauc3zDgigNUQbCugzWRyEN4Hmof+iD7vwSvPRWPAnj7Rn+QTrBqb5TA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR13MB6541
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 04
X-MS-Exchange-CrossPremises-AuthSource: BY5PR13MB3348.namprd13.prod.outlook.com
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-originalclientipaddress: 2601:647:cb01:4ce0:153d:1c08:7d43:f282
X-MS-Exchange-CrossPremises-transporttraffictype: Email
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating;SFV:NSPM;SKIP:0;
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-OrganizationHeadersPreserved: SA1PR13MB6541.namprd13.prod.outlook.com
Message-ID-Hash: ICR2COJY2J5DMIPOAYX55YOFY4T7HGHL
X-Message-ID-Hash: ICR2COJY2J5DMIPOAYX55YOFY4T7HGHL
X-MailFrom: britta.hale@nps.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Ehlen, Stephan" <stephan.ehlen@bsi.bund.de>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: call for adoption of draft-ehlen-openpgp-nist-bp-comp?
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/IUt_6xFw0DMMpPfGPkPsQguefBg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Falko et al.,

The response below does not change the original issues raised. Most notably, this is a quickly changing space and approaches and alignment throughout the IETF need to take that into account. As previously pointed out, there the early efforts in PQC are laudable, but obviously singular efforts in individual working groups will eventually backfire across standardization if not correlated. A lack of formality and clarity of security goals in earlier efforts is not a basis for continuance of such.

It is a good that you are taking the initiatives for coordination as described below, namely: “We recently agreed to check a possible alignment of our KEM-combiner construction…”. That is an excellent step towards better interoperability and consistency focus in standardization. However, I note that this is presented as a future effort and the call for adoption is now. That undermines its own goal. Moreover the agreement “… to present the similarities and differences we end up with to other IETF groups” does suggest mitigation of any differences, nor does presentation in PQUIP suggest such an effort since algorithms are not defined there. Algorithm coordination takes place in CFRG, if anywhere. It would be better to take stock in similarities and differences before divergence occurs and ensure consistency, as a precursor to adoption. Given that the goal of this draft is to “add parameter sets” only, it should not be onerous to achieve a more singular and coherent view in the IETF of such parameter sets. This allows for very short drafts on any WG-specific adjustments as has been done historically with other ciphers.

Britta


From: Falko Strenzke <falko.strenzke@mtg.de>
Organization: MTG AG
Date: Tuesday, September 3, 2024 at 9:37 PM
To: "Hale, Britta (CIV)" <britta.hale@nps.edu>, "openpgp@ietf.org" <openpgp@ietf.org>
Cc: "Ehlen, Stephan" <stephan.ehlen@bsi.bund.de>
Subject: Re: [openpgp] Re: call for adoption of draft-ehlen-openpgp-nist-bp-comp?


Hi Britta,

thanks a lot for your valuable input to our proposed draft. However, we think there might be a general misunderstanding about the nature of draft-ehlen-openpgp-nist-bp-comp. Namely, this draft only adds further parameter sets to draft-ietf-openpgp-pqc and borrows all cryptographic constructions from there. This is stated in Section 1.4<https://www.ietf.org/archive/id/draft-ehlen-openpgp-nist-bp-comp-00.html#name-applicable-specifications-f> and specifically for the KEM combiner in Section 5.2.2<https://www.ietf.org/archive/id/draft-ehlen-openpgp-nist-bp-comp-00.html#name-key-combiner>. Note that the main document draft-ietf-openpgp-pqc has already been adopted by the WG, although it is not finalized, yet.

Accordingly, the general design choices have to be discussed with respect to the main document draft-ietf-openpgp-pqc and the only issue that really concerns draft-ehlen-openpgp-nist-bp-comp by itself is the choice of parameter sets or, like Daniel argues, questioning the need for additional parameter sets in the first place.

Our suggestion is that you read draft-ietf-openpgp-pqc and check which of your critique you want to bring to the OpenPGP working group. This draft also has a Security Considerations section which hopefully contains the justifications you are looking for.

We want to proactively address some of the concerns you raised under the assumption that you direct it against draft-ietf-openpgp-pqc as well.

  1.  WG appropriateness.

We clearly think it is appropriate for the OpenPGP WG to work on the PQC integration into OpenPGP. This is conformance with the current charter. And we are not specifying new cryptographic algorithms, thus there is not per se a need to ask CFRG. Our composite constructions are straightforward and come with security considerations. That being said, of course we are open to concrete proposals for change — any input is welcome.

  1.  Goal ambiguity.

Specifying encryption and signature in draft-ietf-openpgp-pqc was agreed on by the working group. We don’t see how this is violating any established principle. In OpenPGP this was already practiced for ECC in RFC 6637. We believe that such decisions are within the freedom of the working group.

  1.  Overlap with other efforts.

We are aware that there is a design team in CFRG working on KEM combiners and one of the authors of draft-ietf-openpgp-pqc is involved in the team. However, so far no concrete constructions have been presented. Once that is the case early enough in the process of finalizing draft-ietf-openpgp-pqc, we are happy to check whether we can adopt such a construction. Currently, we are awaiting the publication of [1]. We will then check if we can adopt a construction from NIST. This would be indeed our preferred choice. But ultimately, such decisions are up to the OpenPGP working group.

Furthermore, we are regularly in dialogue with the authors of the corresponding LAMPS drafts. In particular the considerations for PQC integration into the CMS protocol within LAMPS share some similarities to considerations for OpenPGP. Our dialogue with LAMPS is mainly thanks to Mike Ounsworth’s continued efforts to align the different groups regarding matters of the PQC integration. This sometimes happens in the official meetings, sometimes in GitHub issues in our draft repo, and sometimes in off-list discussions. We recently agreed to check a possible alignment of our KEM-combiner construction with LAMPS after the publication of SP 800-227 and to present the similarities and differences we end up with to other IETF groups (most likely in a PQUIP session).

You mention that there are “efforts in […] PQUIP for KEM combiners, signature combiners”. This sounds as if PQUIP was working on cryptographic mechanisms, which is something that is explicitly precluded by their charter.

  1.  Lack of formalism and security goals clarity.

These issues probably mostly concern the main draft draft-ietf-openpgp-pqc, unless the “lack of formalism” really applies to aspects of this draft that are not present in the “main draft”. We think that some of the issues you might have identified could already turn out to be covered by the “Security considerations” section of draft-ietf-openpgp-pqc but we acknowledge that it could be a good idea to refer (in the main draft, however) to your (more recent) work “draft-ietf-pquip-hybrid-signature-spectrums” and the security notions mentioned in it.

Best regards,

Falko and Stephan (as authors of draft-ehlen-openpgp-nist-bp-comp and draft-ietf-openpgp-pqc)

[1] National Institute of Standards and Technology (2024) Recommendations for key- encapsulation mechanisms, (National Institute of Standards and Technology, Gaithers- burg, MD), NIST Special Publication (SP) 800-227. [Forthcoming; will be available at https://csrc.nist.gov/publications]
Am 28.08.24 um 19:07 schrieb Hale, Britta (CIV):
All,

I have several concerns about this draft:

1) WG appropriateness.
There is very little in this draft that is unique to OpenPGP. While I applaud the early leaders in pushing PQ standards in the IETF for their efforts, in whatever working group would take initiative, now that things have come to a more mature standing and the first NIST standards are out, being systematic would be wise, so that the right WGs are reviewing and correlating these. Otherwise we risk a mayhem of individual standards draft spread across the IETF all offering their own versions of ‘ML-KEM’ or ‘ML-KEM’ hybrid unique to the different WGs.

Traditionally, the CFRG is the WG to set the guidelines for algorithms (which algorithm combiners still are). In my opinion, PQUIP for general coordination and the CFRG for specific algorithm drafts are the right places for this. It is not reasonable to assume that everyone in OpenPGP is tracking PQUIP or the CFRG, which can also be seen in the dearth of comments on the OpenPGP mailinglists. As a consequence, few here may pick up on the fact that the terminology in this draft differs from several documents already tracked by PQUIP, and the overlap with existing KEM and signature combiners is not made clear here. Such clarity would be well handled in CFRG if we do not break from the norm of algorithms going to them. Other combiners presented in PQUIP have been similarly sent to CFRG, so it would be concerning if a given non-CFRG WG presses ahead on a solo versions.

Note that this is equally important on substantive cryptographic drafts and non-substantive (i.e., regardless of how cryptographically invasive a combiner is or is not, or even whether or not there is a combiner at all). We need clarity and consistency in IETF algorithms, vs. 20 different “ML-KEM combiner” standards for 20 different WGs, and it requires responsibility by all WGs to ensure that does not happen. After all, we do not currently have 20 different standards for AES, so it is best to avoid incurring the ensuant complexity when going into post-quantum efforts. If this draft is sufficiently different from others in CFRG, then the clarity of different security or use goals, etc. will be handled there with guidance on ensuring the right language in the draft to make that clear.

2) Goal ambiguity.
The goals of this draft mix of KEM combiners and signatures. These are very separate algorithm types. We (the IETF, NIST standards, ISO, etc.) do not historically mix those into a single draft. This is even more important as the relative security goals aimed for each combiner in the draft are different: the KEM aims to achieve strong non-separability, whereas the signature combiner does not even aim to achieve weak non-separability. It would seem appropriate to break these into distinct drafts.

3) Overlap with other efforts.
There are multiple efforts in the CFRG and PQUIP for KEM combiners, signature combiners, etc. This draft does not reference any of those and I note overlaps in the proposed efforts. If the draft was routed through the correct WGs (e.g., CRFG and PQUIP) it could likely achieve deduplication and also consistency in terminology and presentation. Only protocol-specific draft (i.e., protocol combiners, not algorithm combiners) seem appropriate for other WGs – this goes back to item (1).

3) Lack of formalism and security goals clarity.
There is also a lack of clarity in formalism in this draft:  the signature combiners listed are a ‘parallel’ approach but their security is not stated as such (esp. see PQUIP drafts on this). Also, the signatures are listed as “composite” but are not according to the PQUIP terminology draft (they are hybrid only). The goals for doing combiners are frequently security goals, so precision on those is very important in order to assess whether or not the draft is even achieving its own intent.


Given all of the above, I recommend that the draft be moved instead to CFRG. If the combiner is an approved algorithm, then OpenPGP will be able use the code points for that and there is the added bonus that if it has wider applicability other WGs can also use them. If further protocol customization for *how* OpenPGP applies an algorithm is needed, that can be achieved in a separate draft, and does not seem to be a goal of this draft anyway.


Britta



From: Falko Strenzke <falko.strenzke@mtg.de><mailto:falko.strenzke@mtg.de>
Organization: MTG AG
Date: Wednesday, August 28, 2024 at 5:55 AM
To: "openpgp@ietf.org"<mailto:openpgp@ietf.org> <openpgp@ietf.org><mailto:openpgp@ietf.org>
Subject: [openpgp] call for adoption of draft-ehlen-openpgp-nist-bp-comp?

NPS WARNING: *external sender* verify before acting.


Dear OpenPGP Chairs,

at IETF 120 we presented our draft introducing the PQ/T composites with NIST and Brainpool curves https://github.com/openpgp-pqc/draft-ehlen-openpgp-nist-bp-comp.

In the meeting Stephen said the working group would be given some time to read the draft and then a call for adoption would be issued. Given that the content of the draft is not substantially new but is more or less the content that was branched off from the already adopted draft-ietf-openpgp-pqc, it seems to me that the six weeks that have since passed should be enough time. Are the chairs ready to issue the call for adoption any time soon?

Best regards,
Falko
--



MTG AG
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de<mailto:falko.strenzke@mtg.de>
Web: mtg.de<https://www.mtg.de/>

________________________________

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised copying or distribution of this email is not permitted.

Data protection information: Privacy policy<https://www.mtg.de/en/privacy-policy>



_______________________________________________

openpgp mailing list -- openpgp@ietf.org<mailto:openpgp@ietf.org>

To unsubscribe send an email to openpgp-leave@ietf.org<mailto:openpgp-leave@ietf.org>
--


MTG AG
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de<mailto:falko.strenzke@mtg.de>
Web: mtg.de<https://www.mtg.de>

________________________________

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised copying or distribution of this email is not permitted.

Data protection information: Privacy policy<https://www.mtg.de/en/privacy-policy>