[openpgp] algorithm specification for PQC
Falko Strenzke <falko.strenzke@mtg.de> Thu, 21 July 2022 08:41 UTC
Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F462C157908 for <openpgp@ietfa.amsl.com>; Thu, 21 Jul 2022 01:41:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NEwlTXqRhJz for <openpgp@ietfa.amsl.com>; Thu, 21 Jul 2022 01:41:03 -0700 (PDT)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFB94C14CF06 for <openpgp@ietf.org>; Thu, 21 Jul 2022 01:41:01 -0700 (PDT)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.17.1/8.17.1) with ESMTPS id 26L8evsW010827 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT) for <openpgp@ietf.org>; Thu, 21 Jul 2022 10:40:57 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1658392857; bh=hbiSQ4DsL9/h7Uli5jqTbuoex7B1Z3/Js8MA3bAgK/M=; h=Date:To:From:Subject; b=FbzcxuyC6Vy07OgD7Zn7F/cw9cJb56pcxKwdDthctX4K+Et3dxD1qJfxUiX2y3KPX 1mck5ZXNYR5jKeoeoZXfvUEUT8w3YFJPVqvtsCY180aoeXszqQU/V7u6gqjLXRrAxI LEwKHu9+j8vLug3Yw1EQgX4WTVPKwmpskICAVZsL0aJGRcBw9SL0KR7wmmLGH0jCB8 fLqAaFxA/Uj/N7Tz5bfe7MxSE8aqTrOVJpM1nKaqzL7iL0jtfbWAuJRxpGOKKO5b0f /jxF0t29e7W7cy4VH9115LcMaF7TLgX7Sskr99QkLFVLgneer82t7TzYh60G4BW3Sj 49q0c8ePcvONg==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.17.1/8.17.1) with ESMTPS id 26L8etfo028896 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT) for <openpgp@ietf.org>; Thu, 21 Jul 2022 10:40:56 +0200
Message-ID: <dab4c126-bc67-1166-d240-e52d6ea06f73@mtg.de>
Date: Thu, 21 Jul 2022 10:40:55 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-GB
To: openpgp@ietf.org
From: Falko Strenzke <falko.strenzke@mtg.de>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms050001090406030802010103"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Il4oss6CiOVuKwnVPJ7G-mf3CC8>
Subject: [openpgp] algorithm specification for PQC
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2022 08:41:07 -0000
Dear all, in the context of the joint efforts of Proton and BSI/MTG regarding the integration of PQC into OpenPGP we identified two design options that we would like to discuss with the community. For this purpose we currently assume that we introduce Kyber as a PQC-KEM in a composite algorithm combination with ECDH, and at least one PQC-SIG (Dilithium and potentially also SPHINCS+). For signatures, generally also composite combinations with ECDSA and EdDSA would be used, with the possible exception of SPHINCS+, which could in our view also be used as a standalone scheme. Regarding the security levels, for now we consider the concrete combinations resulting from combining NIST PQC-Security Levels 1,3,5 for Kyber and 2,3,5 for Dilithium with the corresponding classical security parameters. The two design options are: * Option A: Each newly introduced scheme (in most cases a composite combination of PQC scheme with a classical scheme, as explained above) receives a new algorithm ID. Thus the algorithm ID is the _same_ for different curves. * Option B: Each newly introduced scheme in combination with one curve level receives a new algorithm ID. This means that the algorithm ID is different for each curve. ***What we would like to learn from the community*** is whether there is a clear preference for one of the two choices. Knowing that there is such a clear opinion on this question at this early stage would help us insofar, as we would then potentially focus only on the preferred one and could discard the other. --- In the following, we give a some more detailed discussion of the two choices. # Option A: This option would mean to introduce new Algorithm IDs (Cf. §9.1 in draft-ietf-openpgp-crypto-refresh-06) for fixed algorithm combinations, while the concrete security parameter level would be specified in the public key object only (as it is the case currently for all public key algorithms in OpenPGP). This would mean that we would have the following 3 or 4 new algorithm IDs: 1. ECDH + Kyber 2. EdDSA + Dilithium 3. ECDSA + Dilithium 4. (SPHINCS+ standalone) For the concrete parameters we would follow the current crypto-refresh implementation requirements for ECDH (i.e. MUST ECDH with MUST Curve25519 and SHOULD X448) and likewise for EdDSA (i.e. MUST EdDSA with MUST Ed25519 and SHOULD Ed448), and thus prescribe: For encryption: * MUST: Curve25519 + Kyber-Level1 * SHOULD: X448 + Kyber-Level5 For signature: * MUST: Ed25519 + Dilithium-Level2 * SHOULD: Ed448 + Dilithium-Level5 Any other combination of Kyber/Dilithium with ECDH/ECDSA (with NIST/Brainpool curves) would be proposed as MAY, but including implementation guidance on the parameter combinations, e.g. saying that 256-bit curves SHOULD be matched with NIST Level 1/2, 384-bit curves with NIST Level 3 and 512/521-bit curves with NIST Level 5. To summarize: Option A would be normative on the algorithmic combinations through the Algorithm IDs and normative on the concrete parameter combinations through the implementation requirements via MUST, SHOULD, MAY. The advantages being: - minimal impact on the Algorithm ID space (i.e. essentially one Alg-ID per Kyber and 2 Alg-IDs per PQC-SIG) - apart from the mentioned implementation guidance there is no need for explicitly allowing other parametrizations via NIST- or Brainpool-curves explicitly - being immediately able to combine e.g. Curve25519 with Kyber-Level5 (if higher PQC security level is desired and ECC is considered to hedge against stronger future attacks) without the need to update. - partial reuse of the ECDH/EdDSA/ECDSA definition on the implementation side # Option B: Option B is normative through fixed Algorithm IDs for concrete algorithm combinations+parameters and would, under the above stated assumptions, result in the following set of 12 or 13 proposed new algorithm IDs: 1. X25519 + Kyber-Level1 2. X448 + Kyber-Level5 3. ECDH-brainpoolP384r1 + Kyber-Level3 4. ECDH-brainpoolP512r1 + Kyber-Level5 5. ECDH-NIST-P384 + Kyber-Level3 6. ECDH-NIST-P521 + Kyber-Level5 7. Ed25519 + Dilithium-Level2 8. Ed448 + Dilithium-Level5 9. ECDSA-brainpoolP384r1 + Dilithium-Level3 10. ECDSA-brainpoolP512r1 + Dilithium-Level5 11. ECDSA-NIST-P384 + Dilithium-Level3 12. ECDSA-NIST-P521 + Dilithium-Level5 13. (SPHINCS+ SHA-3) However, in the draft we would certainly describe each combination generically as ECDH+Kyber and EdDSA+Dilithium and ECDSA+Dilithium to have a uniform packet structure. Similarly to the other proposal we would keep 1 and 7 as MUST, 2 and 8 as SHOULD, the others as MAY. To summarize: Option B would be maximally normative through fixed Algorithm IDs for any algorithm+parameter-combination. The advantages being: - There is absolutely no misunderstanding what the global interoperability parameters are. - It would allow using the native format for X25519 and X448 specification for the specific combinations. On the other hand to introduce a new combination we'd have to follow the SPECIFICATION REQUIRED method (RFC8126) and update the clients. Best Aron, Falko, Stavros
- [openpgp] algorithm specification for PQC Falko Strenzke
- Re: [openpgp] algorithm specification for PQC brian m. carlson
- Re: [openpgp] algorithm specification for PQC Daniel Huigens