IETF Logo Mail Archive

Re: [openpgp] PQC encryption algorithm selection

Simon Josefsson <simon@josefsson.org> Wed, 07 February 2024 16:46 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83551C14F5F3; Wed, 7 Feb 2024 08:46:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="ko0F7iiU"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="oecPne+W"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kl7H5BGVz9eV; Wed, 7 Feb 2024 08:46:44 -0800 (PST)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B19AC14CEED; Wed, 7 Feb 2024 08:45:59 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:In-Reply-To :Date:References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description; bh=p+U1RUWEzFZKk7qRFrwaD1ZNMtpBPKGcum5xnXAd2oU=; t=1707324355; x=1708533955; b=ko0F7iiUmYcnSjXuNr5F1woqrY4QmwM/5E3kfDEEmth8e/jKTg+kLKbzdy5oMMLPZiFWODE8O+q DF55d/2JiAQ==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID: In-Reply-To:Date:References:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=p+U1RUWEzFZKk7qRFrwaD1ZNMtpBPKGcum5xnXAd2oU=; t=1707324355; x=1708533955; b=oecPne+WBdz77jneVrVX3e5e/ikNDx1UgV01fxIwiI46ipdUH5WQyJNEKQ8YZKemW7+B/ccz70A i4bOhmmb+JNSSaa5a+KONUlBho2SGno2v81ZghHe7B/pcToeQiMaaklJ71WHkkjbbg9mqS6PrHsop XiPT/93SXKGPQTu8ERldkaoCeMmSoTzPAelgjXEqCtj37ZzMNCXxhROTew7A9dVzGllQvXY0SI56P zNAwdcFyyVqVnQqKBVysTMwHCmKcc0MxHZPR+ufEa+fz+ULr9aWkmptPp7VJ7Q7UtEh0EF+WgvM3R Puu7JhV2/pJUetl+nsPx/tVcpUpSkEtt9X2yQU6omyAWE6p8tT89ic1r42ujBI5zQrzqqZKcMlGAS YAsZzjWImycUNY0Vm4WeFzQZNwtmnsP2B5E0aLyhXdvBofEbKGuVgz0U0nvZmQZkXgtUNNvWN;
Received: from [2001:9b1:41ac:ff00:823f:5dff:fe09:16ac] (port=32896 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1rXl3X-00Cva9-K6; Wed, 07 Feb 2024 16:45:51 +0000
From: Simon Josefsson <simon@josefsson.org>
To: Bart Butler <bart=2Bietf=40pm.me@dmarc.ietf.org>
Cc: Simo Sorce <simo@redhat.com>, Aron Wussler <aron@wussler.it>, "openpgp@ietf.org" <openpgp@ietf.org>
References: <WlmG-t8W8gPB6BePADYNwa365fmk6DGf3GF8Q4XZ3Ho1X3h0W9wykE364A6KDLQvU2p-lUKsftm0rQEe8V5p2jTuQgUEOQWOnlnhQJzdsgs=@wussler.it> <1bbfbdbb7c927a0d5a3fc408ef2f1a02d3447a65.camel@redhat.com> <nIbLLK7cbTi8PL3_Tq4ppnh8hKDo9l7-xcpng3e4qr2xchofzqiJNlJ5N5YMkVonNpQ6p9Kyob0L3zY3w4VYdya_cBb2aZ6v7u9wKfeLLtw=@pm.me>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:240207:simo@redhat.com::vWQx2er8OmNi7SOl:1qqk
X-Hashcash: 1:23:240207:bart=2bietf=40pm.me@dmarc.ietf.org::8BXx2vHehHn+T/dn:U1PF
X-Hashcash: 1:23:240207:openpgp@ietf.org::AvT0ln2fOd41sHcw:ZV6j
X-Hashcash: 1:23:240207:aron@wussler.it::4IOvfL+OhqiQyNBg:mrVS
Date: Wed, 07 Feb 2024 17:46:03 +0100
In-Reply-To: <nIbLLK7cbTi8PL3_Tq4ppnh8hKDo9l7-xcpng3e4qr2xchofzqiJNlJ5N5YMkVonNpQ6p9Kyob0L3zY3w4VYdya_cBb2aZ6v7u9wKfeLLtw=@pm.me> (Bart Butler's message of "Wed, 07 Feb 2024 14:36:02 +0000")
Message-ID: <87cyt89q9g.fsf@kaka.sjd.se>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/PCEQKevvgixzdVbwX_VmJ92Erio>
Subject: Re: [openpgp] PQC encryption algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 16:46:49 -0000

+1 for reducing redundancy.

If brainpool/NIST P256/P384 is for NIST/BSI compliance, could thet be
moved to a separate document?

Based on earlier discussion, it was suggested that performance of
ML-KEM-1024+X448 was a challenge, suggesting ML-KEM-768+X25519 is
better.

Thus my suggestion is to keep MUST on ML-KEM-768+X25519 and, for
crypto-agility reasons, add MUST on sntrup761+x25519 together with
SHOULD on mceliece6688128f+x448, and to drop the NIST/BSI EC curves.

/Simon

Bart Butler <bart=2Bietf=40pm.me@dmarc.ietf.org> writes:

> I think everyone would love to just do 25519 and 448. The others (MAY)
> are there for compliance (NIST/BSI) if I'm not mistaken.
>
> On Wednesday, February 7th, 2024 at 3:03 PM, Simo Sorce <simo@redhat.com> wrote:
>
>> 
>
>> 
>
>> Hi Aron,
>> Why so much redundancy in EC curves?
>> 
>
>> This is basically the same thing 3 times over, wouldn't it be more
>> appropriate to just allow a singe EC curve family so there is no risk
>> of interoperability issues between implementations ?
>> 
>
>> Simo.
>> 
>
>> On Wed, 2024-02-07 at 11:39 +0000, Aron Wussler wrote:
>> 
>
>> > Hi everyone,
>> > 
>
>> > In the next weeks, before IETF 119, we'd like to collect feedback
>> > about the algorithm selection implemented in the draft [1]. We're
>> > interested in presenting some vectors for the next meeting. It
>> > would be great if you could provide feedback by March 1st.
>> > 
>
>> > To keep the discussion focused we're going to start from the
>> > encryption algorithm selection, KEM combiners will follow (since
>> > it may also depend on the algorithm selection). Digital signatures
>> > will also follow in another thread.
>> > 
>
>> > Right now, we have the following list of algorithms (in table 1)
>> > +====+===============================+=============+=============+
>> > | ID | Algorithm | Requirement | Definition |
>> > +====+===============================+=============+=============+
>> > | 29 | ML-KEM-768 + X25519 | MUST | Section 5.2 |
>> > +----+-------------------------------+-------------+-------------+
>> > | 30 | ML-KEM-1024 + X448 | SHOULD | Section 5.2 |
>> > +----+-------------------------------+-------------+-------------+
>> > | 31 | ML-KEM-768 + ECDH-NIST-P-256 | MAY | Section 5.2 |
>> > +----+-------------------------------+-------------+-------------+
>> > | 32 | ML-KEM-1024 + ECDH-NIST-P-384 | MAY | Section 5.2 |
>> > +----+-------------------------------+-------------+-------------+
>> > | 33 | ML-KEM-768 + ECDH- | MAY | Section 5.2 |
>> > | | brainpoolP256r1 | | |
>> > +----+-------------------------------+-------------+-------------+
>> > | 34 | ML-KEM-1024 + ECDH- | MAY | Section 5.2 |
>> > | | brainpoolP384r1 | | |
>> > +----+-------------------------------+-------------+-------------+
>> > 
>
>> > Please provide feedback on the algorithms, and if you think they
>> > should be "MUST", "SHOULD", or "MAY". The proposed list is derived
>> > from the results of the NIST standardization process, hybrid with
>> > the curves already supported from OpenPGP for compliance purposes.
>> > 
>
>> > Finally, please note that this is not the sole opportunity to
>> > standardize PQC algorithms: as of the crypto-refresh, new
>> > algorithms will need a specification and designated expert review,
>> > and not an RFC.
>> > 
>
>> > Cheers and thanks,
>> > Aron
>> > 
>
>> > [1] https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-algorithm-specifications
>> > 
>
>> > --
>> > Aron Wussler
>> > Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930
>> > _______________________________________________
>> > openpgp mailing list
>> > openpgp@ietf.org
>> > https://www.ietf.org/mailman/listinfo/openpgp
>> 
>
>> 
>
>> --
>> Simo Sorce
>> Distinguished Engineer
>> RHEL Crypto Team
>> Red Hat, Inc
>> 
>
>> 
>
>> 
>
>> 
>
>> 
>
>> 
>
>> 
>
>> 
>
>> _______________________________________________
>> openpgp mailing list
>> openpgp@ietf.org
>> https://www.ietf.org/mailman/listinfo/openpgp
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
>

v2.23.0 | Report a Bug | By Email