Re: [openpgp] algorithm specification for PQC
Daniel Huigens <d.huigens@protonmail.com> Sat, 23 July 2022 15:39 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A6B7C159496 for <openpgp@ietfa.amsl.com>; Sat, 23 Jul 2022 08:39:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.085
X-Spam-Level:
X-Spam-Status: No, score=-1.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4HNmqmGBS2XU for <openpgp@ietfa.amsl.com>; Sat, 23 Jul 2022 08:39:53 -0700 (PDT)
Received: from mail-40131.protonmail.ch (mail-40131.protonmail.ch [185.70.40.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E576C14F74F for <openpgp@ietf.org>; Sat, 23 Jul 2022 08:39:53 -0700 (PDT)
Date: Sat, 23 Jul 2022 15:39:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1658590790; x=1658849990; bh=f7TFZA3gb9UWHJyql8TSzHNyPWE5Kd7Ibjc2tyGqa4I=; h=Date:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID; b=swryfn8gf6UJM05WAlgWNx170cL/erOSZrjbkktvoWWx20n86TeRsaES+K3Wf92Mu xN9uW1NO6ZPxO2m31VlSsdm7P5xHPOECaJStD/38yV1hgSMVf6P1/4EA8DxDMZxR+s yL7UfpI+fix/e5KZXxDM33SKuamwrah8OgfaFIS3+Mb+ts9izdIOl49h4yRIGJWSgk 9SGeoktm4sYuuXIlL7NIZeLaaGF6Mw58pBGMtVnGhWSgOaXCJnU4gHxKTfoSIJvynp oPVeI+QnDQqeVgG0xilQlImJaTtCKNT7CeDZlA7wfMH/7o4B7szTw6qlWF52soxwSn JC2K4lfnxC00w==
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: "brian m. carlson" <sandals@crustytoothpaste.net>, Falko Strenzke <falko.strenzke@mtg.de>, openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <NU9IJgUHjvKQ6HSJDDPvhkyt7eUhbynB6F9kO8XRwZxn28P_ee50b07vij2Uz9izHnW9EGfAg3AT0eDNHtK4nfm2kpdftAscvF7vV_2KSUo=@protonmail.com>
In-Reply-To: <YtsdPBqC61Fi1uk4@tapette.crustytoothpaste.net>
References: <dab4c126-bc67-1166-d240-e52d6ea06f73@mtg.de> <YtsdPBqC61Fi1uk4@tapette.crustytoothpaste.net>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/RJaVT-5p84wIJydn5I_9NQQolso>
Subject: Re: [openpgp] algorithm specification for PQC
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2022 15:39:57 -0000
I prefer option B. (Though personally I would ideally only have algorithms 1, 2, 7, 8, and maybe 13, but even having all of them I prefer it to option A.) On Friday, July 22nd, 2022 at 23:57, brian m. carlson wrote: > I would strongly prefer [option A]. This is what we already do for > ECDH, ECDSA, and EdDSA and it avoids a giant multiplication in algorithm > IDs (which is a problem if we have only one octet). Not that I love the > proliferation of curves, but if, say, Germany wants to use Brainpool > curves in conjunction with Kyber or Dilithium, it allows that to happen > without us needing to issue more algorithm IDs. I know that option A is more consistent with the existing spec, but this is part of the advantage of option B that I see, that we can shed some of the weirdness of ECDH-over-Curve25519 in favor of standard X25519, for example. At some point in the future if all implementations support these new algorithms, then a greenfield implementation could shed this weirdness. If we bake the current ECDH into post-quantum algorithms, then we'll be stuck with it for far longer. I also don't think that algorithm IDs are likely to run out, and if they do we can switch to two-octet algorithm IDs in v6 keys, or something like that. Best, Daniel
- [openpgp] algorithm specification for PQC Falko Strenzke
- Re: [openpgp] algorithm specification for PQC brian m. carlson
- Re: [openpgp] algorithm specification for PQC Daniel Huigens