Re: [openpgp] algorithm specification for PQC
"brian m. carlson" <sandals@crustytoothpaste.net> Fri, 22 July 2022 21:57 UTC
Return-Path: <sandals@crustytoothpaste.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09695C14CF01 for <openpgp@ietfa.amsl.com>; Fri, 22 Jul 2022 14:57:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (3072-bit key) header.d=crustytoothpaste.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WoAqeUBeP9gs for <openpgp@ietfa.amsl.com>; Fri, 22 Jul 2022 14:57:23 -0700 (PDT)
Received: from ring.crustytoothpaste.net (ring.crustytoothpaste.net [IPv6:2600:3c04::f03c:92ff:fe9e:c6d8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 130BBC14F745 for <openpgp@ietf.org>; Fri, 22 Jul 2022 14:57:22 -0700 (PDT)
Received: from tapette.crustytoothpaste.net (unknown [IPv6:2001:470:b056:101:e59a:3ed0:5f5c:31f3]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ring.crustytoothpaste.net (Postfix) with ESMTPSA id D19D15A1AC; Fri, 22 Jul 2022 21:57:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crustytoothpaste.net; s=default; t=1658527040; bh=ewIcqe+VDVW/REXkyC3adZyc4jQaVgkAmvCOzO/LBoQ=; h=Date:From:To:Cc:Subject:References:Content-Type: Content-Disposition:In-Reply-To:From:Reply-To:Subject:Date:To:CC: Resent-Date:Resent-From:Resent-To:Resent-Cc:In-Reply-To:References: Content-Type:Content-Disposition; b=lwEHRSeu+y8M8FvRk1OoPr73v6ZE90rgBb5VQ2hAVvdtADFNWHfRF/LeVgQRoKePg NU5UBFXPTQCvB8A9jmGOoy1jFuW46nN5YpHYKWJvEy6Il8uHEHRXHXsie8CwsvPpdB p+iY1eoBFDKh7/GJnT3JCFfixRsIyVqrJJSTVHZDfM4gDfLhjpo2Rotwi0n3o6AQum v9U+RiFs9hf9wZfyy1AUt09r/gk4jqKOe6WEPncRFbLwh8pdpTug0iaNkpG0413w/L zlJKYFynmLqveTuJS/kxB3Lujh36At0fldYY2Bh3QW5DHmeh5iK3YQ4tTGdplP9qBJ nqXXNNEi1xZMqWC2cceqTyL3Cn5+45oYGKUtS2mQjqNbuDXHnhOABL9OY0zTPeX+Ir TsE5qBgWRpAk5H0VsgYp4a2/CTTJMcbgvz4/dHNZk939nIevl2u7j6avK+vpidqdDu /TRyCFD3MCUG6goSpaVvl9X8oUmfGp6cjmhxKCup7SfwEKRw5Y5
Date: Fri, 22 Jul 2022 21:57:16 +0000
From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: Falko Strenzke <falko.strenzke@mtg.de>
Cc: openpgp@ietf.org
Message-ID: <YtsdPBqC61Fi1uk4@tapette.crustytoothpaste.net>
References: <dab4c126-bc67-1166-d240-e52d6ea06f73@mtg.de>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="OXFmQrpgZDyuuUuu"
Content-Disposition: inline
In-Reply-To: <dab4c126-bc67-1166-d240-e52d6ea06f73@mtg.de>
User-Agent: Mutt/2.2.6 (2022-06-05)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/TEUhNC0frSi2CYlXcjHW9iq6ubU>
Subject: Re: [openpgp] algorithm specification for PQC
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2022 21:57:27 -0000
On 2022-07-21 at 08:40:55, Falko Strenzke wrote: > In the following, we give a some more detailed discussion of the two > choices. > > # Option A: > > This option would mean to introduce new Algorithm IDs (Cf. ยง9.1 in > draft-ietf-openpgp-crypto-refresh-06) for fixed algorithm combinations, > while the concrete security parameter level would be specified in the public > key object only (as it is the case currently for all public key algorithms > in OpenPGP). This would mean that we would have the following 3 or 4 new > algorithm IDs: > > 1. ECDH + Kyber > 2. EdDSA + Dilithium > 3. ECDSA + Dilithium > 4. (SPHINCS+ standalone) > > For the concrete parameters we would follow the current crypto-refresh > implementation requirements for ECDH (i.e. MUST ECDH with MUST Curve25519 > and SHOULD X448) and likewise for EdDSA (i.e. MUST EdDSA with MUST Ed25519 > and SHOULD Ed448), and thus prescribe: > > For encryption: > > * MUST: Curve25519 + Kyber-Level1 > * SHOULD: X448 + Kyber-Level5 > > For signature: > > * MUST: Ed25519 + Dilithium-Level2 > * SHOULD: Ed448 + Dilithium-Level5 > > Any other combination of Kyber/Dilithium with ECDH/ECDSA (with > NIST/Brainpool curves) would be proposed as MAY, but including > implementation guidance on the parameter combinations, e.g. saying that > 256-bit curves SHOULD be matched with NIST Level 1/2, 384-bit curves with > NIST Level 3 and 512/521-bit curves with NIST Level 5. > > To summarize: Option A would be normative on the algorithmic combinations > through the Algorithm IDs and normative on the concrete parameter > combinations through the implementation requirements via MUST, SHOULD, MAY. > The advantages being: > > - minimal impact on the Algorithm ID space (i.e. essentially one Alg-ID per > Kyber and 2 Alg-IDs per PQC-SIG) > - apart from the mentioned implementation guidance there is no need for > explicitly allowing other parametrizations via NIST- or Brainpool-curves > explicitly > - being immediately able to combine e.g. Curve25519 with Kyber-Level5 (if > higher PQC security level is desired and ECC is considered to hedge against > stronger future attacks) without the need to update. > - partial reuse of the ECDH/EdDSA/ECDSA definition on the implementation > side I would strongly prefer this option. This is what we already do for ECDH, ECDSA, and EdDSA and it avoids a giant multiplication in algorithm IDs (which is a problem if we have only one octet). Not that I love the proliferation of curves, but if, say, Germany wants to use Brainpool curves in conjunction with Kyber or Dilithium, it allows that to happen without us needing to issue more algorithm IDs. I'm fine with us giving suggestions or requirements about matching security strengths if we think that's appropriate. -- brian m. carlson (he/him or they/them) Toronto, Ontario, CA
- [openpgp] algorithm specification for PQC Falko Strenzke
- Re: [openpgp] algorithm specification for PQC brian m. carlson
- Re: [openpgp] algorithm specification for PQC Daniel Huigens