IETF Logo Mail Archive

Re: [openpgp] PQC encryption algorithm selection

Aron Wussler <aron@wussler.it> Wed, 07 February 2024 17:18 UTC

Return-Path: <aron@wussler.it>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB4BCC14F6A4 for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 09:18:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wussler.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rRr3FlguqiKT for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 09:18:22 -0800 (PST)
Received: from mail-40136.proton.ch (mail-40136.proton.ch [185.70.40.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87A80C14F683 for <openpgp@ietf.org>; Wed, 7 Feb 2024 09:18:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wussler.it; s=protonmail3; t=1707326300; x=1707585500; bh=ux5TbIwCb2OGMSnrDG2+MGvtjS3TI6Ugh2RyTUBlSeE=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=PCMHb9ovwGeYO8NfWKCPFYpjcOaYPjEorGlGFkFzYEScqGrghPSvhUlaUtQ2Pupn8 jXRFVZDcjF2R+0wkUwOJn563diWy+vrjIiTwKmjkjSk6UMMQHlZNJi8di9RIPlOwlA 8mj+8+z17ooEiE2lViYy5a3BkTl/Eq4FBxks0RXIJsANE8DiFDf2HB6lpjSyoFf70i irwMc+m6vyRILCNLD3EZ8/qBTCNMzbxJX7FYps1Qsw7WjU5GjOxdMYJNyPwCu4ToLX wSDXuZb7+wR4GNlPJejyxK7ttBxKKAmRIJdMiWOTcQTIDBlzFH7p+wTbG6ivIZBHCr sAwUpdRhkbdgA==
Date: Wed, 07 Feb 2024 17:18:02 +0000
To: Paul Wouters <paul@nohats.ca>
From: Aron Wussler <aron@wussler.it>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
Message-ID: <1sV57FcGqi6ZWCeXdO2bRXrzkdjZbps86pTWRW47XTbodkQPEVmgYxRqzB_ZEwk0-Zjhe4PQJ7sJS9W41vwp4OPFURgGQ0C1coZxxFRMvdg=@wussler.it>
In-Reply-To: <cd68a5bb-7ed9-c1f9-ab4e-c1466d96ebae@nohats.ca>
References: <WlmG-t8W8gPB6BePADYNwa365fmk6DGf3GF8Q4XZ3Ho1X3h0W9wykE364A6KDLQvU2p-lUKsftm0rQEe8V5p2jTuQgUEOQWOnlnhQJzdsgs=@wussler.it> <cd68a5bb-7ed9-c1f9-ab4e-c1466d96ebae@nohats.ca>
Feedback-ID: 10883271:user:proton
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------4588fb63e764bfa23c06bc3d09743f07b0ff37120ee1ea473e3a61b96876864f"; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/UEzxVhmGN7CBwPJimK9kG0gGP48>
Subject: Re: [openpgp] PQC encryption algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 17:18:27 -0000

Hi Paul,

Thanks for your feedback!

> If we pick 29, I think we should make 30 a MAY.
> We should pick at least one SHOULD/MUST that complies with FIPS
> We should pick at least one SHOULD/MUST that complies with BSI/Europe

The current logic we used to pick MAY / SHOULD / MUST is based off the crypto-refresh requirements.

Re. FIPS compliance, once FIPS 203 is a standard, all of the hybrids will be de facto FIPS compliant, as long as we use an SP800-56C compliant KDF (to my understanding).


> Right, but I think going that route would mean your algorithm really can
> only be a MAY. Standards track action should be needed for a SHOULD or
> MUST.

I sorta agree with you, even though in general an implementation can choose not to follow a standard :)

Cheers,
Aron

--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930



On Wednesday, 7 February 2024 at 17:45, Paul Wouters <paul@nohats.ca> wrote:

> On Wed, 7 Feb 2024, Aron Wussler wrote:
> 

> Speaking as an individual only.
> 

> > To keep the discussion focused we're going to start from the encryption algorithm selection, KEM combiners will follow (since it may also depend on the algorithm selection). Digital signatures will also follow in another thread.
> > 

> > Right now, we have the following list of algorithms (in table 1)
> > +====+===============================+=============+=============+
> > | ID | Algorithm | Requirement | Definition |
> > +====+===============================+=============+=============+
> > | 29 | ML-KEM-768 + X25519 | MUST | Section 5.2 |
> > +----+-------------------------------+-------------+-------------+
> > | 30 | ML-KEM-1024 + X448 | SHOULD | Section 5.2 |
> > +----+-------------------------------+-------------+-------------+
> > | 31 | ML-KEM-768 + ECDH-NIST-P-256 | MAY | Section 5.2 |
> > +----+-------------------------------+-------------+-------------+
> > | 32 | ML-KEM-1024 + ECDH-NIST-P-384 | MAY | Section 5.2 |
> > +----+-------------------------------+-------------+-------------+
> > | 33 | ML-KEM-768 + ECDH- | MAY | Section 5.2 |
> > | | brainpoolP256r1 | | |
> > +----+-------------------------------+-------------+-------------+
> > | 34 | ML-KEM-1024 + ECDH- | MAY | Section 5.2 |
> > | | brainpoolP384r1 | | |
> > +----+-------------------------------+-------------+-------------+
> 

> 

> If we pick 29, I think we should make 30 a MAY.
> We should pick at least one SHOULD/MUST that complies with FIPS
> We should pick at least one SHOULD/MUST that complies with BSI/Europe
> 

> I would argue that perhaps it is a bit too soon to make these decisions
> now, and that it would be good to look at other WGs such as TLS and
> IPsec before making a choice for OpenPGP.
> 

> > Finally, please note that this is not the sole opportunity to standardize PQC algorithms: as of the crypto-refresh, new algorithms will need a specification and designated expert review, and not an RFC.
> 

> 

> Right, but I think going that route would mean your algorithm really can
> only be a MAY. Standards track action should be needed for a SHOULD or
> MUST.
> 

> > [1] https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-algorithm-specifications
> 

> 

> Note this draft is using the "old" names for the registry that the
> crypto-refresh document updates (eg PGP -> OpenPGP).

v2.23.0 | Report a Bug | By Email