Re: [openpgp] PQC encryption algorithm selection
"Kousidis, Stavros" <stavros.kousidis@bsi.bund.de> Thu, 08 February 2024 07:23 UTC
Return-Path: <stavros.kousidis@bsi.bund.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E24BCC14F6B7 for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 23:23:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.004
X-Spam-Level:
X-Spam-Status: No, score=-2.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=bsi.bund.de header.b="UzjKw5vm"; dkim=pass (2048-bit key) header.d=bsi.bund.de header.b="KQE8cDvE"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N2dbqRIhbPIA for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 23:23:08 -0800 (PST)
Received: from m1-bn.bund.de (m1-bn.bund.de [77.87.228.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA983C14F6AA for <openpgp@ietf.org>; Wed, 7 Feb 2024 23:23:06 -0800 (PST)
Received: from m1-bn.bund.de (localhost [127.0.0.1]) by m1-bn.bund.de (Postfix) with ESMTP id 27F6828D730; Thu, 8 Feb 2024 08:23:04 +0100 (CET)
Received: (from localhost) by m1-bn.bund.de (MSCAN) id 4/m1-bn.bund.de/smtp-gw/mscan; Thu Feb 8 08:23:04 2024
X-NdB-Source: NdB
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-ed25519; t=1707376975; bh=WdPczVxICPUoJQTVolzCfqsaEZ8iTebcGbgC436lHaI=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=UzjKw5vmC4T6R82wLD4nm//JFNYJ0OLizQYaYg4acjZqlXiqylh+Dp7J1GI9X+xZQ k7wUCc1hSXX/6thFnWwAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-rsa; t=1707376975; bh=WdPczVxICPUoJQTVolzCfqsaEZ8iTebcGbgC436lHaI=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=KQE8cDvEac34pwT7tH3WEmQjmPYze/Xc167J3nGDu7t+MQhnII9/i7+xySESe6Hd0 M3ny1onS1l7TZOyPdS8ayK50QWSkOyUH5IUsRiqvr8zdI9xVHgxhPMwFTN9CEVLHbb aqDyuaQdOmqblTG8NbkkUUIZmntIY/vdARzyf+z3kSA2jGXV68zPgTEo353/NNqil3 0dOtCOOt+E2ySnsGLDqPYJse/jS9p9a2sEl1re4Qud3qR6xeYSmRRIgeO/KIekt2vi 1AruQIXp63GT5fF7Z3K4yvndfzCNKPTkCcM9lgmvvOiaFjr1UGGMwekndG2ad+HoMy jTmlSXggRSaXw==
X-P350-Id: 2e240a7a522f5546
X-Virus-Scanned: amavisd-new at bsi.bund.de
From: "Kousidis, Stavros" <stavros.kousidis@bsi.bund.de>
To: "openpgp@ietf.org" <openpgp@ietf.org>
CC: Aron Wussler <aron@wussler.it>, Paul Wouters <paul@nohats.ca>
Thread-Topic: [openpgp] PQC encryption algorithm selection
Thread-Index: AQHaWeqYrAxqw8Ix1kC+MccNOJS4vrEABHsQ
Date: Thu, 08 Feb 2024 07:22:43 +0000
Message-ID: <b59a3db5da2d481b93eb2bd17f306575@bsi.bund.de>
References: <WlmG-t8W8gPB6BePADYNwa365fmk6DGf3GF8Q4XZ3Ho1X3h0W9wykE364A6KDLQvU2p-lUKsftm0rQEe8V5p2jTuQgUEOQWOnlnhQJzdsgs=@wussler.it> <cd68a5bb-7ed9-c1f9-ab4e-c1466d96ebae@nohats.ca>
In-Reply-To: <cd68a5bb-7ed9-c1f9-ab4e-c1466d96ebae@nohats.ca>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Old-x-esetresult: clean, is OK
Old-x-esetid: 37303A292EA5625561716A
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EsetResult: clean, is OK
X-EsetId: 37303A29742D645561716A
X-Rusd: domwl, Pass through domain bsi.bund.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Xf4SVBWZ13Q2RrhaSyN5NSsQVuw>
Subject: Re: [openpgp] PQC encryption algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 07:23:13 -0000
Hi, during the crypto-refresh work I pointed out that the Brainpool curves are the inerop parameters of the German Administration (see https://mailarchive.ietf.org/arch/msg/openpgp/A5CnJONK5syoKdR0JXBAMUmFXGI/) and as such are needed in OpenPGP implementations that are deployed there. What we (Aron, Falko and I) did so far is to take the elliptic curve requirements from the crypto-refresh as granted and to combine them with ML-KEM, i.e. - Concerning X25519 and X448 see the crypto-refresh for "Implementations MUST implement Ed25519 (27) for signatures, and X25519 (25) for encryption. Implementations SHOULD implement Ed448 (28) and X448 (26).". I am not sure if we should break with the already exisiting MUST/SHOULD when it comes to X25519 and X448, respectively. Personally, I think we should have a SHOULD on at least one paranoia-friendly set. Put differently, emphasize (via SHOULD) a set with a higher security guarantee in case future cryptanalysis cuts off some bits there. - Concerning NIST and Brainpool curves: we opted for the 256 and 384 bit curves, dropping the 521 and 512 bit ones (to reduce the amount of the hybrid combinations), since the 384 bit curves are recommended for all classification levels (see e.g. CNSA 1.0) as well as listing them as MAY which I guess matches the approach of the crypto-refresh that does not state a requirement on these curves explicitely (if I'm not mistaken). Punchline: (At least) one ML-KEM + Brainpool item would ease adoption of PQC-enhanced OpenPGP in the German Administration considerably. Selecting also (at least) one ML-KEM + NIST would achieve balance between X-stuff / Germany-Europe / US. Best Stavros -----Ursprüngliche Nachricht----- Von: Paul Wouters <paul@nohats.ca> Gesendet: Mittwoch, 7. Februar 2024 17:45 An: Aron Wussler <aron@wussler.it> Cc: openpgp@ietf.org Betreff: Re: [openpgp] PQC encryption algorithm selection On Wed, 7 Feb 2024, Aron Wussler wrote: Speaking as an individual only. > To keep the discussion focused we're going to start from the encryption algorithm selection, KEM combiners will follow (since it may also depend on the algorithm selection). Digital signatures will also follow in another thread. > > Right now, we have the following list of algorithms (in table 1) > +====+===============================+=============+=============+ > | ID | Algorithm | Requirement | Definition | > +====+===============================+=============+=============+ > | 29 | ML-KEM-768 + X25519 | MUST | Section 5.2 | > +----+-------------------------------+-------------+-------------+ > | 30 | ML-KEM-1024 + X448 | SHOULD | Section 5.2 | > +----+-------------------------------+-------------+-------------+ > | 31 | ML-KEM-768 + ECDH-NIST-P-256 | MAY | Section 5.2 | > +----+-------------------------------+-------------+-------------+ > | 32 | ML-KEM-1024 + ECDH-NIST-P-384 | MAY | Section 5.2 | > +----+-------------------------------+-------------+-------------+ > | 33 | ML-KEM-768 + ECDH- | MAY | Section 5.2 | > | | brainpoolP256r1 | | | > +----+-------------------------------+-------------+-------------+ > | 34 | ML-KEM-1024 + ECDH- | MAY | Section 5.2 | > | | brainpoolP384r1 | | | > +----+-------------------------------+-------------+-------------+ If we pick 29, I think we should make 30 a MAY. We should pick at least one SHOULD/MUST that complies with FIPS We should pick at least one SHOULD/MUST that complies with BSI/Europe I would argue that perhaps it is a bit too soon to make these decisions now, and that it would be good to look at other WGs such as TLS and IPsec before making a choice for OpenPGP. > Finally, please note that this is not the sole opportunity to standardize PQC algorithms: as of the crypto-refresh, new algorithms will need a specification and designated expert review, and not an RFC. Right, but I think going that route would mean your algorithm really can only be a MAY. Standards track action should be needed for a SHOULD or MUST. > [1] https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-algorithm-specifications Note this draft is using the "old" names for the registry that the crypto-refresh document updates (eg PGP -> OpenPGP).
- [openpgp] PQC encryption algorithm selection Aron Wussler
- Re: [openpgp] PQC encryption algorithm selection Simo Sorce
- Re: [openpgp] PQC encryption algorithm selection Bart Butler
- Re: [openpgp] PQC encryption algorithm selection Simon Josefsson
- Re: [openpgp] PQC encryption algorithm selection Stephen Farrell
- Re: [openpgp] PQC encryption algorithm selection Paul Wouters
- [openpgp] Fw: Re: PQC encryption algorithm select… Aron Wussler
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Aron Wussler
- Re: [openpgp] PQC encryption algorithm selection Daniel Huigens
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Stephen Farrell
- Re: [openpgp] PQC encryption algorithm selection Falko Strenzke
- Re: [openpgp] PQC encryption algorithm selection iang
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Kousidis, Stavros
- Re: [openpgp] PQC encryption algorithm selection Justus Winter
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor
- Re: [openpgp] PQC encryption algorithm selection Johannes Roth
- Re: [openpgp] PQC encryption algorithm selection Daniel Kahn Gillmor