IETF Logo Mail Archive

Re: [openpgp] PQC encryption algorithm selection

"Kousidis, Stavros" <stavros.kousidis@bsi.bund.de> Thu, 08 February 2024 07:23 UTC

Return-Path: <stavros.kousidis@bsi.bund.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E24BCC14F6B7 for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 23:23:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.004
X-Spam-Level:
X-Spam-Status: No, score=-2.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=bsi.bund.de header.b="UzjKw5vm"; dkim=pass (2048-bit key) header.d=bsi.bund.de header.b="KQE8cDvE"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N2dbqRIhbPIA for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 23:23:08 -0800 (PST)
Received: from m1-bn.bund.de (m1-bn.bund.de [77.87.228.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA983C14F6AA for <openpgp@ietf.org>; Wed, 7 Feb 2024 23:23:06 -0800 (PST)
Received: from m1-bn.bund.de (localhost [127.0.0.1]) by m1-bn.bund.de (Postfix) with ESMTP id 27F6828D730; Thu, 8 Feb 2024 08:23:04 +0100 (CET)
Received: (from localhost) by m1-bn.bund.de (MSCAN) id 4/m1-bn.bund.de/smtp-gw/mscan; Thu Feb 8 08:23:04 2024
X-NdB-Source: NdB
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-ed25519; t=1707376975; bh=WdPczVxICPUoJQTVolzCfqsaEZ8iTebcGbgC436lHaI=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=UzjKw5vmC4T6R82wLD4nm//JFNYJ0OLizQYaYg4acjZqlXiqylh+Dp7J1GI9X+xZQ k7wUCc1hSXX/6thFnWwAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-rsa; t=1707376975; bh=WdPczVxICPUoJQTVolzCfqsaEZ8iTebcGbgC436lHaI=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=KQE8cDvEac34pwT7tH3WEmQjmPYze/Xc167J3nGDu7t+MQhnII9/i7+xySESe6Hd0 M3ny1onS1l7TZOyPdS8ayK50QWSkOyUH5IUsRiqvr8zdI9xVHgxhPMwFTN9CEVLHbb aqDyuaQdOmqblTG8NbkkUUIZmntIY/vdARzyf+z3kSA2jGXV68zPgTEo353/NNqil3 0dOtCOOt+E2ySnsGLDqPYJse/jS9p9a2sEl1re4Qud3qR6xeYSmRRIgeO/KIekt2vi 1AruQIXp63GT5fF7Z3K4yvndfzCNKPTkCcM9lgmvvOiaFjr1UGGMwekndG2ad+HoMy jTmlSXggRSaXw==
X-P350-Id: 2e240a7a522f5546
X-Virus-Scanned: amavisd-new at bsi.bund.de
From: "Kousidis, Stavros" <stavros.kousidis@bsi.bund.de>
To: "openpgp@ietf.org" <openpgp@ietf.org>
CC: Aron Wussler <aron@wussler.it>, Paul Wouters <paul@nohats.ca>
Thread-Topic: [openpgp] PQC encryption algorithm selection
Thread-Index: AQHaWeqYrAxqw8Ix1kC+MccNOJS4vrEABHsQ
Date: Thu, 08 Feb 2024 07:22:43 +0000
Message-ID: <b59a3db5da2d481b93eb2bd17f306575@bsi.bund.de>
References: <WlmG-t8W8gPB6BePADYNwa365fmk6DGf3GF8Q4XZ3Ho1X3h0W9wykE364A6KDLQvU2p-lUKsftm0rQEe8V5p2jTuQgUEOQWOnlnhQJzdsgs=@wussler.it> <cd68a5bb-7ed9-c1f9-ab4e-c1466d96ebae@nohats.ca>
In-Reply-To: <cd68a5bb-7ed9-c1f9-ab4e-c1466d96ebae@nohats.ca>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Old-x-esetresult: clean, is OK
Old-x-esetid: 37303A292EA5625561716A
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EsetResult: clean, is OK
X-EsetId: 37303A29742D645561716A
X-Rusd: domwl, Pass through domain bsi.bund.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Xf4SVBWZ13Q2RrhaSyN5NSsQVuw>
Subject: Re: [openpgp] PQC encryption algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 07:23:13 -0000

Hi,

during the crypto-refresh work I pointed out that the Brainpool curves are the inerop parameters of the German Administration (see https://mailarchive.ietf.org/arch/msg/openpgp/A5CnJONK5syoKdR0JXBAMUmFXGI/) and as such are needed in OpenPGP implementations that are deployed there.

What we (Aron, Falko and I) did so far is to take the elliptic curve requirements from the crypto-refresh as granted and to combine them with ML-KEM, i.e.

- Concerning X25519 and X448 see the crypto-refresh for "Implementations MUST implement Ed25519 (27) for signatures, and X25519 (25) for encryption. Implementations SHOULD implement Ed448 (28) and X448 (26).". I am not sure if we should break with the already exisiting MUST/SHOULD when it comes to X25519 and X448, respectively. Personally, I think we should have a SHOULD on at least one paranoia-friendly set. Put differently, emphasize (via SHOULD) a set with a higher security guarantee in case future cryptanalysis cuts off some bits there.

- Concerning NIST and Brainpool curves: we opted for the 256 and 384 bit curves, dropping the 521 and 512 bit ones (to reduce the amount of the hybrid combinations), since the 384 bit curves are recommended for all classification levels (see e.g. CNSA 1.0) as well as listing them as MAY which I guess matches the approach of the crypto-refresh that does not state a requirement on these curves explicitely (if I'm not mistaken).

Punchline: (At least) one ML-KEM + Brainpool item would ease adoption of PQC-enhanced OpenPGP in the German Administration considerably. Selecting also (at least) one ML-KEM + NIST would achieve balance between X-stuff / Germany-Europe / US.

Best
Stavros


-----Ursprüngliche Nachricht-----
Von: Paul Wouters <paul@nohats.ca> 
Gesendet: Mittwoch, 7. Februar 2024 17:45
An: Aron Wussler <aron@wussler.it>
Cc: openpgp@ietf.org
Betreff: Re: [openpgp] PQC encryption algorithm selection

On Wed, 7 Feb 2024, Aron Wussler wrote:

Speaking as an individual only.

> To keep the discussion focused we're going to start from the encryption algorithm selection, KEM combiners will follow (since it may also depend on the algorithm selection). Digital signatures will also follow in another thread.
>
> Right now, we have the following list of algorithms (in table 1)
>     +====+===============================+=============+=============+
>     | ID | Algorithm                     | Requirement | Definition  |
>     +====+===============================+=============+=============+
>     | 29 | ML-KEM-768 + X25519           | MUST        | Section 5.2 |
>     +----+-------------------------------+-------------+-------------+
>     | 30 | ML-KEM-1024 + X448            | SHOULD      | Section 5.2 |
>     +----+-------------------------------+-------------+-------------+
>     | 31 | ML-KEM-768 + ECDH-NIST-P-256  | MAY         | Section 5.2 |
>     +----+-------------------------------+-------------+-------------+
>     | 32 | ML-KEM-1024 + ECDH-NIST-P-384 | MAY         | Section 5.2 |
>     +----+-------------------------------+-------------+-------------+
>     | 33 | ML-KEM-768 + ECDH-            | MAY         | Section 5.2 |
>     |    | brainpoolP256r1               |             |             |
>     +----+-------------------------------+-------------+-------------+
>     | 34 | ML-KEM-1024 + ECDH-           | MAY         | Section 5.2 |
>     |    | brainpoolP384r1               |             |             |
>     +----+-------------------------------+-------------+-------------+

If we pick 29, I think we should make 30 a MAY.
We should pick at least one SHOULD/MUST that complies with FIPS
We should pick at least one SHOULD/MUST that complies with BSI/Europe

I would argue that perhaps it is a bit too soon to make these decisions
now, and that it would be good to look at other WGs such as TLS and
IPsec before making a choice for OpenPGP.

> Finally, please note that this is not the sole opportunity to standardize PQC algorithms: as of the crypto-refresh, new algorithms will need a specification and designated expert review, and not an RFC.

Right, but I think going that route would mean your algorithm really can
only be a MAY. Standards track action should be needed for a SHOULD or
MUST.

> [1] https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-algorithm-specifications

Note this draft is using the "old" names for the registry that the
crypto-refresh document updates (eg PGP -> OpenPGP).

v2.23.0 | Report a Bug | By Email