[openpgp] PQC encryption algorithm selection

Aron Wussler <aron@wussler.it> Wed, 07 February 2024 11:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Z-6ex95ol2YcXnyADW-qvQTdVLg>

Hi everyone,

In the coming weeks, before IETF 119, we'd like to collect feedback about the algorithm selection implemented in the draft [1]. We're interested in presenting some vectors for the next meeting. It would be great if you could provide feedback by March 1st.

To keep the discussion focused, we're going to start from the encryption algorithm selection; KEM combiners will follow (since they may also depend on the algorithm selection). Digital signatures will also follow in another thread.

Right now, we have the following list of algorithms (in table 1):
    +====+===============================+=============+=============+
    | ID | Algorithm                     | Requirement | Definition  |
    +====+===============================+=============+=============+
    | 29 | ML-KEM-768 + X25519           | MUST        | Section 5.2 |
    +----+-------------------------------+-------------+-------------+
    | 30 | ML-KEM-1024 + X448            | SHOULD      | Section 5.2 |
    +----+-------------------------------+-------------+-------------+
    | 31 | ML-KEM-768 + ECDH-NIST-P-256  | MAY         | Section 5.2 |
    +----+-------------------------------+-------------+-------------+
    | 32 | ML-KEM-1024 + ECDH-NIST-P-384 | MAY         | Section 5.2 |
    +----+-------------------------------+-------------+-------------+
    | 33 | ML-KEM-768 + ECDH-            | MAY         | Section 5.2 |
    |    | brainpoolP256r1               |             |             |
    +----+-------------------------------+-------------+-------------+
    | 34 | ML-KEM-1024 + ECDH-           | MAY         | Section 5.2 |
    |    | brainpoolP384r1               |             |             |
    +----+-------------------------------+-------------+-------------+

Please provide feedback on the algorithms, and if you think they should be "MUST", "SHOULD", or "MAY". The proposed list is derived from the results of the NIST standardization process, hybrid with the curves already supported by OpenPGP for compliance purposes.

Finally, please note that this is not the sole opportunity to standardize PQC algorithms: as of the crypto-refresh, new algorithms will need a specification and designated expert review, and not an RFC.

Cheers and thanks,
Aron


[1] https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-algorithm-specifications

--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930