[openpgp] Re: Storing post-quantum keys for use in openpgp

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 29 August 2024 20:29 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B9B8C15154D for <openpgp@ietfa.amsl.com>; Thu, 29 Aug 2024 13:29:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.652
X-Spam-Level:
X-Spam-Status: No, score=-1.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zhq29ceGSRQg for <openpgp@ietfa.amsl.com>; Thu, 29 Aug 2024 13:29:33 -0700 (PDT)
Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com [209.85.215.170]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FA2FC14EB17 for <openpgp@ietf.org>; Thu, 29 Aug 2024 13:29:33 -0700 (PDT)
Received: by mail-pg1-f170.google.com with SMTP id 41be03b00d2f7-7cda2695893so454453a12.1 for <openpgp@ietf.org>; Thu, 29 Aug 2024 13:29:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724963373; x=1725568173; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=eK1GhrLMOJ4hbOUGFDlEo02h0DOEP9AXNS5b0PrEeCc=; b=K19dhxJmx39gYc0Fc0vUZdu2QO5LYssDUqrEEKz61ByMlg1VXpJnr8Wbmrt8LBnyDO uaOrQAR5hBjXgJ0hrc9+qZd/Z4OA53LXoqcQZGabBUU50aD4Zj+aSaLzSl/zsTDQ5p4o iAmY0p9BnPsSweRfQzBnaojTbcv1jrUCoBMQ92l/929CMGmMyuuue9Ky4l8ezzkaaj1z 8iHP8Kmb5QD0YTV5MvgYRZFAYdPC2EJxpSl9rQE4pfI+cfyG+qaWXy1+sjQ9dZHIeQ+C cRZoQbX6j0BjpZYxZI+j47JvCB7PMHBzbC82IpYhO0Sd1io6SUO7jZ/zNTPaUd1Xmvzg h/Kw==
X-Gm-Message-State: AOJu0YyNLER4lqTU3qmmdMWlkWo9Ba307lv6sELQMeQ4MeL3LfEHMOHg A8w+6miaFkd4xiMp/WVZA/bVII9Aug2FRY7tEWs3x8lO/UxWikKhvnpeE/arvvqZvjkeZj3n7yn /cVbgwRycni/Gv0gcEnNzghGSUaw=
X-Google-Smtp-Source: AGHT+IHkSrWmaQrQYVxOuCgM9g8BMl2mYKfHtZb1IWFDvORXQsedDCsI5EANbzRNq8BKq77lwOLos9yActBx7r0QhTk=
X-Received: by 2002:a17:90b:4ac4:b0:2cd:1e60:9c31 with SMTP id 98e67ed59e1d1-2d85638d472mr4063439a91.30.1724963372414; Thu, 29 Aug 2024 13:29:32 -0700 (PDT)
MIME-Version: 1.0
References: <Z6en3yocy_HaqI3Rl2AUeIQLDOREbMIsegFXTES9HllQTam58UHMW9a21aGnSMcLj7VKpFlqX-QErWI8C98EgkjfkZ0-wRB-H0UQjuPy4N4=@proton.ch>
In-Reply-To: <Z6en3yocy_HaqI3Rl2AUeIQLDOREbMIsegFXTES9HllQTam58UHMW9a21aGnSMcLj7VKpFlqX-QErWI8C98EgkjfkZ0-wRB-H0UQjuPy4N4=@proton.ch>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 29 Aug 2024 16:29:19 -0400
Message-ID: <CAMm+Lwixe_0FT5R_U7xi6J_H7com+-+sOt6Q7zQ06o=TNW9F7g@mail.gmail.com>
To: Robert Lee <robert.lee=40proton.ch@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000010427d0620d8556b"
Message-ID-Hash: 7RVLVRVRKAZSIO2LPXJ7PRUAL3OQRMXE
X-Message-ID-Hash: 7RVLVRVRKAZSIO2LPXJ7PRUAL3OQRMXE
X-MailFrom: hallam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: openpgp@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: Storing post-quantum keys for use in openpgp
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/eECvewcsGB_2sJbugRXKZB5t4Ew>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

I would say definitely do seeds, not the expanded private. You can easily
go from seed to private but not vice versa.

A device can easily support really strong storage for 128 32 bit seeds, it
is only 4K or so.

Storing just one KEM key is 1632 to 3168 bytes and that is going to matter.

I expect such devices to become ubiquitous over the lifetime of this
version of the spec.



On Thu, Aug 22, 2024 at 12:30 PM Robert Lee <robert.lee=
40proton.ch@dmarc.ietf.org> wrote:

> Hello all,
>
>
> In amongst the efforts for standardising post-quantum cryptography in
> openPGP we'll need to also consider how to store the new post-quantum
> secure keys in PGP private key blocks.
>
>
> In the latest Crypto Dispatch by Filippo Valsorda [1], he proposes
> implementors of post-quantum crypto ignore the existence of the proposed
> serialisation format for decapsulation keys in favour of only using seeds
> as the storage format for ML-KEM keys.
>
>
> Is this something that could/should be adopted in openpgp or not?  I
> found the arguments in favour of only using seeds convincing, I also like
> anything that can remove complexity where possible.  However, I accept that
> there may be reasons why this is not practical in openpgp?  I look
> forward to hearing what others think.
>
>
> Best Regards,
>
> Rob Lee
>
>
> [1] https://words.filippo.io/dispatches/ml-kem-seeds/
> _______________________________________________
> openpgp mailing list -- openpgp@ietf.org
> To unsubscribe send an email to openpgp-leave@ietf.org
>