[openpgp] Re: WG: BSI view on KEM combiners
Daniel Huigens <d.huigens@protonmail.com> Wed, 04 September 2024 12:35 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 575BDC169418 for <openpgp@ietfa.amsl.com>; Wed, 4 Sep 2024 05:35:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2XaeoG_-_nJb for <openpgp@ietfa.amsl.com>; Wed, 4 Sep 2024 05:35:54 -0700 (PDT)
Received: from mail-40131.protonmail.ch (mail-40131.protonmail.ch [185.70.40.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1DC5C15198D for <openpgp@ietf.org>; Wed, 4 Sep 2024 05:35:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1725453351; x=1725712551; bh=YEsB7qiImU9HIqFmryg1g4oCovKycnfaW5Q5ytbFuyk=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=Ptk40/VGA68/qvccYnfMjP4yDEtPoXT3TEx0D0Mz70ulN0AO+hfG8dzWjW+Li4T3B l2ysDqdAPxlkjIVDloAmHexYyOVLRNm3ddFivhNuNoXkpvXWxmLOyxMlc7YEk37ryu qN3wRxozXz08Cy45I5M15fi0MssDKimRpo8pULBAyh2VO2EcxTWj1/9NRGnqyBAE5U T20ja+iRznCrrkVoBB+YjQoAqivIIIBjc7KBCW5B09xMsqJjeJxeb81JrEXGn7cEoh eIw8oax3FGtne4a1oXdf54SdPevHkyMnA/gbSsQj/jfi5A9tqJZ23GJ8DaS2XKHnaF ebf6XiJqK1/1A==
Date: Wed, 04 Sep 2024 12:35:48 +0000
To: Falko Strenzke <falko.strenzke@mtg.de>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <qf59Mns2ph8fZZWLL-6f3vVKeCYShEhU3RuUh1_Unp7PLw25wRDu2Mkm3s_TU8O0gT2NxarTzN8QJi7_orgVSw8IqOSeIUC2Xz5GLG-AFJM=@protonmail.com>
In-Reply-To: <8abbc4c2-3285-4a12-8ea9-b081cebb1e54@mtg.de>
References: <5681EF18-EB2C-49FD-A3B0-735C6542725D@amongbytes.com> <334c62d3389847e0b345269b54af639c@bsi.bund.de> <vD0ZBoCGhXaNfOahJkzFeuXbrf9UMnGrJ9SvapIzYNjqIRtNBkAJK-Mj0UWqsMj5gfuIxwtitmIOKJYpQx8lnAAlbYerdG_ZxxS0OAlBVhE=@protonmail.com> <845c1aeb783048a6a25329f3fe55f708@bsi.bund.de> <bW9aKCOk9HHb5xrHdoUlRC2aCpmZ6ZeReYYFFtf4P7TrbqN_q4Pnn-ibbWs9uehRzm6i_tverpxR0yxd3gxWhK8_w-s8lOx1I4B6Gf64Qyg=@protonmail.com> <df35291f726b48c8b37bec61bcdeb16a@bsi.bund.de> <uSMSFmH_6jyl4mrcWthHS1_eJjjo0FaROQU4BDyy3oRlH-l8qtjgoOO3KdbkvU4K0O7fdNaxAMuth8sAPtN2aOpi-bK_eVijo56xnPnnvcQ=@protonmail.com> <2940b781-52de-42c8-aef9-78d6cb970b08@mtg.de> <4LUdegqW5U4r-Y2qEU9l9ns8HQrhT-IM8F04GHYiiEdvaJlg_8YZwcdMZCN3IorYyAWUrKFJwEJR5BHVxdBe0mRC4BvWYop5yN3utWevzF8=@protonmail.com> <8abbc4c2-3285-4a12-8ea9-b081cebb1e54@mtg.de>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: 604105776689a2402286cdebac6e182939523f13
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_JKsP2zOrSOkCR6dYzZLPSaFCAqRNVpMfnz1WqI4fs"
Message-ID-Hash: K55CSQXUCLS6XIGE2BXECR6KQKDMYALX
X-Message-ID-Hash: K55CSQXUCLS6XIGE2BXECR6KQKDMYALX
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Ehlen, Stephan" <stephan.ehlen=40bsi.bund.de@dmarc.ietf.org>, "openpgp@ietf.org" <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: WG: BSI view on KEM combiners
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/p5UNN5rmAzLPyUx3Lo1N77zmak4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hi Falko, On Wednesday, September 4th, 2024 at 12:09, Falko Strenzke wrote: > What I don't see is what is specific to Brainpool parameters here. I didn't say it's specific to Brainpool, that's just the topic of this thread. > Everything you suggest regarding CFRG defining a combination of two KEMs that we adopt equally applies to the combination of ML-KEM+X25519 (and also ML-KEM+NIST-P-...). Yes, I think that's a reasonable discussion to have as well. Though, there is one difference which is that proposals for specifying ML-KEM+X25519 in the CFRG already exist, and thus it's probably likely to happen regardless of whether we propose it or not. > So how should we understand your standpoint – do you also suggest to first ask CFRG to standardize ML-KEM+X25519 (and +X448) before we can finalize it in draft-ietf-openpgp-pqc, at the risk of delaying the – in my view overdue – introduction of PQ/T encryption in OpenPGP? There is a possible middle ground, if we think rolling out PQC in OpenPGP is urgent and don't want to wait for CFRG, but still want to limit the extent of the possibility for inconsistency across IETF protocols in the future, and that would be to specify as few algorithms as reasonably possible that are necessary to achieve that goal. And that's consistent with what I've been arguing for in the context of draft-ietf-openpgp-pqc, I think :) > By the way, check out the [current specification of composite KEM in LAMPS](https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-kem-04.html). They currently define [their own combiner](https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-kem-04.html#section-2.3.4) and a pretty rich [set of PQ/T combinations](https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-kem-04.html#section-5-4) (compared to OpenPGP): (...) > > This shows that what we are doing in draft-ietf-openpgp-pqc or proposing in draft-ehlen-openpgp-nist-bp-comp is not an outlier, it is how other working groups (at least LAMPS) also proceed. Well, I can't speak for LAMPS, but I think a similar discussion could be had there. > They propose even one more code point than we have in our proposal. If anything, this shows that they are already taking the requirement to account for NIST and BSI compliance seriously. The same applies to their choice of [composite signature combinations](https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-sigs-02.html). To me this clearly points us to also consider at least a similar set of code points in OpenPGP. As NIST confirmed, the use of NIST curves in a KEM combiner with ML-KEM is not required for FIPS compliance. Combined with the fact that Ed25519 and Ed448 have been FIPS-approved, this make 6 out of 10 of the algorithms proposed in draft-ehlen-openpgp-nist-bp-comp unnecessary (in my view). The remaining 4 (using Brainpool curves) are only necessary if you simultaneously want to use PQC and need BSI compliance. But perhaps, for the use cases that require BSI compliance, one can continue to use plain ECDH-Brainpool for a while, and waiting a bit for CFRG might be more feasible? At least, I'm assuming that the BSI isn't planning to consider plain ECDH as noncompliant in the near future, or is it? If it is, I would also ask, is there any chance we could propose the BSI to evaluate and potentially approve the use of Ed25519 and Ed448 (as NIST has done) and X25519 and X448 (as NIST is planning to do)? Best, Daniel
- [openpgp] WG: BSI view on KEM combiners Ehlen, Stephan
- [openpgp] BSI view on KEM combiners Kris Kwiatkowski
- [openpgp] Re: WG: BSI view on KEM combiners D. J. Bernstein
- [openpgp] Re: WG: BSI view on KEM combiners D. J. Bernstein
- [openpgp] Re: WG: BSI view on KEM combiners D. J. Bernstein
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Ehlen, Stephan
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Ehlen, Stephan
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Falko Strenzke
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Falko Strenzke
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Falko Strenzke
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Phillip Hallam-Baker
- [openpgp] Re: WG: BSI view on KEM combiners Phillip Hallam-Baker
- [openpgp] Re: WG: BSI view on KEM combiners Phillip Hallam-Baker