IETF Logo Mail Archive

[openpgp] Fw: Re: PQC encryption algorithm selection

Aron Wussler <aron@wussler.it> Wed, 07 February 2024 17:24 UTC

Return-Path: <aron@wussler.it>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60E2BC14F68C for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 09:24:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wussler.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GrVsexXOpg9j for <openpgp@ietfa.amsl.com>; Wed, 7 Feb 2024 09:24:21 -0800 (PST)
Received: from mail-4323.proton.ch (mail-4323.proton.ch [185.70.43.23]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4A60C14F699 for <openpgp@ietf.org>; Wed, 7 Feb 2024 09:24:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wussler.it; s=protonmail3; t=1707326659; x=1707585859; bh=iZGbI16Di0MSNo4bzMSERRXRwEyIvvYbn3QisRY8HaM=; h=Date:To:From:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=aO6pvvsgwx7n3JjkMmzsELecl9X674nRxzvb5wvy8HsS+vDVMA+mrSf98lg9FkljW V0yE/o9ybl+xijNhK4FN+/Bg6VRXpWwaUrv4ptc7wZ7qQRlFT+oaABX3cSmOXlINsI fabW+H5mzoeO/iuuRwiD7mhC9ClOqHCGicVTukrHcu381h5rwQ6ebNYysuQnsMSyGH ybfol9nixpdqIoMTnnNNk+k3EMTCTmPbx0gNKvdMn/KomfHWp85ldkM+fmS/ZJmZsK dNq2EM6jtK9cfJJabgDO1nLZFJNVcRFKyDkhO3Vmwe/Ob/NjdpwkEzkpaN4A9So/Lc VV7Od06kjTa5g==
Date: Wed, 07 Feb 2024 17:24:00 +0000
To: "openpgp@ietf.org" <openpgp@ietf.org>
From: Aron Wussler <aron@wussler.it>
Message-ID: <ySdeH8xzO5B6g9_jefPyhGvh2epiMsoSszPun_7CeQ14DqF5RjXx_MYrcumieEhzwEPyJxXuveS0_DDqmfDQVMbqoxTwBh2_JBUoJMTctw8=@wussler.it>
In-Reply-To: <uX8K6Qq_ipZOWW8SZPZPitxBigJ9UXmktrzXMGkhSlckD5zcL6S_lgWNlvKXcP3UyHpl-4cTDzqreKEqHTJV0n2R_x5p3IIgWWZpfVODqTM=@wussler.it>
References: <WlmG-t8W8gPB6BePADYNwa365fmk6DGf3GF8Q4XZ3Ho1X3h0W9wykE364A6KDLQvU2p-lUKsftm0rQEe8V5p2jTuQgUEOQWOnlnhQJzdsgs=@wussler.it> <1bbfbdbb7c927a0d5a3fc408ef2f1a02d3447a65.camel@redhat.com> <nIbLLK7cbTi8PL3_Tq4ppnh8hKDo9l7-xcpng3e4qr2xchofzqiJNlJ5N5YMkVonNpQ6p9Kyob0L3zY3w4VYdya_cBb2aZ6v7u9wKfeLLtw=@pm.me> <87cyt89q9g.fsf@kaka.sjd.se> <uX8K6Qq_ipZOWW8SZPZPitxBigJ9UXmktrzXMGkhSlckD5zcL6S_lgWNlvKXcP3UyHpl-4cTDzqreKEqHTJV0n2R_x5p3IIgWWZpfVODqTM=@wussler.it>
Feedback-ID: 10883271:user:proton
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------47dad127183e7e77b2a3c38d592dc5e5587db270276e3663ce5ffb0858302a76"; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/yCq8cLYjnOw3_uUYi6h1uJb6lrg>
Subject: [openpgp] Fw: Re: PQC encryption algorithm selection
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 17:24:26 -0000

Hi Simon,

> +1 for reducing redundancy.


Understandable

> Based on earlier discussion, it was suggested that performance of
> ML-KEM-1024+X448 was a challenge, suggesting ML-KEM-768+X25519 is
> better.


I'd like to see some pointers to this discussion: in the previous thread I didn't really see such a consensus.
On the other hand, I've done research on this, and presented the results at both IETF 118 and the OpenPGP Summit, and it seems pretty clear that ML-KEM-1024+X448 is not problematic in terms of speed or artifact size [1].

> Thus my suggestion is to keep MUST on ML-KEM-768+X25519 and, for
> crypto-agility reasons, add MUST on sntrup761+x25519 together with
> SHOULD on mceliece6688128f+x448, and to drop the NIST/BSI EC curves.


While mirroring curves does not require redundant code (as they are already in the OpenPGP suite) these other algorithms you mentioned are not standardized, and will require additional dependencies for implementations (that won't be easy to find in standard libraries).
Furthermore, as an individual and implementer, I also see no point in having 2 lattice-based algorithms as MUST.


Cheers,
Aron


[1] https://www.wussler.it/NIST5thPQC.pdf


--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930



On Wednesday, 7 February 2024 at 17:46, Simon Josefsson simon=40josefsson.org@dmarc.ietf.org wrote:

> +1 for reducing redundancy.
> 

> If brainpool/NIST P256/P384 is for NIST/BSI compliance, could thet be
> moved to a separate document?
> 

> Based on earlier discussion, it was suggested that performance of
> ML-KEM-1024+X448 was a challenge, suggesting ML-KEM-768+X25519 is
> better.
> 

> Thus my suggestion is to keep MUST on ML-KEM-768+X25519 and, for
> crypto-agility reasons, add MUST on sntrup761+x25519 together with
> SHOULD on mceliece6688128f+x448, and to drop the NIST/BSI EC curves.
> 

> /Simon
> 

> Bart Butler bart=2Bietf=40pm.me@dmarc.ietf.org writes:
> 

> > I think everyone would love to just do 25519 and 448. The others (MAY)
> > are there for compliance (NIST/BSI) if I'm not mistaken.
> > 

> > On Wednesday, February 7th, 2024 at 3:03 PM, Simo Sorce simo@redhat.com wrote:
> > 

> > > Hi Aron,
> > > Why so much redundancy in EC curves?
> > 

> > > This is basically the same thing 3 times over, wouldn't it be more
> > > appropriate to just allow a singe EC curve family so there is no risk
> > > of interoperability issues between implementations ?
> > 

> > > Simo.
> > 

> > > On Wed, 2024-02-07 at 11:39 +0000, Aron Wussler wrote:
> > 

> > > > Hi everyone,
> > 

> > > > In the next weeks, before IETF 119, we'd like to collect feedback
> > > > about the algorithm selection implemented in the draft [1]. We're
> > > > interested in presenting some vectors for the next meeting. It
> > > > would be great if you could provide feedback by March 1st.
> > 

> > > > To keep the discussion focused we're going to start from the
> > > > encryption algorithm selection, KEM combiners will follow (since
> > > > it may also depend on the algorithm selection). Digital signatures
> > > > will also follow in another thread.
> > 

> > > > Right now, we have the following list of algorithms (in table 1)
> > > > +====+===============================+=============+=============+
> > > > | ID | Algorithm | Requirement | Definition |
> > > > +====+===============================+=============+=============+
> > > > | 29 | ML-KEM-768 + X25519 | MUST | Section 5.2 |
> > > > +----+-------------------------------+-------------+-------------+
> > > > | 30 | ML-KEM-1024 + X448 | SHOULD | Section 5.2 |
> > > > +----+-------------------------------+-------------+-------------+
> > > > | 31 | ML-KEM-768 + ECDH-NIST-P-256 | MAY | Section 5.2 |
> > > > +----+-------------------------------+-------------+-------------+
> > > > | 32 | ML-KEM-1024 + ECDH-NIST-P-384 | MAY | Section 5.2 |
> > > > +----+-------------------------------+-------------+-------------+
> > > > | 33 | ML-KEM-768 + ECDH- | MAY | Section 5.2 |
> > > > | | brainpoolP256r1 | | |
> > > > +----+-------------------------------+-------------+-------------+
> > > > | 34 | ML-KEM-1024 + ECDH- | MAY | Section 5.2 |
> > > > | | brainpoolP384r1 | | |
> > > > +----+-------------------------------+-------------+-------------+
> > 

> > > > Please provide feedback on the algorithms, and if you think they
> > > > should be "MUST", "SHOULD", or "MAY". The proposed list is derived
> > > > from the results of the NIST standardization process, hybrid with
> > > > the curves already supported from OpenPGP for compliance purposes.
> > 

> > > > Finally, please note that this is not the sole opportunity to
> > > > standardize PQC algorithms: as of the crypto-refresh, new
> > > > algorithms will need a specification and designated expert review,
> > > > and not an RFC.
> > 

> > > > Cheers and thanks,
> > > > Aron
> > 

> > > > [1] https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-00.html#name-algorithm-specifications
> > 

> > > > --
> > > > Aron Wussler
> > > > Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930
> > > > _______________________________________________
> > > > openpgp mailing list
> > > > openpgp@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/openpgp
> > 

> > > --
> > > Simo Sorce
> > > Distinguished Engineer
> > > RHEL Crypto Team
> > > Red Hat, Inc
> > 

> > > _______________________________________________
> > > openpgp mailing list
> > > openpgp@ietf.org
> > > https://www.ietf.org/mailman/listinfo/openpgp
> > 

> > _______________________________________________
> > openpgp mailing list
> > openpgp@ietf.org
> > https://www.ietf.org/mailman/listinfo/openpgp
> 

> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp

v2.23.0 | Report a Bug | By Email