Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 05 March 2024 21:55 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66F3FC14F708 for <pqc@ietfa.amsl.com>; Tue, 5 Mar 2024 13:55:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.009
X-Spam-Level:
X-Spam-Status: No, score=-7.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZG-pFVy-zozX for <pqc@ietfa.amsl.com>; Tue, 5 Mar 2024 13:55:22 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2132.outbound.protection.outlook.com [40.107.20.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A448C14F6BD for <pqc@ietf.org>; Tue, 5 Mar 2024 13:55:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bUIRDGaq73kiKvDL+j62UEXprCjmg5TVdvFd6extkZiw79fkbx+7aPa/6us9+jByEFHwrhRXlqLeXLA6eEZErNPgt7tRABc/6YfffPZthN74o2zsQWyGJDkpDadjhEG7R0TGP8L4Pr7Nx/8yz9wHc3PBTt63gheeim8OXmDI7INEu5tJPMxfQt4ebw+VQEnmAB6xwFYtKIL6t7YyJL8pIyTtO0OKcg52PREt2EDjzg7J2NEvw2mdWlKYZLX0tSlsbF+kxkG1vdoJ1bI7QyO9+k5yb2Mxu5Nhi5Dph/8sOlrdNxyTB+RtRlI8T59pYIAmL1THcxnDXYwp//gbYmeEXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=B7FQhCHeSJI4SBNa0wGILs3onNnUnW2WVxPzj58VbtA=; b=Np+obhU9xXLX6QFCJsOeBvd5I8FlctXKW4GPp2tdqdeCDeHap5CQxJw533e8uRZSwmlhKUGhN+kPWapDEEe/JGA+tdlLJpWBIaztN3P1KLreLGSQoTY7TrP1X/J9Z07d8p/9eMLHkXSOoMuT9MhZx+LE+Vw+5nq+kfZ+Lfpa0b+83X/rswOj/uJ49tLR7UGOXBeHbIXHvOxBZy1ubTrKrd7vbz5+zh8XmFYY9LF9WOm09bgh5JBrKwitX8OADzVz1fqappB4Sx4OdINdFsphVm0/UmwNSkLISG+FrqOc5FzjxY7YJvPGl2jE+S9ieCCfLuEMo0cPOFrAMAjMLHIcJw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=B7FQhCHeSJI4SBNa0wGILs3onNnUnW2WVxPzj58VbtA=; b=CMrb31BdaKSL1N95p+L+DyHh9DZ3+IfksXcugh8SL9p2iq0omOxCad6IC6YqU1Br/1jtKC8ub0vcramYhP3Nm3c9xgYw1JCvswzx+qBXDxYM/gjQZ38lYl2IVEb22hcgw0jmlHSFUVByFqaR+rA24pk+a0HngbO15VAQwrMMPD7HkI2D3GKTJm4Z3aUT8f+TrVFycz1UMMbQ0xLkt6OtQBFuMlrfJ4V3Uq8+d/i+mW4wtLrgERl848tkDCmCvQVkQniXmTPSAGgZoKhgHDS6KsL2zQ/2599RmWjexn4/TuoTFfuyG4DRQ42WeN4gR+D8pY2Y4hfAhSOtUOR8Z5OBRA==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from AM6PR02MB5112.eurprd02.prod.outlook.com (2603:10a6:20b:90::21) by VI1PR02MB10266.eurprd02.prod.outlook.com (2603:10a6:800:1c8::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7339.38; Tue, 5 Mar 2024 21:55:18 +0000
Received: from AM6PR02MB5112.eurprd02.prod.outlook.com ([fe80::b95f:2e63:65e2:c45b]) by AM6PR02MB5112.eurprd02.prod.outlook.com ([fe80::b95f:2e63:65e2:c45b%2]) with mapi id 15.20.7339.031; Tue, 5 Mar 2024 21:55:18 +0000
Message-ID: <fa13cd34-7116-4039-9110-a87b720dea9e@cs.tcd.ie>
Date: Tue, 05 Mar 2024 21:55:16 +0000
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Sofía Celi <cherenkov@riseup.net>, "pqc@ietf.org" <pqc@ietf.org>
References: <3407a98c-e683-44c3-aa66-9043bb186359@riseup.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; keydata= xjMEY9GzphYJKwYBBAHaRw8BAQdAo6JvjmSbxHdQWPZdvciQYsHhM1NxQBU398Mmimoy4p7N M1N0ZXBoZW4gRmFycmVsbCAoMjU1MTkpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPsKQ BBMWCAA4FiEEMG54R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwMFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQ5Njp+ZeoM93bogEA25ElRyX0wwg+kGEN1AoL60MoZfvQZ/VtmXY6IC5j +csBAIBpkL5ySuzJK2zLNZn9qQGht8IaUcA7cvDcLvS2uHUEzjgEY9GzphIKKwYBBAGXVQEF AQEHQILCPWOwW36e8D3pY8GmvvtItIT+A5uV80ist+WokVsQAwEIB8J4BBgWCAAgFiEEMG54 R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwwACgkQ5Njp+ZeoM92bcAEA8R+8cpqRUIS+SoAN iO05xE6O/wEx8/e88BqzAYki3SoBAOQdwiPX+MQrAxkWD8xxOsdMOAtxYKpkD1n8aPJUw6QJ
In-Reply-To: <3407a98c-e683-44c3-aa66-9043bb186359@riseup.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------wfIE9Yc5jrzI0u006y2UKgpq"
X-ClientProxiedBy: DUZP191CA0020.EURP191.PROD.OUTLOOK.COM (2603:10a6:10:4f9::7) To AM6PR02MB5112.eurprd02.prod.outlook.com (2603:10a6:20b:90::21)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AM6PR02MB5112:EE_|VI1PR02MB10266:EE_
X-MS-Office365-Filtering-Correlation-Id: 4a898de2-2936-4dbd-e0b7-08dc3d5ef295
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: zyHUKmoD/pcWdEJVhez6HRGuri7X1p5jFZITb/kIf5QtqZBazd6IdxN0lLn8yg1/AomvZqq5zteaGfIuIkpnOASpvfK90MpMFKlOvVqaLcKp5d4YIyXHYxSD/b7JDHb4kHPmMAEq23dYu6D1Vx/ChFJwkwXQ5w5aKf3rsVSsEThAkNIzGZCuhvv/5PT2P3aklIXcuAcg3qe1yErgaLaLe+jv/UQiwG2QkoFu2ebuNBbUn6AuPueqsUsci1gwtjtKgr3Yl6RztNq3ed2U/0J2rER/yW1dpbiP1fa5KUMTQOWnDOiHPxTGJ4b6R5FM4RVBMkC0vdm57zXqrbUZT3sx6RlvA6gOfTiRoJIvLCCJy+wurpLptQj6LmuWUWg2lRje0gk0jbhSt5OzShXJU6qm+L2M/RD0TVjGvyIsE2dOKLGl3tg/IKt7KNi+K9qGcjjWq2OcOqzuh6keJhjhBNxbg+rT6C634Xe58FcsJY3GcXMxeLvG/pila7P8ml3ozb07dKljLbPEWUDdgn6JMJMlJqaC//hs//5CLNDjf72w9HpMinz8A9JYQRlS9vwVzgVSLMKVgJPnL6wpIYS8OEi2UUc5B0W5q2U41ynqBBGJZ5y30K5dkgbVuHtXKZMc+WvnTKK9VBrl5iLPljag318eufmDbGU1YzyVY7rsHICN97A=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR02MB5112.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376005); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 1hyC6DAu542ckPO/boSJR9N8WBtAfA2W3E+Wi6YOlWZxmeBxrUXtzmaw0Kamy9/9mJRrmP4MZqDhviyz6kKOJPz6ESxVScNJ6sD7QHsiUdC/m5jbzcVwccLtjhouSMLWyfibCiZx22esG2RIoEUUmItn9SSh6bDr/PjZxPX135LT6DbzeY232M8RSkIGfUQqPr2cKOwt3wVgVIUINptMM59ndBe4hks0vaumPk6pJo71+08UtiUgqtOAWLV7u541CcyR2Y5dAv1i/aMhHpk9wGaQ2NX0hQP+F16lsQotIPndVd0PaB3uxK/QDm6vpCa7uRwaeQ7GxyoYi8nTkUnHT/3mw2qlNdH2X4WL5tt3poRs6F2+Luvg4J1Gz0vK2yhjGX3xbSXeq29uJrYsjELYfX19U95tN4TFwHYZYsIeXp5lbcGU+HYCVC7LTtq5ZXt5ukHh1kine5YIelnKD5yLwiFKOsDayzQSBVbWsnxdA3GaGD6gNKHL4ZtRxeDw7l8OAj6+fISxV0ABro+JfEi6Zm6JHK2nRRUk4VWDnp8/+IuPyeiOIo3WC9tb16RuGT5a+JEN+bG1fMXI2njhX11T5PKfqF9rEy8i+BstWygCtCOnUNuYwkU7SYIsT7eM3kTBA8vetUjQs2BWoAlm6RQXkUDPCAZg1vZihLIgaRhE370r6r4H0C0SDCAKLtVor1PF8T7Y74+PnUbXqdIQ6PXk2CqA8GLrND0xm9tNEgzn4owtAc1lY4t1qRdt9bpGU7BnPF1yRIPb03g2XTXWYOpfGUsi9IclLTSYthfxDXev8L2cvkyw6TJOAEw8OsHZEZBPl13U98XMo9lDIxJuLg8nOkQZcdNISLfDIaWvo2cZdAPWb3UQNc6wiXODw2I2aoY57KijPcqqUYZc/WOm/I7qD6LR9eoonPHP/RIU3Rjq/URi9g64J9glLac+6iHF6ikGia3in35Toh+Skr0YAiKIJGZJMHR9gyNbCpXv0sgzU08IGYmh8j/MFCxHFERieRjxLiKsAmnTgR0x95nEuI+gWbkISTGHvo8r5IZ9HGNcX/RiQaEkZRq0mRmSiDhPoQLbKcoHhya7cfvqOVp70aJIIwScUiaEU1+xoS8hF5HinYeyxRg4YRtw1N83H0itktlpeXWha1Tqla+6XNj3L1+5mquC6d94H2GJbSm+jgODQT4S+2oqaFHrbr1t9YG+grkYDNsL/47OUQKDijI5clPzZVey0k6epGco4Cr82mKWXXuIeA3R274xcAgUyxGk2ZYX+seR4V2MGfbuOvUPJlmx9w7ApO0owPTQSIoOaVSEl5JxfqO7drO5s6GzPyYPMnHP5pDfdLiwuZ+A9wdM5hTrP3iSU4OJ1rsKJ9ysrZSUGQ1dFTBZupdpeOfBN7MGHW0VHfdD5cGP05Q56gxl5NcjJNIuQaG4HVr+ew3h5Lgp84H2eofMjWzxuLUHVTumYUpsFlDgo+2QEZ69uzCqE2aNcqhqloJAQioY/wF9gBG+drAkWQm+Q7jUVHS/5Y94tQ/5IqEImbhzus6n+7P/HJzcL7kVstwgPER5dO8ZyIUzrBaT3I5usmYouN3IcK7hDSDKYHsJ/xDAeEEuZ4jGK3PVn7UMkjkxJ6e3c2mE7YZYk0lWfy7l5qHs7YmJNFIK4i7H
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: 4a898de2-2936-4dbd-e0b7-08dc3d5ef295
X-MS-Exchange-CrossTenant-AuthSource: AM6PR02MB5112.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Mar 2024 21:55:18.7282 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: S2xT5G7SbwlhO2Hbk+NGa83AswFscl1hYAz68Lt1zeN5aCShWcIoa0ZFXaDEpq5O
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR02MB10266
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/-loTULt-BbqREzC-57QCqXk03PI>
Subject: Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 21:55:27 -0000
Hiya,
I had a read of this. I don't think it's ready. Some of
the text is IMO wrong, (not much, but some), some of the
definitions aren't that good or a little inconsistent,
there are some things included that don't seem useful and
there's a couple of terms I think may be missing.
I'd say all the above is fixable, but might take another
iteration or two. Detailed comments below.
Cheers,
S.
- I think this is missing some terms for an anti-pattern
that defining hybrids enables, that is re-use of private key
material for both a classic and hybrid asymmetric operation.
This has been specifically called out as something that
some people "might want" on the openpgp list, where e.g. a
classic signing private key is on a smartcard/hsm and they
want to both use that independently and to combine it with
a (presumably s/w stored) ml-dsa private value to make an
ml-dsa+ed25519 composite sig. (And have the signer emit
both.) That seems like such an awful practice it deserves
a name. Doing similarly with KEMs is also I guess possible
and probably even worse. How about calling that "PQ/T private
key abuse"? Not sure if different terms for KEMs/sigs are
needed for this anti-pattern. If an even more negative
sounding term could be found for that, that'd be better IMO:-)
- "Signing algorithms in products that are
expected to be in use for many years are also at risk if a CRQC is
developed during the operational lifetime of that product."
The above omits important caveats - for example if a system
supports s/w update then the above should not apply in almost
all cases. (And if a system does not support s/w update then
it has, IMO, far harder problems to deal with than a CRQC.)
- "During the transition from traditional to post-quantum algorithms,
there may be a desire or a requirement"
Why would a "desire" be relevant? I really wish we could stick
to using hybrids when they are required and not when they are
only desired (an error commonly seen, IMO).
- "They may also choose to implement a post-
quantum algorithm alongside a traditional algorithm for ease of
migration from an ecosystem where only traditional algorithms are
implemented and used, to one that only uses post-quantum algorithms."
This is more than a choice - in cases where backwards compatibility
is needed, then emitting a classic signature is needed as well as a
PQ signature that might or might not need to be hybrid/composite.
The point here is that backwards compat is a requirement, we're not
dealing with a fashion choice:-)
- "[RFC4949]"
I say referring to HPKE/RFC9180 would make it clear this usage is
not ancient lore, but is still-current.
- "Traditional Cryptographic Algorithm*: An asymmetric cryptographic"
Is AES traditional/or PQ according to these definitions? If you qualify
to asymmetric on the RHS, you need it on the left too, if you want
to be precise, which'd seem good in a terminology doc like this.
(Same thing applies elsewhere.)
Also, if you define a scheme to be a set of algs, and a combiner
involves a KDF, then this definition probably also needs to work
for KDFs. That implies "component alg" needs to cover KDFs, and
hence so also does "traditional alg"?
- "*PQ/T Hybrid Public Key Encryption (PKE)*:"
Why is it useful to define this? If the reason is just to say:
"don't do that" (which'd be ok) then be good to say it here.
- Section 3...
I'm not sure this is needed at all. WHen has terminology around
this been confusing? Who else is using these terms? Separately,
I don't think the choice of term is that good here, but I don't
recall if that's been discussed or not.
- " *PQ/T Hybrid Protocol with Composite Authentication*: A PQ/T
hybrid
protocol that incorporates a PQ/T hybrid scheme to achieve
authentication, in such a way that the protocol fields and message
flow are the same as those in a version of the protocol that uses
a single-algorithm scheme."
That's not a good definition as it doesn't provide a distinguisher
for any protocol that already supports >1 signature, e.g. s/mime or
pgpmime between the case where two independent sigs are carried or
where a composite sig alg is imeplemented below e.g. a crypto API.
- "In a PQ/T hybrid protocol with a composite construction, changes are
primarily made to the formats of the cryptographic elements, while
the protocol fields and message flow remain largely unchanged. In
implementations, most changes are likely to be made to the
cryptographic libraries, with minimal changes to the protocol
libraries."
That is a topic of significant debate and the above only states one
position. Either much more text is needed there or the above should
be deleted. (Probably better to do the latter.)
- "*PQ/T Hybrid Backwards Compatibility*: The property that a PQ/T
hybrid scheme or PQ/T hybrid protocol can be completed
successfully provided that both parties support the traditional
component algorithm."
The above seems to be missing something - don't you need to say that
if both peers do support classic and PQ, the this protocol gets the
benefit of both? (Likely similar changes needed elsewhere.)
- Section 7...
Not sure that's needed - who else wants to use that term?
- [Pqc] [WG last call] IETF WG state changed for dr… Sofía Celi
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Paul Hoffman
- Re: [Pqc] [EXTERNAL] Re: [Ext] [WG last call] IET… Mike Ounsworth
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Flo D
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Wang Guilin
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Peter C
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Rebecca Guthrie
- Re: [Pqc] [WG last call] IETF WG state changed fo… Hale, Britta (CIV)
- Re: [Pqc] [WG last call] IETF WG state changed fo… Stephen Farrell
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Wang Guilin
- Re: [Pqc] [WG last call] IETF WG state changed fo… Sofía Celi
- Re: [Pqc] [WG last call] IETF WG state changed fo… Flo D
- Re: [Pqc] [WG last call] IETF WG state changed fo… D. J. Bernstein