Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 05 March 2024 21:55 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66F3FC14F708 for <pqc@ietfa.amsl.com>; Tue, 5 Mar 2024 13:55:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.009
X-Spam-Level:
X-Spam-Status: No, score=-7.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZG-pFVy-zozX for <pqc@ietfa.amsl.com>; Tue, 5 Mar 2024 13:55:22 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2132.outbound.protection.outlook.com [40.107.20.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A448C14F6BD for <pqc@ietf.org>; Tue, 5 Mar 2024 13:55:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bUIRDGaq73kiKvDL+j62UEXprCjmg5TVdvFd6extkZiw79fkbx+7aPa/6us9+jByEFHwrhRXlqLeXLA6eEZErNPgt7tRABc/6YfffPZthN74o2zsQWyGJDkpDadjhEG7R0TGP8L4Pr7Nx/8yz9wHc3PBTt63gheeim8OXmDI7INEu5tJPMxfQt4ebw+VQEnmAB6xwFYtKIL6t7YyJL8pIyTtO0OKcg52PREt2EDjzg7J2NEvw2mdWlKYZLX0tSlsbF+kxkG1vdoJ1bI7QyO9+k5yb2Mxu5Nhi5Dph/8sOlrdNxyTB+RtRlI8T59pYIAmL1THcxnDXYwp//gbYmeEXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=B7FQhCHeSJI4SBNa0wGILs3onNnUnW2WVxPzj58VbtA=; b=Np+obhU9xXLX6QFCJsOeBvd5I8FlctXKW4GPp2tdqdeCDeHap5CQxJw533e8uRZSwmlhKUGhN+kPWapDEEe/JGA+tdlLJpWBIaztN3P1KLreLGSQoTY7TrP1X/J9Z07d8p/9eMLHkXSOoMuT9MhZx+LE+Vw+5nq+kfZ+Lfpa0b+83X/rswOj/uJ49tLR7UGOXBeHbIXHvOxBZy1ubTrKrd7vbz5+zh8XmFYY9LF9WOm09bgh5JBrKwitX8OADzVz1fqappB4Sx4OdINdFsphVm0/UmwNSkLISG+FrqOc5FzjxY7YJvPGl2jE+S9ieCCfLuEMo0cPOFrAMAjMLHIcJw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=B7FQhCHeSJI4SBNa0wGILs3onNnUnW2WVxPzj58VbtA=; b=CMrb31BdaKSL1N95p+L+DyHh9DZ3+IfksXcugh8SL9p2iq0omOxCad6IC6YqU1Br/1jtKC8ub0vcramYhP3Nm3c9xgYw1JCvswzx+qBXDxYM/gjQZ38lYl2IVEb22hcgw0jmlHSFUVByFqaR+rA24pk+a0HngbO15VAQwrMMPD7HkI2D3GKTJm4Z3aUT8f+TrVFycz1UMMbQ0xLkt6OtQBFuMlrfJ4V3Uq8+d/i+mW4wtLrgERl848tkDCmCvQVkQniXmTPSAGgZoKhgHDS6KsL2zQ/2599RmWjexn4/TuoTFfuyG4DRQ42WeN4gR+D8pY2Y4hfAhSOtUOR8Z5OBRA==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from AM6PR02MB5112.eurprd02.prod.outlook.com (2603:10a6:20b:90::21) by VI1PR02MB10266.eurprd02.prod.outlook.com (2603:10a6:800:1c8::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7339.38; Tue, 5 Mar 2024 21:55:18 +0000
Received: from AM6PR02MB5112.eurprd02.prod.outlook.com ([fe80::b95f:2e63:65e2:c45b]) by AM6PR02MB5112.eurprd02.prod.outlook.com ([fe80::b95f:2e63:65e2:c45b%2]) with mapi id 15.20.7339.031; Tue, 5 Mar 2024 21:55:18 +0000
Message-ID: <fa13cd34-7116-4039-9110-a87b720dea9e@cs.tcd.ie>
Date: Tue, 05 Mar 2024 21:55:16 +0000
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Sofía Celi <cherenkov@riseup.net>, "pqc@ietf.org" <pqc@ietf.org>
References: <3407a98c-e683-44c3-aa66-9043bb186359@riseup.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; keydata= xjMEY9GzphYJKwYBBAHaRw8BAQdAo6JvjmSbxHdQWPZdvciQYsHhM1NxQBU398Mmimoy4p7N M1N0ZXBoZW4gRmFycmVsbCAoMjU1MTkpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPsKQ BBMWCAA4FiEEMG54R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwMFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQ5Njp+ZeoM93bogEA25ElRyX0wwg+kGEN1AoL60MoZfvQZ/VtmXY6IC5j +csBAIBpkL5ySuzJK2zLNZn9qQGht8IaUcA7cvDcLvS2uHUEzjgEY9GzphIKKwYBBAGXVQEF AQEHQILCPWOwW36e8D3pY8GmvvtItIT+A5uV80ist+WokVsQAwEIB8J4BBgWCAAgFiEEMG54 R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwwACgkQ5Njp+ZeoM92bcAEA8R+8cpqRUIS+SoAN iO05xE6O/wEx8/e88BqzAYki3SoBAOQdwiPX+MQrAxkWD8xxOsdMOAtxYKpkD1n8aPJUw6QJ
In-Reply-To: <3407a98c-e683-44c3-aa66-9043bb186359@riseup.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------wfIE9Yc5jrzI0u006y2UKgpq"
X-ClientProxiedBy: DUZP191CA0020.EURP191.PROD.OUTLOOK.COM (2603:10a6:10:4f9::7) To AM6PR02MB5112.eurprd02.prod.outlook.com (2603:10a6:20b:90::21)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AM6PR02MB5112:EE_|VI1PR02MB10266:EE_
X-MS-Office365-Filtering-Correlation-Id: 4a898de2-2936-4dbd-e0b7-08dc3d5ef295
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: zyHUKmoD/pcWdEJVhez6HRGuri7X1p5jFZITb/kIf5QtqZBazd6IdxN0lLn8yg1/AomvZqq5zteaGfIuIkpnOASpvfK90MpMFKlOvVqaLcKp5d4YIyXHYxSD/b7JDHb4kHPmMAEq23dYu6D1Vx/ChFJwkwXQ5w5aKf3rsVSsEThAkNIzGZCuhvv/5PT2P3aklIXcuAcg3qe1yErgaLaLe+jv/UQiwG2QkoFu2ebuNBbUn6AuPueqsUsci1gwtjtKgr3Yl6RztNq3ed2U/0J2rER/yW1dpbiP1fa5KUMTQOWnDOiHPxTGJ4b6R5FM4RVBMkC0vdm57zXqrbUZT3sx6RlvA6gOfTiRoJIvLCCJy+wurpLptQj6LmuWUWg2lRje0gk0jbhSt5OzShXJU6qm+L2M/RD0TVjGvyIsE2dOKLGl3tg/IKt7KNi+K9qGcjjWq2OcOqzuh6keJhjhBNxbg+rT6C634Xe58FcsJY3GcXMxeLvG/pila7P8ml3ozb07dKljLbPEWUDdgn6JMJMlJqaC//hs//5CLNDjf72w9HpMinz8A9JYQRlS9vwVzgVSLMKVgJPnL6wpIYS8OEi2UUc5B0W5q2U41ynqBBGJZ5y30K5dkgbVuHtXKZMc+WvnTKK9VBrl5iLPljag318eufmDbGU1YzyVY7rsHICN97A=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR02MB5112.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376005); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 1hyC6DAu542ckPO/boSJR9N8WBtAfA2W3E+Wi6YOlWZxmeBxrUXtzmaw0Kamy9/9mJRrmP4MZqDhviyz6kKOJPz6ESxVScNJ6sD7QHsiUdC/m5jbzcVwccLtjhouSMLWyfibCiZx22esG2RIoEUUmItn9SSh6bDr/PjZxPX135LT6DbzeY232M8RSkIGfUQqPr2cKOwt3wVgVIUINptMM59ndBe4hks0vaumPk6pJo71+08UtiUgqtOAWLV7u541CcyR2Y5dAv1i/aMhHpk9wGaQ2NX0hQP+F16lsQotIPndVd0PaB3uxK/QDm6vpCa7uRwaeQ7GxyoYi8nTkUnHT/3mw2qlNdH2X4WL5tt3poRs6F2+Luvg4J1Gz0vK2yhjGX3xbSXeq29uJrYsjELYfX19U95tN4TFwHYZYsIeXp5lbcGU+HYCVC7LTtq5ZXt5ukHh1kine5YIelnKD5yLwiFKOsDayzQSBVbWsnxdA3GaGD6gNKHL4ZtRxeDw7l8OAj6+fISxV0ABro+JfEi6Zm6JHK2nRRUk4VWDnp8/+IuPyeiOIo3WC9tb16RuGT5a+JEN+bG1fMXI2njhX11T5PKfqF9rEy8i+BstWygCtCOnUNuYwkU7SYIsT7eM3kTBA8vetUjQs2BWoAlm6RQXkUDPCAZg1vZihLIgaRhE370r6r4H0C0SDCAKLtVor1PF8T7Y74+PnUbXqdIQ6PXk2CqA8GLrND0xm9tNEgzn4owtAc1lY4t1qRdt9bpGU7BnPF1yRIPb03g2XTXWYOpfGUsi9IclLTSYthfxDXev8L2cvkyw6TJOAEw8OsHZEZBPl13U98XMo9lDIxJuLg8nOkQZcdNISLfDIaWvo2cZdAPWb3UQNc6wiXODw2I2aoY57KijPcqqUYZc/WOm/I7qD6LR9eoonPHP/RIU3Rjq/URi9g64J9glLac+6iHF6ikGia3in35Toh+Skr0YAiKIJGZJMHR9gyNbCpXv0sgzU08IGYmh8j/MFCxHFERieRjxLiKsAmnTgR0x95nEuI+gWbkISTGHvo8r5IZ9HGNcX/RiQaEkZRq0mRmSiDhPoQLbKcoHhya7cfvqOVp70aJIIwScUiaEU1+xoS8hF5HinYeyxRg4YRtw1N83H0itktlpeXWha1Tqla+6XNj3L1+5mquC6d94H2GJbSm+jgODQT4S+2oqaFHrbr1t9YG+grkYDNsL/47OUQKDijI5clPzZVey0k6epGco4Cr82mKWXXuIeA3R274xcAgUyxGk2ZYX+seR4V2MGfbuOvUPJlmx9w7ApO0owPTQSIoOaVSEl5JxfqO7drO5s6GzPyYPMnHP5pDfdLiwuZ+A9wdM5hTrP3iSU4OJ1rsKJ9ysrZSUGQ1dFTBZupdpeOfBN7MGHW0VHfdD5cGP05Q56gxl5NcjJNIuQaG4HVr+ew3h5Lgp84H2eofMjWzxuLUHVTumYUpsFlDgo+2QEZ69uzCqE2aNcqhqloJAQioY/wF9gBG+drAkWQm+Q7jUVHS/5Y94tQ/5IqEImbhzus6n+7P/HJzcL7kVstwgPER5dO8ZyIUzrBaT3I5usmYouN3IcK7hDSDKYHsJ/xDAeEEuZ4jGK3PVn7UMkjkxJ6e3c2mE7YZYk0lWfy7l5qHs7YmJNFIK4i7H
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: 4a898de2-2936-4dbd-e0b7-08dc3d5ef295
X-MS-Exchange-CrossTenant-AuthSource: AM6PR02MB5112.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Mar 2024 21:55:18.7282 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: S2xT5G7SbwlhO2Hbk+NGa83AswFscl1hYAz68Lt1zeN5aCShWcIoa0ZFXaDEpq5O
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR02MB10266
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/-loTULt-BbqREzC-57QCqXk03PI>
Subject: Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 21:55:27 -0000
Hiya, I had a read of this. I don't think it's ready. Some of the text is IMO wrong, (not much, but some), some of the definitions aren't that good or a little inconsistent, there are some things included that don't seem useful and there's a couple of terms I think may be missing. I'd say all the above is fixable, but might take another iteration or two. Detailed comments below. Cheers, S. - I think this is missing some terms for an anti-pattern that defining hybrids enables, that is re-use of private key material for both a classic and hybrid asymmetric operation. This has been specifically called out as something that some people "might want" on the openpgp list, where e.g. a classic signing private key is on a smartcard/hsm and they want to both use that independently and to combine it with a (presumably s/w stored) ml-dsa private value to make an ml-dsa+ed25519 composite sig. (And have the signer emit both.) That seems like such an awful practice it deserves a name. Doing similarly with KEMs is also I guess possible and probably even worse. How about calling that "PQ/T private key abuse"? Not sure if different terms for KEMs/sigs are needed for this anti-pattern. If an even more negative sounding term could be found for that, that'd be better IMO:-) - "Signing algorithms in products that are expected to be in use for many years are also at risk if a CRQC is developed during the operational lifetime of that product." The above omits important caveats - for example if a system supports s/w update then the above should not apply in almost all cases. (And if a system does not support s/w update then it has, IMO, far harder problems to deal with than a CRQC.) - "During the transition from traditional to post-quantum algorithms, there may be a desire or a requirement" Why would a "desire" be relevant? I really wish we could stick to using hybrids when they are required and not when they are only desired (an error commonly seen, IMO). - "They may also choose to implement a post- quantum algorithm alongside a traditional algorithm for ease of migration from an ecosystem where only traditional algorithms are implemented and used, to one that only uses post-quantum algorithms." This is more than a choice - in cases where backwards compatibility is needed, then emitting a classic signature is needed as well as a PQ signature that might or might not need to be hybrid/composite. The point here is that backwards compat is a requirement, we're not dealing with a fashion choice:-) - "[RFC4949]" I say referring to HPKE/RFC9180 would make it clear this usage is not ancient lore, but is still-current. - "Traditional Cryptographic Algorithm*: An asymmetric cryptographic" Is AES traditional/or PQ according to these definitions? If you qualify to asymmetric on the RHS, you need it on the left too, if you want to be precise, which'd seem good in a terminology doc like this. (Same thing applies elsewhere.) Also, if you define a scheme to be a set of algs, and a combiner involves a KDF, then this definition probably also needs to work for KDFs. That implies "component alg" needs to cover KDFs, and hence so also does "traditional alg"? - "*PQ/T Hybrid Public Key Encryption (PKE)*:" Why is it useful to define this? If the reason is just to say: "don't do that" (which'd be ok) then be good to say it here. - Section 3... I'm not sure this is needed at all. WHen has terminology around this been confusing? Who else is using these terms? Separately, I don't think the choice of term is that good here, but I don't recall if that's been discussed or not. - " *PQ/T Hybrid Protocol with Composite Authentication*: A PQ/T hybrid protocol that incorporates a PQ/T hybrid scheme to achieve authentication, in such a way that the protocol fields and message flow are the same as those in a version of the protocol that uses a single-algorithm scheme." That's not a good definition as it doesn't provide a distinguisher for any protocol that already supports >1 signature, e.g. s/mime or pgpmime between the case where two independent sigs are carried or where a composite sig alg is imeplemented below e.g. a crypto API. - "In a PQ/T hybrid protocol with a composite construction, changes are primarily made to the formats of the cryptographic elements, while the protocol fields and message flow remain largely unchanged. In implementations, most changes are likely to be made to the cryptographic libraries, with minimal changes to the protocol libraries." That is a topic of significant debate and the above only states one position. Either much more text is needed there or the above should be deleted. (Probably better to do the latter.) - "*PQ/T Hybrid Backwards Compatibility*: The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can be completed successfully provided that both parties support the traditional component algorithm." The above seems to be missing something - don't you need to say that if both peers do support classic and PQ, the this protocol gets the benefit of both? (Likely similar changes needed elsewhere.) - Section 7... Not sure that's needed - who else wants to use that term?
- [Pqc] [WG last call] IETF WG state changed for dr… Sofía Celi
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Paul Hoffman
- Re: [Pqc] [EXTERNAL] Re: [Ext] [WG last call] IET… Mike Ounsworth
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Flo D
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Wang Guilin
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Peter C
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Rebecca Guthrie
- Re: [Pqc] [WG last call] IETF WG state changed fo… Hale, Britta (CIV)
- Re: [Pqc] [WG last call] IETF WG state changed fo… Stephen Farrell
- Re: [Pqc] [Ext] [WG last call] IETF WG state chan… Wang Guilin
- Re: [Pqc] [WG last call] IETF WG state changed fo… Sofía Celi
- Re: [Pqc] [WG last call] IETF WG state changed fo… Flo D
- Re: [Pqc] [WG last call] IETF WG state changed fo… D. J. Bernstein