Re: [Pqc] [Ext] Listing pointers to not-yet-standardized PQC algorithms
"D. J. Bernstein" <djb@cr.yp.to> Tue, 16 May 2023 19:12 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05157C14CE3B for <pqc@ietfa.amsl.com>; Tue, 16 May 2023 12:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G5nOlEwU8SFP for <pqc@ietfa.amsl.com>; Tue, 16 May 2023 12:12:16 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 4CB40C13AE34 for <pqc@ietf.org>; Tue, 16 May 2023 12:12:11 -0700 (PDT)
Received: (qmail 2269 invoked by uid 1010); 16 May 2023 19:12:09 -0000
Received: from unknown (unknown) by unknown with QMTP; 16 May 2023 19:12:09 -0000
Received: (qmail 350731 invoked by uid 1000); 16 May 2023 19:11:40 -0000
Date: Tue, 16 May 2023 19:11:40 -0000
Message-ID: <20230516191140.350729.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: pqc@ietf.org
Mail-Followup-To: pqc@ietf.org
In-Reply-To: <8789D47C-5F53-4022-B8B4-94B40BCDA34A@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/EWP9yr1E7tzr4S7LoZuVjpr41Ic>
Subject: Re: [Pqc] [Ext] Listing pointers to not-yet-standardized PQC algorithms
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2023 19:12:21 -0000
Russ Housley writes: > The LAMPS WG charter sets the scope of PQ algorithms that can be > considered. They need to be NIST-approved or GFRG-approved. I hope we > can have the same criteria across the IETF. >From a security perspective, those limitations are problematic: * NIST's selections so far have, to the extent that people are following NIST, created years of patent-related delays in deployment of post-quantum encryption. This is a security problem right now, under the reasonable assumption that future attackers will have large quantum computers. * NIST's selections don't include any conservative encryption options. (This, like NIST not requiring hybrids, is most easily explained as overconfidence.) Obviously various non-NIST organizations (e.g., BSI) are taking a very different path here. The CFRG add-on doesn't help---CFRG was very fast in vetting stateful hash-based signature schemes but is far behind other organizations in handling post-quantum encryption. As a procedural matter, the LAMPS charter was last modified in May 2021, which is before NIST issued its selections (July 2022). It would be good for LAMPS to recognize the security problems at hand and expand its charter accordingly. (As a side note, I think that the opposite extreme, with all IETF WGs requiring CFRG algorithm vetting, could work well if CFRG takes this job seriously. But this would be a much larger change from the current situation, and I think it would need an IESG policy decision.) As another procedural matter, the PQUIP charter does not have the same limitations as the LAMPS charter. Why is a LAMPS co-chair showing up on the PQUIP mailing list and pointing to a current LAMPS restriction as an argument for limiting PQUIP's activities, rather than acknowledging that the PQUIP charter is different? If there's a problem caused by the differences between the charters, then surely the decision on the way forward should start by looking at the relevant goals for IETF (such as BCP 188) and figuring out how to organize the work into WGs, rather than by one current charter being allowed to override another. Right now there's a mess of different WGs looking at post-quantum updates to specific protocols _and_ looking at protocol-independent questions. Surely it would be better to have protocol-independent discussions (example: should IETF let NIST slow down IETF's response to the quantum threat?) centralized in PQUIP---meaning, e.g., that LAMPS should focus on issues specific to updating PKIX and SMIME, and should avoid being in the position of making IETF-wide post-quantum decisions. ---D. J. Bernstein
- [Pqc] Listing pointers to not-yet-standardized PQ… Paul Hoffman
- Re: [Pqc] Listing pointers to not-yet-standardize… Kampanakis, Panos
- Re: [Pqc] Listing pointers to not-yet-standardize… Blumenthal, Uri - 0553 - MITLL
- Re: [Pqc] Listing pointers to not-yet-standardize… Mike Ounsworth
- Re: [Pqc] Listing pointers to not-yet-standardize… Florence D
- Re: [Pqc] Listing pointers to not-yet-standardize… Kris Kwiatkowski
- Re: [Pqc] Listing pointers to not-yet-standardize… D. J. Bernstein
- Re: [Pqc] Listing pointers to not-yet-standardize… Paul Wouters
- Re: [Pqc] Listing pointers to not-yet-standardize… D. J. Bernstein
- Re: [Pqc] Listing pointers to not-yet-standardize… Paul Wouters
- Re: [Pqc] Listing pointers to not-yet-standardize… D. J. Bernstein
- Re: [Pqc] [Ext] Listing pointers to not-yet-stand… Paul Hoffman
- Re: [Pqc] [EXTERNAL] Re: Listing pointers to not-… Mike Ounsworth
- Re: [Pqc] Listing pointers to not-yet-standardize… Roman Danyliw
- Re: [Pqc] Listing pointers to not-yet-standardize… Christopher Wood
- Re: [Pqc] [Ext] Listing pointers to not-yet-stand… D. J. Bernstein
- Re: [Pqc] [EXTERNAL] Re: Listing pointers to not-… D. J. Bernstein
- Re: [Pqc] [Ext] Listing pointers to not-yet-stand… Russ Housley
- Re: [Pqc] [Ext] Listing pointers to not-yet-stand… Daniel Christopher Apon
- Re: [Pqc] [Ext] Listing pointers to not-yet-stand… Mike Prorock
- Re: [Pqc] [Ext] Listing pointers to not-yet-stand… D. J. Bernstein
- Re: [Pqc] [Ext] Listing pointers to not-yet-stand… Roman Danyliw
- Re: [Pqc] Listing pointers to not-yet-standardize… Alexandre Petrescu