IETF Logo Mail Archive

Re: [Pqc] [Ext] Listing pointers to not-yet-standardized PQC algorithms

"D. J. Bernstein" <djb@cr.yp.to> Tue, 16 May 2023 19:12 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05157C14CE3B for <pqc@ietfa.amsl.com>; Tue, 16 May 2023 12:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G5nOlEwU8SFP for <pqc@ietfa.amsl.com>; Tue, 16 May 2023 12:12:16 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 4CB40C13AE34 for <pqc@ietf.org>; Tue, 16 May 2023 12:12:11 -0700 (PDT)
Received: (qmail 2269 invoked by uid 1010); 16 May 2023 19:12:09 -0000
Received: from unknown (unknown) by unknown with QMTP; 16 May 2023 19:12:09 -0000
Received: (qmail 350731 invoked by uid 1000); 16 May 2023 19:11:40 -0000
Date: Tue, 16 May 2023 19:11:40 -0000
Message-ID: <20230516191140.350729.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: pqc@ietf.org
Mail-Followup-To: pqc@ietf.org
In-Reply-To: <8789D47C-5F53-4022-B8B4-94B40BCDA34A@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/EWP9yr1E7tzr4S7LoZuVjpr41Ic>
Subject: Re: [Pqc] [Ext] Listing pointers to not-yet-standardized PQC algorithms
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2023 19:12:21 -0000

Russ Housley writes:
> The LAMPS WG charter sets the scope of PQ algorithms that can be
> considered.  They need to be NIST-approved or GFRG-approved. I hope we
> can have the same criteria across the IETF.

>From a security perspective, those limitations are problematic:

   * NIST's selections so far have, to the extent that people are
     following NIST, created years of patent-related delays in
     deployment of post-quantum encryption. This is a security problem
     right now, under the reasonable assumption that future attackers
     will have large quantum computers.

   * NIST's selections don't include any conservative encryption
     options. (This, like NIST not requiring hybrids, is most easily
     explained as overconfidence.) Obviously various non-NIST
     organizations (e.g., BSI) are taking a very different path here.

The CFRG add-on doesn't help---CFRG was very fast in vetting stateful
hash-based signature schemes but is far behind other organizations in
handling post-quantum encryption.

As a procedural matter, the LAMPS charter was last modified in May 2021,
which is before NIST issued its selections (July 2022). It would be good
for LAMPS to recognize the security problems at hand and expand its
charter accordingly.

(As a side note, I think that the opposite extreme, with all IETF WGs
requiring CFRG algorithm vetting, could work well if CFRG takes this
job seriously. But this would be a much larger change from the current
situation, and I think it would need an IESG policy decision.)

As another procedural matter, the PQUIP charter does not have the same
limitations as the LAMPS charter. Why is a LAMPS co-chair showing up on
the PQUIP mailing list and pointing to a current LAMPS restriction as an
argument for limiting PQUIP's activities, rather than acknowledging that
the PQUIP charter is different?

If there's a problem caused by the differences between the charters,
then surely the decision on the way forward should start by looking at
the relevant goals for IETF (such as BCP 188) and figuring out how to
organize the work into WGs, rather than by one current charter being
allowed to override another.

Right now there's a mess of different WGs looking at post-quantum
updates to specific protocols _and_ looking at protocol-independent
questions. Surely it would be better to have protocol-independent
discussions (example: should IETF let NIST slow down IETF's response to
the quantum threat?) centralized in PQUIP---meaning, e.g., that LAMPS
should focus on issues specific to updating PKIX and SMIME, and should
avoid being in the position of making IETF-wide post-quantum decisions.

---D. J. Bernstein

v2.23.0 | Report a Bug | By Email