Re: [Pqc] Listing pointers to not-yet-standardized PQC algorithms

Florence D <Florence.D@ncsc.gov.uk> Fri, 05 May 2023 08:10 UTC

To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, Paul Hoffman <paul.hoffman@icann.org>, "pqc@ietf.org" <pqc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/HPQS8SxhFTXguoad9HlLRbjW1s4>

Hi,

I vote yes to 1. (pointing towards NIST standards and standards in development) and no to 2. (pointing towards other algorithms).

1. While I agree with Panos that cryptographers are tracking NIST, part of the justification for doing the "PQ for engineers" work in this group is that we don't expect all engineers designing security protocols to be following NIST closely.  I think including a brief description of the current state of play for NIST algorithms (e.g. in the process of being standardised, still being assessed etc.) would be useful, as well as pointers to the latest versions.  The pointers could be to other IETF/IRTF drafts where they exist.  I think this should be short, but something would be better than nothing.

2. I think we should focus on the NIST algorithms. These have been selected due to their security and usability and these are the features that IETF should be looking for when incorporating algorithms into our protocols.  If we start pointing to other algorithms then this group would need to start weighing up their security and relative merits outside of NIST's process, which is not in our remit.

Also, at Real World PQC Dustin Moody suggested that NIST would be standardising one of BIKE or HQC, but not both.  That might have changed, but we should check before writing anything.

Flo

Florence D
UK National Cyber Security Centre

-----Original Message-----
From: Pqc <pqc-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: 04 May 2023 19:12
To: Kampanakis, Panos <kpanos=40amazon.com@dmarc.ietf.org>; Paul Hoffman <paul.hoffman@icann.org>; pqc@ietf.org
Subject: Re: [Pqc] Listing pointers to not-yet-standardized PQC algorithms

I vote no also.

I see this list / github page as an index of *IETF* PQC work. Trying to document the PQC work in general beyond the IETF seems to be both not the IETF's responsibility and a never-ending task.

---
Mike Ounsworth

-----Original Message-----
From: Pqc <pqc-bounces@ietf.org> On Behalf Of Kampanakis, Panos
Sent: Wednesday, May 3, 2023 8:58 PM
To: Paul Hoffman <paul.hoffman@icann.org>; pqc@ietf.org
Subject: [EXTERNAL] Re: [Pqc] Listing pointers to not-yet-standardized PQC algorithms

I would vote no to both.

1. Crypto developers are following NIST's work and there are plenty of resources that explain what these algorithms are. I don't see a benefit in encyclopedically documenting something that has been documented many times before.

2. Frodo is in the LWE family. It is not RLWE or MLWE, so as a primitive it has less structure and could be assumed to be more conservatively secure, but it is in the lattice family like Kyber. The Frodo public key and ciphertext are pretty big. NIST's schemes offer better size-performance balance and math primitive family diversity. IETF should only go with primitives that make sense for use in its WGs. I am not sure I would pick Frodo over Kyber or BIKE in any use-cases. Personally, I expect and hope that European regulatory bodies will endorse NIST's primitives in the long run as well.



-----Original Message-----
From: Pqc <pqc-bounces@ietf.org> On Behalf Of Paul Hoffman
Sent: Wednesday, May 3, 2023 6:57 PM
To: pqc@ietf.org
Subject: [EXTERNAL] [Pqc] Listing pointers to not-yet-standardized PQC algorithms


Greetings again. The grand list of pointers at <https://github.com/ietf-wg-pquip/state-of-protocols-and-pqc> primarily lists Internet Drafts and RFCs.

We know that the protocols themselves are being developed elsewhere, primarily (but not exclusively) at NIST. NIST has said that it will publish standards for CRYSTALS-Kyber, CRYSTALS-Dilithium, Falcon, and SPHINCS+ next year, and has more informally said that it will publish standards for other KEM finalists (Classic McEliece, BIKE, and HQC). Should this WG help let IETF developers know about these algorithms and their status at NIST; if so, how?

Those of us following the European PQC world know that there is still a lot of interest in some non-NIST algorithms, particularly FrodoKEM. FrodoKEM is being standardized in ISO. Should this WG let IETF developers know about these algorithms? If so, how do we bound this list to prevent us from promoting MyMostlyUnreviewedKEM without enough context?

--Paul Hoffman

--
Pqc mailing list
Pqc@ietf.org
https://www.ietf.org/mailman/listinfo/pqc
