IETF Logo Mail Archive

Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology

Flo D <Flo.D@ncsc.gov.uk> Thu, 07 March 2024 08:50 UTC

Return-Path: <Flo.D@ncsc.gov.uk>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DDEFC151070 for <pqc@ietfa.amsl.com>; Thu, 7 Mar 2024 00:50:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.108
X-Spam-Level:
X-Spam-Status: No, score=-8.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.999, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CHdTObKTcaGC for <pqc@ietfa.amsl.com>; Thu, 7 Mar 2024 00:50:36 -0800 (PST)
Received: from GBR01-CWX-obe.outbound.protection.outlook.com (mail-cwxgbr01on2074.outbound.protection.outlook.com [40.107.121.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56EECC14F6F2 for <pqc@ietf.org>; Thu, 7 Mar 2024 00:50:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BV3TCeWW75L2ROGMKNRqCjcws/tH/4nATwFoyQTl8zBapHNtIk7YLSG5/ifivfhnPOC0emnmQtlUfybImHSIJyq+/Sv9kRRgyedwdv7D5Atr6eoBYzdKCyr6zXqPCZp7FcC/KYHj7gkQUpqICWIUI8n/SkVfhDS+NgKzI4UyFt/hsMklm1zz1lr/Oefk9zr0Fp1tA7J4TFtdQClI2o4Htwb8rc34t53oR3x4Yaf55YezYQ8HFdXwui4M6Z7p7jr0I5AxV/u3s1Em399+8iVhuN/Gylwuo7S1olGU8Y4Mq6hU4cu1ypNADojz7RGQBDV7mjxnb29pmgI5bl9RFZyPSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Fu1R/Sr9u20oVTYwFNkt/t4Tg3htSJIiqu/ThTm/vaA=; b=Q9uf+hFdosIPJz5Cto0l7EztL/WOdq3FzyFeMjPZpNL+awSTpnJ0gyhSILCh3WWXUyXAH0F7rFIITfsUgXDXrdR8AmAkVVo4Ov+VGqwhs148Goby4IcAupCDeHhQYDodUJe4jmfc7fZz7PNjLE01Mxzej3fHwPELfkVjZ6O/J3QS3mkEkf4aG5ufns57ruhIP+tRHLUB3JHMrerV82yg8Dp7f1gtikOwzhd8lu/7ieAHKTzlxwsLEEzcEg8cW/bfBCSc1A/svj3xM9kovlxXiT4QJ706VUqfJetMoC9XkfoJWxcZi45Hqk1UtXxHrkXvHtuaN0ahjTfznZQrprLoOg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ncsc.gov.uk; dmarc=pass action=none header.from=ncsc.gov.uk; dkim=pass header.d=ncsc.gov.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Fu1R/Sr9u20oVTYwFNkt/t4Tg3htSJIiqu/ThTm/vaA=; b=DIaNxYrULrP1OJBcErCCp8G5uMV2VNcWjLJOUChMyJHqB2u6PGYi5Hcur3ZtniUdqb7l8SUv+WTu6ceRvIGVt7XslhgSTvo2VS3HNgwpkh8Iq4Nme5+5t3EK2PhQ5k65c3kcYYiNL2hPPN7eF1vk8EKSOLXe3BUz7h7m58Y8Oc+Dh+hH7hNfTja2tMz5Bl/IZg7zXQhvCl5S58oK7R2PgsPkNGxnwv/gxtkG3ttIO7k91eCbfSH4nmJvM/iVoaMgp9d7xrIhA2S+mYJSZu/Ymf0FYYBy9dIuf5qgNmYbMxmudpK7FkRdILrbwn5DEyI9n67D2CczNnIwGN6xY+pu6Q==
Received: from LO0P123MB6702.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:2d1::14) by CWLP123MB2915.GBRP123.PROD.OUTLOOK.COM (2603:10a6:400:49::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7362.27; Thu, 7 Mar 2024 08:50:32 +0000
Received: from LO0P123MB6702.GBRP123.PROD.OUTLOOK.COM ([fe80::9f4f:574:4aa2:36b0]) by LO0P123MB6702.GBRP123.PROD.OUTLOOK.COM ([fe80::9f4f:574:4aa2:36b0%6]) with mapi id 15.20.7362.019; Thu, 7 Mar 2024 08:50:31 +0000
From: Flo D <Flo.D@ncsc.gov.uk>
To: "pqc@ietf.org" <pqc@ietf.org>
CC: Sofía Celi <cherenkov@riseup.net>
Thread-Topic: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology
Thread-Index: AQHaZNsgALZB159wnkCX0MaD2iUwtLEpxeYAgAGuuYCAAJncIA==
Date: Thu, 07 Mar 2024 08:50:31 +0000
Message-ID: <LO0P123MB6702BFDC406A1D4436A50F80A8202@LO0P123MB6702.GBRP123.PROD.OUTLOOK.COM>
References: <3407a98c-e683-44c3-aa66-9043bb186359@riseup.net> <fa13cd34-7116-4039-9110-a87b720dea9e@cs.tcd.ie> <860f710e-f36e-4e8e-a3e1-6446628634e5@riseup.net>
In-Reply-To: <860f710e-f36e-4e8e-a3e1-6446628634e5@riseup.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ncsc.gov.uk;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LO0P123MB6702:EE_|CWLP123MB2915:EE_
x-ms-office365-filtering-correlation-id: 8df258d3-40d8-4722-3ee2-08dc3e83a585
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: H6dtrlGgnhMti7NJI8VRvLIvAUH5Nd9gHa089UKRQhHdZ3kcslJ8y796tmyp/o6jNrO3j06yn1/mKEaAS0gugh71UKWHTii5Li+y6fJyrv/CQuVj7/IeVPTMRXv1MWGKK9mL5yVHCrJI0KzIGPuMQ0cta2l3OLPjneP2h4ow3OJPTle9lQ0vGCCkdYsPsICbE7bRreeiC4dDkeuf2734i1OqDZmUtwekCs/yLsozVcS8xA7Db3+pGOZxGzDyNNOE1B3NTKnrIUjwT/VLIANXwJxPF0g0oBr325i2LJAr4wQEjEdaiSW8L35Z/ImJBwnVE+oDF0Ysnso+kpy5RXDWR7mLO5sFULszV9grv6x1zzGhZZOiXxqWfoIADISCMXI1pZCTqekhP2vUJT+ELb0zY/rMxk3TAnUrf1EQGUbnLTNG0nhpBzj+uOrS2YdCCLw/5pw5834AxKSNXpmGiHMbLMkaFFGy1J1SomxesydbcOaReAJUuLYkUZaUDIXtQIqLzDlNzIA3ekzseVPor4vNwPg8mDzA6arBNa8bJoZ9eUwxJNhrh2aFXOrQbkjilNq6hOrJsnGzYI1U9wGw0CNpABDynID7uZ23KJk8oOlS/GnhAIq2Th/v8Uf2MZLZP67olZOow9M733a0ahkdIgID7LYcsTfyMGA5gfryTz7WeDY=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:LO0P123MB6702.GBRP123.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(376005)(38070700009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: CpJigXhqb8BkSfLOTF6k/toAmpbogfddwre1d+rrLySX6JqNlhz5s5Rmeit0xjLGl9s8zf1gYPSOFniNgaSJOr/DGmlqlv9wX0tQ53YDflUCNGHmnTYGMCnRtQ8wEWxMytOvHYWnR1o6onfE4tcezU42BSVZhTSbZlD0WLHUOdj0bwHxBpRT7o4I9Zz3wpurONtd+hgqL/miLxsebXjYzHXVJPgXHFDlhoflSoOzxEOFt0ZEXc+2mO8pRSqgmwLrnz6hWdiapdS7I74NnM1gd4o+HdZMwAN/QquFsQ93Vs2UDhiJZLou7F3jqBxKuTsBhtt3JWKPCvOhiYrHhXJyR15gDJyb1yVnFnqUglbayuRCYQrZMM1pwWDMNxIiN0mj0WgEa77TqzjprpK0/7IuhB74WRKOYItiRZQOCodtl9PcLlCGrMlohxPfL00kt0yD6epMKDZjSx+PjfY+MrIx0UEurHLYyMNrC8O9ygU345U8w7rYu+RJVxgIn9TZAO7NB1+u0MseJGiro0i9asxy1TuxNjwEYMAsvnhJ6dgO9Uj5aHgtd8yl7CVTiaKBmvpfNLJs0xltsOsGnnFo/dcB46JZB2m1xWMPO+DZJQakbnz6GCNV/WTf0SGbvPQO8kpc2TZ7kNe5tokQaMoSiwwXKnvAlufMrE2QysjwfY2wcfeoysPFqGymX/lWC5hJMCryTgrUkDt1WRwwMoFvhTGlO871qXvMvoAInGJkSwXV2NEpKtfH1WC8wIqTXvAK5ZwOCQNLKEznLcH4k3g+NbmP/pUHde4l/PZa5QnKfg29DYbDcMF0pQAxk7nq2WkVs9X0kylZS5IJeiGCWvAR4bGkjtQyG0pSeLgVc6gNsOgKkQB8btccjJlBRRizfBVTNqXdmIe81ZMKXpHyl+iku2IlsgG5f7RjOIjG2otyNH7XXr+qUkUTzTtkAi9Ejm7NmbfODUWdAtahsM/bMbY3BRGNeZzkTOHqS7ss6q/ZBi8QQwnN65PeFp6RupvM9iDlbTxDmoLKLD/J85ABDPRdRkgtMgniJkeTuVAmJxkD3qtrd7jrH8tI2XmoWYdMz5xWnElMhxnrw6LSHJHzRNgG6QvMWM454WTyfqpnO0z6NqnEQirD3PrNrxPZQH7HCan1cTrtYSrkCUEManZGP2N0j91/MqF4y/hFhfGxwaaPPuK31kXrMNwHSEhqwo+8go/Nb3W9Aax8F+tLWMRWr7X0RcrPmqNa26pKE3AeHOnI7ykMSTKGdLg0htc0naajEE4qgTCVfUbtRj4z7KojFe5EqUTCflFbSq+syK6yQx7HhFU8ztZFS2/2h3xz10g6kqKcWcndqnWeI9iJ7DKW59YBCUIRbzHFAIM+t587Tby50suOLZKpvb0OfIPX/kh3wEBuxrg9ZxRDGYNVz4fPFq8TcruFHND1AhL6n7Ey85g1DZbvmiqlqKKNfp2cwgeiNRDa+HPeX3o8/lN0Mpv+wmpPx/6bAG2ii+BmowGA5SSOtJNSy7bG+r8ITU410CJ1R1KSmSGZFH938MuypTNxf1igjsylDxf2OKqDdfz1OqlVyva1md1dND5ABWl7WIprmxLOOa5Y
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LO0P123MB6702.GBRP123.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 8df258d3-40d8-4722-3ee2-08dc3e83a585
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2024 08:50:31.8098 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MFFThayt8742vpdlUlMEvb/zVzki0mL51w1eBJVR1nUd+dY4LwqgBGdYaNnLGtUjKTQy1slySDnRi/IZDc0YeZy5rEGYoLghdZxLJehTEMI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CWLP123MB2915
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/LZN_5h_dNs--vpRHMFhybIp4n6E>
Subject: Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2024 08:50:40 -0000

Thanks to everyone who reviewed the draft, and particular to Sofía and Paul for managing the last call.  I really appreciate the contributions to improve this document.

I'll take away the comments and incorporate them in slower time, aiming for a new version of the draft for the interims between 119 and 120.  If anyone else on the list has any more feedback or suggestions, please do get in touch.

Flo
UK NCSC

-----Original Message-----
From: Pqc <pqc-bounces@ietf.org> On Behalf Of Sofía Celi
Sent: Wednesday, March 6, 2024 11:37 PM
To: pqc@ietf.org
Subject: Re: [Pqc] [WG last call] IETF WG state changed for draft-ietf-pquip-pqt-hybrid-terminology

Dear, everyone,

Given the reviews that came as part of the procedure, it doesn't seem like the document is ready for the publication process. Hence, we will hold off, and continue with it as a WG document in a couple of iterations.

Thank you,

On 05/03/2024 21:55, Stephen Farrell wrote:
>
> Hiya,
>
> I had a read of this. I don't think it's ready. Some of the text is
> IMO wrong, (not much, but some), some of the definitions aren't that
> good or a little inconsistent, there are some things included that
> don't seem useful and there's a couple of terms I think may be
> missing.
>
> I'd say all the above is fixable, but might take another iteration or
> two. Detailed comments below.
>
> Cheers,
> S.
>
> - I think this is missing some terms for an anti-pattern that defining
> hybrids enables, that is re-use of private key material for both a
> classic and hybrid asymmetric operation.
> This has been specifically called out as something that some people
> "might want" on the openpgp list, where e.g. a classic signing private
> key is on a smartcard/hsm and they want to both use that independently
> and to combine it with a (presumably s/w stored) ml-dsa private value
> to make an
> ml-dsa+ed25519 composite sig. (And have the signer emit
> both.) That seems like such an awful practice it deserves a name.
> Doing similarly with KEMs is also I guess possible and probably even
> worse. How about calling that "PQ/T private key abuse"? Not sure if
> different terms for KEMs/sigs are needed for this anti-pattern. If an
> even more negative sounding term could be found for that, that'd be
> better IMO:-)
>
> - "Signing algorithms in products that are
>     expected to be in use for many years are also at risk if a CRQC is
>     developed during the operational lifetime of that product."
>
> The above omits important caveats - for example if a system supports
> s/w update then the above should not apply in almost all cases. (And
> if a system does not support s/w update then it has, IMO, far harder
> problems to deal with than a CRQC.)
>
> - "During the transition from traditional to post-quantum algorithms,
>     there may be a desire or a requirement"
>
> Why would a "desire" be relevant? I really wish we could stick to
> using hybrids when they are required and not when they are only
> desired (an error commonly seen, IMO).
>
> - "They may also choose to implement a post-
>     quantum algorithm alongside a traditional algorithm for ease of
>     migration from an ecosystem where only traditional algorithms are
>     implemented and used, to one that only uses post-quantum algorithms."
>
> This is more than a choice - in cases where backwards compatibility is
> needed, then emitting a classic signature is needed as well as a PQ
> signature that might or might not need to be hybrid/composite.
> The point here is that backwards compat is a requirement, we're not
> dealing with a fashion choice:-)
>
> - "[RFC4949]"
>
> I say referring to HPKE/RFC9180 would make it clear this usage is not
> ancient lore, but is still-current.
>
> - "Traditional Cryptographic Algorithm*:  An asymmetric cryptographic"
>
> Is AES traditional/or PQ according to these definitions? If you
> qualify to asymmetric on the RHS, you need it on the left too, if you
> want to be precise, which'd seem good in a terminology doc like this.
> (Same thing applies elsewhere.)
>
> Also, if you define a scheme to be a set of algs, and a combiner
> involves a KDF, then this definition probably also needs to work for
> KDFs. That implies "component alg" needs to cover KDFs, and hence so
> also does "traditional alg"?
>
> - "*PQ/T Hybrid Public Key Encryption (PKE)*:"
>
> Why is it useful to define this? If the reason is just to say:
> "don't do that" (which'd be ok) then be good to say it here.
>
> - Section 3...
>
> I'm not sure this is needed at all. WHen has terminology around this
> been confusing? Who else is using these terms? Separately, I don't
> think the choice of term is that good here, but I don't recall if
> that's been discussed or not.
>
> - "   *PQ/T Hybrid Protocol with Composite Authentication*:  A PQ/T
>        hybrid
>        protocol that incorporates a PQ/T hybrid scheme to achieve
>        authentication, in such a way that the protocol fields and
> message
>        flow are the same as those in a version of the protocol that
> uses
>        a single-algorithm scheme."
>
> That's not a good definition as it doesn't provide a distinguisher for
> any protocol that already supports >1 signature, e.g. s/mime or
> pgpmime between the case where two independent sigs are carried or
> where a composite sig alg is imeplemented below e.g. a crypto API.
>
> - "In a PQ/T hybrid protocol with a composite construction, changes
> are
>     primarily made to the formats of the cryptographic elements, while
>     the protocol fields and message flow remain largely unchanged.  In
>     implementations, most changes are likely to be made to the
>     cryptographic libraries, with minimal changes to the protocol
>     libraries."
>
> That is a topic of significant debate and the above only states one
> position. Either much more text is needed there or the above should be
> deleted. (Probably better to do the latter.)
>
> - "*PQ/T Hybrid Backwards Compatibility*:  The property that a PQ/T
>        hybrid scheme or PQ/T hybrid protocol can be completed
>        successfully provided that both parties support the traditional
>        component algorithm."
>
> The above seems to be missing something - don't you need to say that
> if both peers do support classic and PQ, the this protocol gets the
> benefit of both? (Likely similar changes needed elsewhere.)
>
> - Section 7...
>
> Not sure that's needed - who else wants to use that term?
>
>
>
>
>
>

--
Sofía Celi
@claucece
Cryptographic research and implementation at many places, specially Brave.
she/her, they/them.
Chair of hprc at IRTF, pquip at IETF, and anti-fraud at W3C.
Reach me out at: cherenkov@riseup.net
Website: https://sofiaceli.com/

--
Pqc mailing list
Pqc@ietf.org
https://www.ietf.org/mailman/listinfo/pqc

v2.23.0 | Report a Bug | By Email