IETF Logo Mail Archive

Re: [Pqc] Mapping the state of PQC and IETF - ssh

Alexandre Petrescu <alexandre.petrescu@gmail.com> Thu, 02 March 2023 13:03 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51AD2C1524D3 for <pqc@ietfa.amsl.com>; Thu, 2 Mar 2023 05:03:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.672
X-Spam-Level:
X-Spam-Status: No, score=0.672 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mURmuaEsVWFB for <pqc@ietfa.amsl.com>; Thu, 2 Mar 2023 05:03:42 -0800 (PST)
Received: from sainfoin-smtp-out.extra.cea.fr (sainfoin-smtp-out.extra.cea.fr [132.167.192.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B52DC14F72F for <pqc@ietf.org>; Thu, 2 Mar 2023 05:03:42 -0800 (PST)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by sainfoin-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 322D3dai021254 for <pqc@ietf.org>; Thu, 2 Mar 2023 14:03:39 +0100
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 1BB05207C9B for <pqc@ietf.org>; Thu, 2 Mar 2023 14:03:39 +0100 (CET)
Received: from muguet2-smtp-out.intra.cea.fr (muguet2-smtp-out.intra.cea.fr [132.166.192.13]) by pisaure.intra.cea.fr (Postfix) with ESMTP id 12B712010AE for <pqc@ietf.org>; Thu, 2 Mar 2023 14:03:39 +0100 (CET)
Received: from [10.11.241.182] ([10.11.241.182]) by muguet2-sys.intra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 322D3cZV023546 for <pqc@ietf.org>; Thu, 2 Mar 2023 14:03:39 +0100
Message-ID: <092a4783-e9e9-f9f2-93d8-41e33800d14b@gmail.com>
Date: Thu, 02 Mar 2023 14:03:38 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
Content-Language: fr
To: pqc@ietf.org
References: <20230302083203.1037229.qmail@cr.yp.to>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
In-Reply-To: <20230302083203.1037229.qmail@cr.yp.to>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/S6NDvqdjFWvrpohAHWHHzY3RGzM>
Subject: Re: [Pqc] Mapping the state of PQC and IETF - ssh
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 13:03:47 -0000

Thank you authors of this topic, and the subject line update.

If I may further bring a typical question about this, that of export
controls:

Le 02/03/2023 à 09:32, D. J. Bernstein a écrit :
> Kampanakis, Panos writes:

[...]
> The available evidence (see 
> https://nist.pqcrypto.org/foia/index.html) suggests that NIST 
> actually selected Kyber in 2021.12, but then delayed the
> announcement for several months trying to deal with patents.

Obviously an ssh end user would not like to be charged lots of money for
just being secure.  In the automotive industry the stance is that there
are some fundamental safety features necessarily present in even the
cheapest automobiles - not only for the obvious ethical reason but also
to avoid further safety risks to those with more expensive automobiles
too - security is a whole and expensive cars must exist.

That said, the IPR discussion might be valid at NIST but it is also at IETF.

> I'm saying "trying" here because the patent situation is still a 
> mess:
> 
> * NIST's patent buyouts don't activate until after NIST issues its 
> Kyber standard (currently predicted to be 2024---probably there will 
> be a draft standard early summer 2023);
> 
> * NIST's buyouts are only for _exactly the version of Kyber in that 
> standard_ (patching security problems would require new buyouts); 
> and
> 
> * NIST doesn't appear to have analyzed whether Kyber is safe from the
> other five patent families that were already identified on GAM/LPR
> systems. (See https://ntruprime.cr.yp.to/faq.html.)
> 
> NIST's 2022.07 report said that NIST could still select NTRU as the 
> patent-free option if something went wrong with patents. NIST 
> retracted this after the buyout agreements were signed. (This could 
> be undertsood as saying the other patent families aren't an issue, 
> but by default I'd chalk this up to NIST not realizing how courts 
> stretch patents.)
> 
> NIST could instead have issued a 2021 announcement encouraging 
> immediate deployment of NTRU. NIST's report said that "the overall 
> performance of any of these KEMs would be acceptable for general-use 
> applications" and that NIST finds Kyber's security "marginally" more 
> convincing than NTRU's security. "Marginally" is an awfully thin 
> rationale for diving into a patent minefield and delaying 
> post-quantum deployment until 2024.
> 
> It's important to remember that attackers systematically collect user
> data and keep it in the hopes of decrypting it later:
> 
> https://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/
>
>
> 
Delaying post-quantum deployment means security damage.
> 
>> There was nothing wrong with it, it just didn't move forward, so 
>> there will be no final spec for it.
> 
> NTRU Prime already has a complete specification and a Sage reference
>  implementation (see https://ntruprime.cr.yp.to) along with the 
> deployed software. Every detail of the internal PKE stabilized five 
> years ago, and every remaining KEM detail stabilized four years ago.
> 
> Obviously _NIST_ isn't about to issue an NTRU Prime specification, 
> but IETF and IRTF aren't bound by what NIST does. When NIST's 
> standards aren't in line with IETF priorities, IETF sets its own 
> standards, as illustrated by the usage of Curve25519 in IETF 
> standards for several years (starting with an IRTF informational 
> spec, preceded by a detailed CFRG investigation of options) before 
> NIST finally managed to issue a Curve25519 standard in 2023.
> 
> For post-quantum cryptography, there's a security problem _right 
> now_, and IETF should endorse taking action _right now_ in response. 
> Given the patent situation, this isn't compatible with following 
> NIST.
> 
>> Also, OpenSSH currently does not support ECDH+PQ for "quantum-safe
>>  FIPS" compliance.
> 
> I'm not sure exactly which distinction you're drawing here, but I'd 
> suggest that the top priority should be protecting users, even if 
> this is negatively correlated with FIPS compliance.
> 
>> Although it is a great that OpenSSH was an early adopter, in the 
>> long run it makes sense to standardize on a consensus-based, 
>> peer-reviewed spec
> 
> The Kyber and NTRU Prime specs have both undergone peer review. This 
> is more meaningful for NTRU Prime than for Kyber, for two basic 
> reasons: (1) Kyber has a larger attack surface; (2) the Kyber design 
> is a moving target, for example with discoveries of flaws in the 
> security analysis leading to cryptosystem modifications 4 years ago 
> and 2.5 years ago.
> 
> As for "consensus-based", the process of reaching consensus in IETF 
> starts with IETF investigation of the merits of the options at hand.
>  Seeing deployment of various options can provide indirect 
> information but shouldn't substitute for an IETF investigation.

In that consensus search, and in the end user protection direction, one
would also consider the export controls.  This is new and stronger crypto.

Is this crypto subject to export controls and does it concern me in my
country or not?

Or is it also in a birth phase, a fluid law setting, where it is not
known precisely, and hence the usage can be dubious at the time.

This is also make or break in the usage, with potential effects on
standards.

The export control concept applies to ssh but also to other protocols
protected by this stronger and newer crypto.

Alex

> 
>> instead of complying with the choices one widely-used 
>> implementation made.
> 
> OpenSSH's deployment of post-quantum cryptography began with TinySSH
>  from Jan Mojzis. Two implementations of a protocol are sufficient 
> for IETF standardization.
> 
> There's security value in focusing cryptographic review on a limited
>  number of options, but, given the GAM/LPR patent minefield, IETF and
>  IRTF shouldn't restrict attention purely to GAM/LPR cryptosystems 
> such as Kyber.
> 
>> Currently SSH is an orphan protocol; there is no IETF WG to work
>> on it and PQUIP will not do any standardizations.
> 
> I would like to see the X25519+PQ hybrids specified centrally so that
> they don't require protocol-specific work.
> 
> ---D. J. Bernstein
>

v2.23.0 | Report a Bug | By Email