Re: [Pqc] [Ext] NIST requests comments on the initial public drafts of three PQC algorithm standards

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 24 August 2023 16:46 UTC

References: <1FC3801D-7320-4C53-B332-8DF87E9CD426@vigilsec.com> <946C8779-72A9-46CC-8C8A-C6E93540D19F@icann.org>
In-Reply-To: <946C8779-72A9-46CC-8C8A-C6E93540D19F@icann.org>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 24 Aug 2023 12:45:56 -0400
Message-ID: <CAMm+LwgQfgBqGWnJJa0TUJzikXQY3wi4XadmGET_uJsrn_8-Cg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "pqc@ietf.org" <pqc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/SiFsYyc6Ys2DrB7IJLoCr6njKKw>
Subject: Re: [Pqc] [Ext] NIST requests comments on the initial public drafts of three PQC algorithm standards

On Thu, Aug 24, 2023 at 12:15 PM Paul Hoffman <paul.hoffman@icann.org>
wrote:

> A few significant notes for the WG (and the IETF in general):
>
> - These are proposals for standardization, not the standards. NIST will
> likely get a lot of responses to the call for comments, and may change the
> technical parts of the algorithms based on those comments. We'll know more
> by mid-2024 when NIST issues the final standards.

The private key format in particular might be changed.

Public key sizes are constrained by the need to communicate information and
Kyber is having to communicate quite a bit.

Private key information is different: there is never a need to specify more
than an n-bit seed and a deterministic generation mechanism. While
generating RSA keys is tedious and time consuming, generating these keys
does not require the same degree of trial and error.

For example, the following UDF specifies an RSA-2048 keypair:

ZAAA-RJ5I-OSMI-X2KH-MBHX-KUPB-OC54-NQI


Details of the derivation process are at:

https://datatracker.ietf.org/doc/draft-hallambaker-mesh-udf/

Of course, for most processes, you would want a much bigger seed. I will
add ML-KEM and ML-DSA once there is a final spec.


Another area where there is a lot of scope for kibitzing is the mechanism
used to populate the matrix. It doesn't actually change the security of
the algorithm, but when I was testing my code out on my own test vectors, I
was finding I was not always exercising all of my code paths, which is not
ideal.

So I would hope and expect there to be changes which may (or may not) be
breaking changes.
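As an added example (not code from this message or from draft-hallambaker-mesh-udf), the following shows the seed-plus-deterministic-derivation idea for RSA: the only secret that has to be stored is the seed, and re-running the derivation reproduces the same keypair. The derivation itself (SHAKE-256 over a label, a counter and the seed) and the 512-bit modulus are assumptions chosen here for illustration and speed; the UDF draft defines its own derivation and real keys would be 2048 bits or more.

```python
import hashlib
import math
import secrets

# Illustrative seed-to-RSA derivation (an assumption for this example, not the
# UDF draft's algorithm): every random choice in keygen is replaced by a SHAKE-256
# stream keyed by the seed, so the seed alone reconstructs the private key.

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin; witnesses are random but the verdict is the same for any seed."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def seeded_prime(seed: bytes, label: bytes, bits: int, e: int) -> int:
    """Walk a counter-indexed SHAKE-256 stream until a usable prime appears."""
    for counter in range(1 << 20):
        raw = hashlib.shake_256(label + counter.to_bytes(4, "big") + seed).digest(bits // 8)
        cand = int.from_bytes(raw, "big") | (3 << (bits - 2)) | 1  # full length, odd
        if math.gcd(cand - 1, e) == 1 and is_probable_prime(cand):
            return cand
    raise RuntimeError("no prime found in derivation stream")

def derive_rsa_keypair(seed: bytes, bits: int = 512, e: int = 65537):
    """Deterministic RSA keygen: same seed -> same (n, e, d). Small bits for demo speed."""
    p = seeded_prime(seed, b"rsa-p", bits // 2, e)
    q = seeded_prime(seed, b"rsa-q", bits // 2, e)
    d = pow(e, -1, (p - 1) * (q - 1))
    return p * q, e, d

def roundtrip_ok(seed: bytes) -> bool:
    """True if re-derivation reproduces the key and the key actually works."""
    n, e, d = derive_rsa_keypair(seed)
    m = 0x5EED  # constructed test message
    return derive_rsa_keypair(seed) == (n, e, d) and pow(pow(m, e, n), d, n) == m
```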