Re: [Pqc] PQ/T Hybrid Terminology - Basic Definitions

Wang Guilin <Wang.Guilin@huawei.com> Sun, 30 April 2023 15:29 UTC

From: Wang Guilin <Wang.Guilin@huawei.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Florence D <Florence.D=40ncsc.gov.uk@dmarc.ietf.org>, pqc <pqc@ietf.org>
CC: Wang Guilin <Wang.Guilin@huawei.com>
Date: Sun, 30 Apr 2023 15:29:36 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/Upr3hk669_KlZfhkyuD_JS3vnBA>
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>

Hi, Florence,

Basically, I support your choices for the 3 terms listed and the reasons why to select them.

However, here are some comments on the first term, i.e., Traditional Algorithm.

1a) For a proper definition, Traditional Algorithm looks too general. In my opinion, it is better to define "Traditional Cryptographic Algorithm" rather than "Traditional Algorithm", though a note can be given to say that for short, "Traditional Cryptographic Algorithm" is also called "Traditional Algorithm".

1b) It is better to define "Traditional Cryptographic Algorithm/Traditional Algorithm" in a general way, similar to what has been done for the definition of "Post-Quantum Algorithm", rather than giving a list of limited algorithms.

1c) It seems not a good idea to (implicitly) say that RSA, DLP, EC-DLP based algorithms are the only traditional algorithms. In academic research, there are a huge number of cryptographic algorithms which were designed not to resist PQ attacks. So, these algorithms should also be classified as Traditional (Cryptographic) Algorithms, but they may or may not be related to the above hard problems.

In summary, in my opinion, a better definition for 1 could be something like the following:

========
1. Traditional (Cryptographic) Algorithm: An asymmetric cryptographic algorithm that is believed to be secure against classic computers and not secure against quantum computers. For short, we call a traditional cryptographic algorithm a traditional algorithm.

Examples of traditional algorithms include the cryptographic algorithms based on integer factorisation, finite field discrete logarithms or elliptic curve discrete logarithms. These are also the representatives of current standardized asymmetric algorithms (say, ...). However, due to the discovery of Shor's algorithm in 1994, all of these algorithms are potentially broken under quantum attacks. ...
========

Cheers,

Guilin

________________________________

Wang Guilin
Mobile: +65-86920345
Email: Wang.Guilin@huawei.com

From: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
To: Florence D <Florence.D=40ncsc.gov.uk@dmarc.ietf.org>; pqc <pqc@ietf.org>
Date: 2023-04-28 21:02:00
Subject: Re: [Pqc] PQ/T Hybrid Terminology - Basic Definitions

Thanks Flo!

I'll add a meta-point about 3: I like "thing1 / thing2 hybrid" because it extends nicely to other things: I can talk about a "PQ/PQ hybrid", or a "PSK/Traditional hybrid", or a "PQ/QKD hybrid" and the meaning is clear. It's a nice qualification and disambiguation of the word "hybrid" which by itself can mean many different things within cryptography.

---
Mike Ounsworth

-----Original Message-----
From: Pqc <pqc-bounces@ietf.org<mailto:pqc-bounces@ietf.org>> On Behalf Of Florence D
Sent: Wednesday, April 26, 2023 9:14 AM
To: pqc@ietf.org<mailto:pqc@ietf.org>
Subject: [Pqc] PQ/T Hybrid Terminology - Basic Definitions

Hi PQUIP and friends,

At the PQUIP meeting at IETF 116 I committed to summarising the discussion on algorithm type naming that happened on the mailing list back in March [1]. The email aims to do that, as well as to provide some justification for the choices made in the draft at the moment. The aim here is to come to some consensus on the base level definitions/names in this draft, allowing us to use this terminology to build from there.

I'll focus on the following definitions:
1. Traditional Algorithm: An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms or elliptic curve discrete logarithms.
2. Post-Quantum Algorithm: An asymmetric cryptographic algorithm that is believed to be secure against quantum computers as well as classical computers.
3. Post-Quantum/Traditional (PQ/T) Hybrid Scheme: A cryptographic scheme made up of two or more component algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm.

Taking these one at a time:
1. Traditional Algorithm
        - Alternative words that have been suggested are classical, conventional, pre-quantum, vintage, quantum-vulnerable. Others have suggested alternatives that describe the mathematical problems that these algorithms are based on e.g., discrete-log or integer-factorisation based.
        - The current version uses "traditional", rather than another word, for these reasons:
                a. It doesn't begin with "C" or "PQ" so can form a helpful and non-confusing acronym. Conventional/classical seem non-ideal because PQC is already taken as an acronym.
                b. Classical describes a type of computer, and PQ algorithms are run on classical computers.
                c. It is a single word and is not too long or technical. I think this is important if we want the terminology to be used.
                d. It doesn't suggest that these types of algorithms are already insecure before the existence of a CRQC (as e.g., vintage might).
        - Arguments against "traditional" include:
                a. In the long term we might expect PQ algorithms to become "traditional", so this may not age well.
                b. Traditional is one of the words highlighted as potentially biased in NIST's inclusive language guidance [2]. I believe that the usage in this document is sufficiently different to the example in the NIST guidance that it is reasonable to use the word here, but it is worth taking into consideration.

2. Post-Quantum Algorithm
        - Alternative words: quantum-safe, quantum-resistant.
        - The current version uses "post-quantum" for these reasons:
                a. It is currently the most widely used term for this algorithm type.
                b. Quantum-safe and quantum-resistant suggest properties of the security achieved by the algorithms, rather than the security goals of the algorithm. For example, SIKE is a post-quantum algorithm, but calling it a quantum-safe algorithm is (at best) highly misleading.
                c. Quantum-safe has previously been used to include both PQC and QKD (e.g. by ETSI).

3. PQ/T Hybrid Scheme
        - Obviously this decision depends on 1. and 2. above.
        - I am currently using PQ/T hybrid scheme for this concept because I believe it does a good job of describing the components, so that a technical reader who hasn't read this document has a good chance of understanding the meaning.
        - There was previously discussion on this thread about including a forward slash in the name [3], which suggested that the group preferred some separation between the two algorithm types. This does raise a question about whether you pronounce the slash (I think no...).

If you have alternative suggestions for 1, 2 and 3 which have fewer compromises than what we've got so far then I'd be very keen to hear them; please do post to the list or email me directly if you'd prefer. Also, if you'd like to add any more pros/cons to this discussion please do reply.

Flo

[1] https://mailarchive.ietf.org/arch/msg/pqc/3hKDhB8r8wnbG5M_iTb8JIrIaGc/
[2] https://www.nist.gov/nist-research-library/nist-technical-series-publications-author-instructions#table1
[3] https://mailarchive.ietf.org/arch/msg/pqc/IntVA7nMUcBDqlg2wvV-5YGA-7g/
--
Pqc mailing list
Pqc@ietf.org<mailto:Pqc@ietf.org>
https://www.ietf.org/mailman/listinfo/pqc