IETF Logo Mail Archive

Re: [Pqc] Listing pointers to not-yet-standardized PQC algorithms

Kris Kwiatkowski <kris@amongbytes.com> Fri, 05 May 2023 09:34 UTC

Return-Path: <kris@amongbytes.com>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37F13C15256E for <pqc@ietfa.amsl.com>; Fri, 5 May 2023 02:34:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.894
X-Spam-Level:
X-Spam-Status: No, score=-6.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MxFfV6BWe8vm for <pqc@ietfa.amsl.com>; Fri, 5 May 2023 02:34:43 -0700 (PDT)
Received: from 10.mo579.mail-out.ovh.net (10.mo579.mail-out.ovh.net [46.105.58.75]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55454C15256B for <pqc@ietf.org>; Fri, 5 May 2023 02:34:42 -0700 (PDT)
Received: from mxplan8.mail.ovh.net (unknown [10.109.143.71]) by mo579.mail-out.ovh.net (Postfix) with ESMTPS id 1C81A26E7E for <pqc@ietf.org>; Fri, 5 May 2023 09:34:39 +0000 (UTC)
Received: from amongbytes.com (37.59.142.98) by mxplan8.mail.ovh.net (172.16.2.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2507.23; Fri, 5 May 2023 11:34:39 +0200
Authentication-Results: garm.ovh; auth=pass (GARM-98R00286173677-0184-4cfb-b335-b99541365b84, A3FA252F6FE48BAD078D848D120EEDD946AA89D3) smtp.auth=kris@amongbytes.com
X-OVh-ClientIp: 62.30.61.232
Content-Type: multipart/alternative; boundary="------------FDqCq0JYtyQW3zoLRGqzaVds"
Message-ID: <7432b25f-4856-dec8-cb45-d968f7b4840c@amongbytes.com>
Date: Fri, 05 May 2023 10:34:38 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.1
To: pqc@ietf.org
References: <075469F4-5DC7-4EFC-ADD2-0BC22BA35BE9@icann.org> <84757b5a49094a08839ef8106b29d36b@amazon.com> <CH0PR11MB57399E0D4B51F064CE1FDCB79F6D9@CH0PR11MB5739.namprd11.prod.outlook.com> <LO0P123MB404175D0F1F581D7A3540FD8D7729@LO0P123MB4041.GBRP123.PROD.OUTLOOK.COM>
From: Kris Kwiatkowski <kris@amongbytes.com>
In-Reply-To: <LO0P123MB404175D0F1F581D7A3540FD8D7729@LO0P123MB4041.GBRP123.PROD.OUTLOOK.COM>
X-Ovh-Tracer-GUID: 5cb562c4-6004-45fa-9419-9546d7997569
X-Ovh-Tracer-Id: 14821064901742608151
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedvhedrfeefvddgudekucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucenucfjughrpegtkfffgggfuffvfhfhjgesrgdtreertdefjeenucfhrhhomhepmfhrihhsucfmfihirghtkhhofihskhhiuceokhhrihhssegrmhhonhhgsgihthgvshdrtghomheqnecuggftrfgrthhtvghrnhepvdejvdefueelhfeltdegudejleetjeekueetuddtffeuhfefvefffeefvdevheffnecukfhppedtrddtrddtrddtpdeivddrfedtrdeiuddrvdefvddpfeejrdehledrudegvddrleeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhpohhuthdphhgvlhhopehmgihplhgrnhekrdhmrghilhdrohhvhhdrnhgvthdpihhnvghtpedtrddtrddtrddtpdhmrghilhhfrhhomhepkhhrihhssegrmhhonhhgsgihthgvshdrtghomhdpnhgspghrtghpthhtohepuddprhgtphhtthhopehpqhgtsehivghtfhdrohhrghdpoffvtefjohhsthepmhhoheejle
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/_LUk5UrS5-FVPJ4MOjf69kXeqtM>
Subject: Re: [Pqc] Listing pointers to not-yet-standardized PQC algorithms
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2023 09:34:47 -0000

Hi,

1. yes. As much as all information can be found in pqc-forum and it is fun to 
follow (for some definition of "fun"), I wouldn't expect protocol developers 
to be up to date. I.e. things like recent modification in Kyber enacps/decaps 
(FO transform), fact that KAT vectors for most recent Dilithium (3.1) are not 
available at NIST pages, that -90s version of Kyber/Dilihtium were never ment 
to be standardized or fact that Falcon has 3 different signature encodings - 
may be not obvious to protocol designers.

2. I vote no.
I can think of one exception - Kyber with 12-round keccak is not going to be a 
NIST standardized, but still may sound interesting for TLS and (maybe), so to 
mention it somewhere makes sense. But in general, I agree with Mike, it sounds 
like never-ending task.

Kind regards,
Kris

On 05/05/2023 09:10, Florence D wrote:
> Hi,
>
> I vote yes to 1. (pointing towards NIST standards and standards in development) and no to 2. (pointing towards other algorithms).
>
> 1. While I agree with Panos that cryptographers are tracking NIST, part of the justification for doing the "PQ for engineers" work in this group is that we don't expect all engineers designing security protocols to be following NIST closely.  I think including a brief description of the current state of play for NIST algorithms (e.g. in the process of being standardised, still being assessed etc.) would be useful, as well as pointers to the latest versions.  The pointers could be to other IETF/IRTF drafts where they exist.  I think this should be short, but something would be better than nothing.
>
> 2. I think we should focus on the NIST algorithms. These have been selected due to their security and usability and these are the features that IETF should be looking for when incorporating algorithms into our protocols.  If we start pointing to other algorithms then this group would need to start weighing up their security and relative merits outside of NIST's process, which is not in our remit.
>
> Also, at Real World PQC Dustin Moody suggested that NIST would be standardising one of BIKE or HQC, but not both.  That might have changed, but we should check before writing anything.
>
> Flo
>
> Florence D
> UK National Cyber Security Centre
>
> -----Original Message-----
> From: Pqc<pqc-bounces@ietf.org>  On Behalf Of Mike Ounsworth
> Sent: 04 May 2023 19:12
> To: Kampanakis, Panos<kpanos=40amazon.com@dmarc.ietf.org>; Paul Hoffman<paul.hoffman@icann.org>;pqc@ietf.org
> Subject: Re: [Pqc] Listing pointers to not-yet-standardized PQC algorithms
>
> I vote no also.
>
> I see this list / github page as an index of *IETF* PQC work. Trying to document the PQC work in general beyond the IETF seems it is both not the IETF's responsibility, as well as a never-ending task.
>
> ---
> Mike Ounsworth
>
> -----Original Message-----
> From: Pqc<pqc-bounces@ietf.org>  On Behalf Of Kampanakis, Panos
> Sent: Wednesday, May 3, 2023 8:58 PM
> To: Paul Hoffman<paul.hoffman@icann.org>;pqc@ietf.org
> Subject: [EXTERNAL] Re: [Pqc] Listing pointers to not-yet-standardized PQC algorithms
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
>
> ______________________________________________________________________
> I would vote no to both.
>
> 1. Crypto developers are following NIST's work and there are plenty of resources that explain what these algorithms are. I don't see a benefit in encyclopedically documenting something that have been documented many times before.
>
> 2. Frodo is in the LWE family. It is not RLWE or MLWE, so as a primitive it has less structure and could be assumed to be more conservatively secure, but it is in the lattice family like Kyber. The Frodo public key and ciphertext are pretty big. NIST's schemes offer better size-performance balance and math primitive family diversity. IETF should only go with primitives that make sense for use in its WGs. I am not sure I would pick Frodo over Kyber or BIKE in any use-cases. Personally, I expect and hope that European regulatory bodies will endorse NIST's primitives in the long run as well.
>
>
>
> -----Original Message-----
> From: Pqc<pqc-bounces@ietf.org>  On Behalf Of Paul Hoffman
> Sent: Wednesday, May 3, 2023 6:57 PM
> To:pqc@ietf.org
> Subject: [EXTERNAL] [Pqc] Listing pointers to not-yet-standardized PQC algorithms
>
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
>
>
>
> Greetings again. The grand list of pointers at<https://urldefense.com/v3/__https://github.com/ietf-wg-pquip/state-of-protocols-and-pqc__;!!FJ-Y8qCqXTj2!ZIRdEHgW2t4iPCMG1WwqGfi7XfFSSJA-XHtPiDAvekvmrUjKPca5jNo7729Pg7MdVdjIAsnpOsrJV60gByKQ6FAyyqPXQlbvY916$ 
> >  primarily lists Internet Drafts and RFCs.
>
> We know that the protocols themselves are being developed elsewhere, primarily (but not exclusively) at NIST. NIST has said that it will publish standards for CRYSTALS-Kyber, CRYSTALs-Dilithium, Falcon, and SPHINX+ next year, and has more informally said that it will publish standards for other KEM finalists (Classic McEliece, BIKE, and HQC). Should this WG help let IETF developers know about these algorithms and their status at NIST; if so, how?
>
> Those of us following the European PQC world know that there is still a lot of interest in some non-NIST algorithms, particularly FrodoKEM. FrodoKEM is being standardized in ISO. Should this WG let IETF developers know about these algorithms? If so, how do we bound this list to prevent us from promoting MyMostlyUnreviewedKEM without enough context?
>
> --Paul Hoffman
>
> --
> Pqc mailing list
> Pqc@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/pqc__;!!FJ-Y8qCqXTj2!ZIRdEHgW2t4iPCMG1WwqGfi7XfFSSJA-XHtPiDAvekvmrUjKPca5jNo7729Pg7MdVdjIAsnpOsrJV60gByKQ6FAyyqPXQj4jUzt_$
>
> --
> Pqc mailing list
> Pqc@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/pqc__;!!FJ-Y8qCqXTj2!ZIRdEHgW2t4iPCMG1WwqGfi7XfFSSJA-XHtPiDAvekvmrUjKPca5jNo7729Pg7MdVdjIAsnpOsrJV60gByKQ6FAyyqPXQj4jUzt_$
> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
>
> --
> Pqc mailing list
> Pqc@ietf.org
> https://www.ietf.org/mailman/listinfo/pqc
>

v2.23.0 | Report a Bug | By Email