IETF Logo Mail Archive

Re: [Pqc] I-D Action: draft-ietf-pquip-pqc-engineers-01.txt

Ben S3 <ben.s3@ncsc.gov.uk> Fri, 13 October 2023 12:13 UTC

Return-Path: <ben.s3@ncsc.gov.uk>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2217AC151061 for <pqc@ietfa.amsl.com>; Fri, 13 Oct 2023 05:13:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.107
X-Spam-Level:
X-Spam-Status: No, score=-8.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xqrOsu9sMaDc for <pqc@ietfa.amsl.com>; Fri, 13 Oct 2023 05:13:04 -0700 (PDT)
Received: from GBR01-LO4-obe.outbound.protection.outlook.com (mail-lo4gbr01on2133.outbound.protection.outlook.com [40.107.122.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 238AAC14CE42 for <pqc@ietf.org>; Fri, 13 Oct 2023 05:13:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Oqwz8XIvNPi+1k28bTmH2aTaTBIpmeZYoRtKBIOqWqciRSZt8R6dLaHaEah3EAkpBRMSojVB46X9voLzsLYEwoFdtFjMRwM70xn6CmKqBsH3J7IpH4GV/OSKm71ykhXGJmTlnpYBQAWEZgWv05r67wvH31/WyUfR7+fbUf3FkdRebLSEnYqR6IKqYqpo/VGlkuQ/jmNWlaXxfWu9y5MaviTaHRBpD88DJLYgab/Xr1ff4gz18KU3gKNu00ZtGN30Xp3Hac7oRJzkAbelAB1hDC+nlayBaHSj43kPM26VglFVreuX+mc5+eTuyCwkTY/J5iMVRzwISvwm70lhgzDGvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=UJ53nj2+wyYra3OvhygvY+h+RyIJZN2LRf1x2CmR+18=; b=PLcecJpjk/mwtpQ72o/B1Gxsd3DFHlkl4BQikKocNSATNjZdHYLi6aX9M8XTbFOmJguyZxaWCse+lLNnnrQ2mXZ3xHHEuk7Uar0At17uQa6y9a/YWB1V3IUfPnLCg1eFZsebMPr1jDs+3Ahi7CX2D54kgzHl7nqunl54WaWu4AzWFRdPi9ECJm2ANG/edqZY+w9eEkArrIyQNxCG6nR9ABi5gUtdrDADCaNXdPI8photj7KIqiU7vPkItYd1igq4LYuyvPD+6eVhrJKED1k5bT43+Ez00c2kdJ6Q/BKljN8BUPMMEN8jpbIITMAgpFUQlGe9bIvOehiA1xlHjKPaaA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ncsc.gov.uk; dmarc=pass action=none header.from=ncsc.gov.uk; dkim=pass header.d=ncsc.gov.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UJ53nj2+wyYra3OvhygvY+h+RyIJZN2LRf1x2CmR+18=; b=oVOI+GYO/IDnUwNHaI7T0YRiWznHD00WlnvFCZAlhd6EQQoBnj3F9TvSH4AwfiM+JvwUbKn2GV1N2OBbOczMERiFVjq+Dudz+PY/4m1LPXoc5D5Ml+Uk+wwoCEGP0Vrgc7m8Jgk2rgvZMpaLDlrBJ2p7DXPa5EyiHm+rPzXNrfOdkqv193lgJyxdQeRlo0AjOnNpHLWSChto4F8gVC4CklANqasqDk+/fwrw+ac8NlTzEZXJg5Sz4osAJ9hcBYm3dfE9IWX+3Pwgmpc3pA4AiLrGxYTdWlvBqhoU3/P08+nuqr7oYzNnjpl8A1hFsSOaVScndSyiP1pWMGsymNm/uQ==
Received: from LNXP123MB3771.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:132::13) by CWXP123MB3158.GBRP123.PROD.OUTLOOK.COM (2603:10a6:400:43::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6863.46; Fri, 13 Oct 2023 12:12:51 +0000
Received: from LNXP123MB3771.GBRP123.PROD.OUTLOOK.COM ([fe80::8c16:7ce6:2fe1:1f9c]) by LNXP123MB3771.GBRP123.PROD.OUTLOOK.COM ([fe80::8c16:7ce6:2fe1:1f9c%6]) with mapi id 15.20.6863.046; Fri, 13 Oct 2023 12:12:51 +0000
From: Ben S3 <ben.s3@ncsc.gov.uk>
To: tirumal reddy <kondtir@gmail.com>, "pqc@ietf.org" <pqc@ietf.org>
Thread-Topic: [Pqc] I-D Action: draft-ietf-pquip-pqc-engineers-01.txt
Thread-Index: AQLKzqshl8pBwqdJ61sFSQSmEXmkoQHay7smrlcDhMA=
Date: Fri, 13 Oct 2023 12:12:51 +0000
Message-ID: <LNXP123MB377102D300139BEE0AF513B380D2A@LNXP123MB3771.GBRP123.PROD.OUTLOOK.COM>
References: <169700876293.57625.6300708311858983399@ietfa.amsl.com> <CAFpG3geMR6UUf91XDfZZ7yte-QYf-OjTNBsj==egBKkCYGkj9A@mail.gmail.com>
In-Reply-To: <CAFpG3geMR6UUf91XDfZZ7yte-QYf-OjTNBsj==egBKkCYGkj9A@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ncsc.gov.uk;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LNXP123MB3771:EE_|CWXP123MB3158:EE_
x-ms-office365-filtering-correlation-id: cd8db04c-fdd7-4fba-5d4a-08dbcbe5b91f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: gtt0PaCCMyb+CovxB2nzsE9nzwas4vTJkXvpq/JxPuz8w+QulldgwK0Hwa5I9oyiQrAoFH/4fl+yD9BZGPWuKZ2vontARodk1ErHRg5z+l5MUQArJjutbXrp3+D1DGT2GAkGlTr240dJH5KzbyWwXA/zUTuv/FkR6+5SvZlZ9iX2zyqozq4nzNlnh8qy2w9XAU9yU+O1IyquU1IlBpukbiH+vBbwTz1j+LpoKTdb1KaaP+S1cvq+E2HHLojItyfFB5ec718Kw4OJ53u5JGKm8pJP463ViQb7uzFO5Y3f6GIT0G5CZmCuHRa8xQduKc8kaJI9K5SBBvEhzI+hRnAplYaZC0iNisPbf2EnpAhgeEvTfKXvOVTDdrFBdheHcXoT/hEwUQR6mKpOZrx+Qns5hA24Vm8t3UvAqWSXa4H1Ht78WcCzzC2HrCKhLJkBofYhAIW8g3wMAdeHeOZwTlplHclx2cBR0HBVIuvY7pzA6oRuJcvpCflsjKsla/5Sq+KX2gzAvuiMLnp1gkkJDgmb/JEA147gdk5kVWwfYE/XHx47VfKUzFyUUOntVsd/JCfR3Z8KxkfeuxZ83x4MlmJsoo+QxfoQLJxeknlVQJ1oDek=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:LNXP123MB3771.GBRP123.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(136003)(366004)(39860400002)(396003)(346002)(376002)(230922051799003)(451199024)(1800799009)(64100799003)(186009)(55016003)(66899024)(9686003)(53546011)(6506007)(71200400001)(7696005)(966005)(478600001)(33656002)(166002)(86362001)(82960400001)(38070700005)(122000001)(38100700002)(4001150100001)(2906002)(83380400001)(316002)(66574015)(26005)(66476007)(66446008)(66946007)(66556008)(5660300002)(76116006)(41300700001)(110136005)(64756008)(8936002)(8676002)(52536014)(21615005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: k12oA/4wdZyQ6DxDcnqEJy418gOH5eamWD77Cofwgy6n9ggbrtQYARRxKUY4c+bm7eBozYdYg0/XhB1TVGujJ/j4x5F2OEaDFVmPV79ZJJEPx4FuSG7WHLXtNu6CVmMvE969V0vuI54cD3UAoEGV4wxEM7C0WX70+KvjPKQ3IFSFfSRoX++zLci/CG/CzMSaSjN2UXDK1qF259L9P+qZZWpzihgWXRERTuKcbwrhZqJJI3JUT0r3cBk/IykTR0k/PvaqHEujYcQOpJxhe/0dl9cq1ubq0CcSBYOVFRY/EiiU/4ZMLoZ96VKeLoFp4SFRFpj8X/OiTfeZI8Lmu8tJdWc/VmhEDP5RaF28PzO4hm6XlxMIBI0flGeEGyw4RaYb9YuWYpylOU3d37CPu9fHTHNb+lja29kFiUAuISOcCahJh9JwN2XF00Ogv5SV7D4HcBXAO7fIqp5LgiYsowCNaUhVujB4IlkPyPiVKRbEvrL70Er88tWkkGoPAgmMWf/7w96x+pvxcJoGO1hQSgM4P0L2RPhjPDb+qf3zq3bBn32YbtrhaVbSM5yO4QejhoBNfnW+OtKcV49fSddAbRSt9YkfjapAQMNaBReLJEgikYZyISdIDqcyRcwHM3rufzZ9k/naGAypz93LiQQUFyHJIScniKY5SspPWS1w3xpm72k3vkW5kRJablLq6x3Wwok/KjYwomozcsJHCMeVT18XAdVcD3ddB0/cF9PWeYYBn6Yk6AXoTeXQxmEGNTECkP7nWYrCvmd7AA3I0D6m/fNhPnR3merOw+xE/C2BRyvBvoHa3jaKxPKHEgjmfoi6bKRvCjwPdj4ENFcN4XuOz5fzq5CDcqprTYy6fRTp9Lh37F7XUCxI99+Xnhha8dPbnkFzasW5L9U9F4xrvveMfdT3f3PTPBicoOrSYPH6Amdmmczb+vhKN7IN/BgyNEoYtwRj/kvohPaK2PsbOUX4+RTIjtpGgnHAFtuveBAhRbtK9KzfKJRJntLM/+/g+ssi9ZEDteezZvrNraFpZ0MMrLFv/iYV9J7ylmrymcTa0cujPWI8LiR2FbkPOAxs2dO29KpbPXp8zhI5MbrpmXnyvaaA52Imy5Sy2Rx5ByJfs5KqNAyp3e4pyiIgmm/eCarALY2V1zovqamCgEjW8VVNGrCsKYZOtlTk5Hbu4c1Fec8dVCCyAYx2QaybK8MHLfjFLaLJNcuERuXueZZsqHeR83f1McyA6KdFQu2Z4pdfv1e206ZkQAvZryS1SJytq8omMqFYNZF3d6tDJwijkNgp7HN7qSIztbh5619K8Ev4sw3kNiR0GOxv5j+kElLMdqUs1AxK1YImdZVcckYcN8dD6AEDKEFF0cj1P1OUoTDdcLSm54yz8wFF26QSGLjUJWXG5S9QBe5xqBL5RYMJmeEPOqXDerb95xtWVrUpANetM26rw+Cvm4zq+X5ZZX3B9YjRWvvs4vR1rC6vXCy+/wdemN4LmqOnkkP4tmyIvilVBpX43qUqRQELewt2QtgcmUoFixVVZMAKBbcwS+u65fRPbto1+x82Lg8aAnW6wds15iT54NK35Z7pbB6Om6uyJTaqFPTY
Content-Type: multipart/alternative; boundary="_000_LNXP123MB377102D300139BEE0AF513B380D2ALNXP123MB3771GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LNXP123MB3771.GBRP123.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: cd8db04c-fdd7-4fba-5d4a-08dbcbe5b91f
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Oct 2023 12:12:51.6483 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nasA1e1WCqlIF45v6KIB4XCtyPEDL0mcPdSXCy2bkuEkLefFlBbbUDImu9NOhIzcdIHFP3AVGLivTI1r8aRKlA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CWXP123MB3158
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/a1zmLLD1VRjJeM0sRhP7x8k2-84>
Subject: Re: [Pqc] I-D Action: draft-ietf-pquip-pqc-engineers-01.txt
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 12:13:09 -0000

Hi Aritra, Tiru, et al.,

Thanks for producing this, as others have said it looks like it'll be a very useful document going forward. Some thoughts below:

[General thoughts]
I think it’s important to make sure the amount of detail included is appropriate for the intended audience. As I understand it, this is intended for people utilising crypt/protocol libraries like OpenSSL, who need to decide which new algorithms to use and when to use them, whereas it is _not_ designed for people writing low-level implementations of post-quantum algorithms. I think it's useful to stick to that and not include excessive information which could bloat the scope of the paper and potentially deter the prospective audience.


[Section 6]
> RSA [RSA] and ECC [RFC6090] can be used for both key encapsulation and signatures, while for post-quantum algorithms, a different algorithm is needed for each. When upgrading protocols, it is important to replace the existing use of classical algorithms with either a PQC key encapsulation method or a PQC signature method, depending on how RSA and/or ECC was previously being used.

I think the language could be tightened up here a bit. ECC isn’t really an algorithm per se, and we can use ECC for both key encapsulation and signatures in the same sense that we can use Module Learning with Errors for both key encapsulation and signatures.
This might make more sense being limited to RSA - perhaps something along the lines of the following:

“These algorithms are not a drop-in replacement for classical asymmetric cryptographic algorithms. For instance, RSA [RSA] can be used as both a key encapsulation method (KEM) and as a signature scheme, whereas there is currently no post-quantum algorithm that can perform both functions. When upgrading protocols, it is important to replace the existing use of classical algorithms with either a PQC KEM or a PQC signature method, depending on how the classical algorithm was previously being used. Additionally, KEMs, as described in Section 10, present a different API than either key agreement or key transport primitives. As a result, they may require protocol-level or application-level changes in order to be incorporated.”


[Section 7.2]
> For example, to provide some context, one would need 20 million noisy qubits to break RSA-2048 in 8 hours [RSA8HRS] or 4099 stable qubits to break it in 10 seconds [RSA10SC].

The reference for the "4099 stable qubits in 10 seconds" figure is a company's blog that doesn't provide any sources to back up that claim. If we want to quote those figures here, it would be good to use a more academic reference that shows their working. Additionally, the standard term in academia is “logical qubit” rather than “stable qubit”, so it might be worth considering changing the terminology.

However, I question whether providing the figures for logical qubits is helpful. Essentially every company creating quantum computers is publishing their sizes in terms of noisy qubits without specifying as such, and not publishing their error rates, and it is unclear how many noisy qubits will be required to build a logical qubit. An engineer might see "4099-qubit quantum computers will break RSA" and become unduly worried, especially with at least one company aiming for a 4000 qubit QC in 2025 (indeed, several journalists have already made this mistake).


[Section 10.3]
> IND-CCA2 [...] prevents the adversary from forging new ciphertexts.

In an IND-CCA2 scheme, given the public key one can always create new ciphertexts, so I’m not sure what’s meant by this.


[Section 11.3]
> Access to a robust floating-point stack in Falcon is essential for accurate, efficient, and secure execution of the mathematical computations involved in the scheme. […]
 
I think the entire paragraph containing this sentence isn’t necessary. I don't think it provides much useful information for the intended audience that isn’t included in the surrounding paragraphs (do we expect everyone using a crypto library to be thinking about the robustness of floating-point support on their architecture?).

> Providing a masked implementation of Falcon also seems impossible, per the authors at the RWPQC 2023 symposium.

This draft doesn't define what a masked implementation is, and I don't think I’d expect the average reader to know. I'd argue that this level of detail is only necessary for low-level crypt library authors, and hence not the primary audience of this paper. You could probably get away with a single sentence along the lines of "Implementors of Falcon will need to be aware that Falcon signing is highly susceptible to side-channel attacks unless constant-time 64-bit floating point operations are used, which is extremely platform-dependent."

> Generally, Dilithium is known for its relatively fast signature generation, while Falcon can provide more efficient signature verification. [...] For further clarity, please refer to the tables in sections Section 12 and Section 13.

Sections 12 and 13 do not provide any info on the runtime of these algorithms. Either that info should be given, or the signposting removed.


[Section 11.5]
I'm a little confused by the title of this section. What is "Sign-Then-Hash"? If this is just comparing using Hash-Then-Sign versus not using it, then maybe the section should just be titled "Hash-Then-Sign".


[Section 15.1]
> Another form of quantum cryptanalysis is 'quantum side-channel' attacks. In such attacks, a device under threat is directly connected to a quantum computer, which then injects entangled or superimposed data streams to exploit hardware that lacks protection against quantum side-channels.

I assert that quantum side-channel attacks are beyond the scope of what the reader needs to know about.

> Recent attacks on the side-channel implementations using deep learning-based power analysis have also shown that one needs to be cautious while implementing the required PQC algorithms in hardware.

Power analysis is probably also beyond the scope of this paper.


- Ben S


From: tirumal reddy <kondtir@gmail.com>
Sent: Wednesday, October 11, 2023 8:24 AM
To: pqc@ietf.org
Subject: Re: [Pqc] I-D Action: draft-ietf-pquip-pqc-engineers-01.txt

This revision https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-01.html, addresses most of the comments from WG.

-Tiru

On Wed, 11 Oct 2023 at 12:49, <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> wrote:
Internet-Draft draft-ietf-pquip-pqc-engineers-01.txt is now available. It is a
work item of the Post-Quantum Use In Protocols (PQUIP) WG of the IETF.

   Title:   Post-Quantum Cryptography for Engineers
   Authors: Aritra Banerjee
            Tirumaleswar Reddy
            Dimitrios Schoinianakis
            Timothy Hollebeek
   Name:    draft-ietf-pquip-pqc-engineers-01.txt
   Pages:   37
   Dates:   2023-10-11

Abstract:

   The presence of a Cryptographically Relevant Quantum Computer (CRQC)
   would render state-of-the-art, traditional public-key algorithms
   deployed today obsolete, since the assumptions about the
   intractability of the mathematical problems for these algorithms that
   offer confident levels of security today no longer apply in the
   presence of a CRQC.  This means there is a requirement to update
   protocols and infrastructure to use post-quantum algorithms, which
   are public-key algorithms designed to be secure against CRQCs as well
   as classical computers.  These new public-key algorithms behave
   similarly to previous public key algorithms, however the intractable
   mathematical problems have been carefully chosen so they are hard for
   CRQCs as well as classical computers.  This document explains why
   engineers need to be aware of and understand post-quantum
   cryptography.  It emphasizes the potential impact of CRQCs on current
   cryptographic systems and the need to transition to post-quantum
   algorithms to ensure long-term security.  The most important thing to
   understand is that this transition is not like previous transitions
   from DES to AES or from SHA-1 to SHA-2.  While drop-in replacement
   may be possible in some cases, others will require protocol re-design
   to accommodate significant differences in behavior between the new
   post-quantum algorithms and the classical algorithms that they are
   replacing.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-pquip-pqc-engineers/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-pquip-pqc-engineers-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


--
Pqc mailing list
Pqc@ietf.org<mailto:Pqc@ietf.org>
https://www.ietf.org/mailman/listinfo/pqc

v2.23.0 | Report a Bug | By Email