Re: [Pqc] Mapping the state of PQC and IETF - ssh
"D. J. Bernstein" <djb@cr.yp.to> Thu, 02 March 2023 08:32 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8D1EC14CE51 for <pqc@ietfa.amsl.com>; Thu, 2 Mar 2023 00:32:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rD3j7DqeRgsh for <pqc@ietfa.amsl.com>; Thu, 2 Mar 2023 00:32:29 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 5376CC14CE55 for <pqc@ietf.org>; Thu, 2 Mar 2023 00:32:29 -0800 (PST)
Received: (qmail 12072 invoked by uid 1010); 2 Mar 2023 08:32:27 -0000
Received: from unknown (unknown) by unknown with QMTP; 2 Mar 2023 08:32:27 -0000
Received: (qmail 1037231 invoked by uid 1000); 2 Mar 2023 08:32:03 -0000
Date: Thu, 02 Mar 2023 08:32:03 -0000
Message-ID: <20230302083203.1037229.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: pqc@ietf.org
Mail-Followup-To: pqc@ietf.org
In-Reply-To: <28c503bff662497381ac87063106ce96@amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/q1CJ9QrMphApxkv1L0Th3PSjiTA>
Subject: Re: [Pqc] Mapping the state of PQC and IETF - ssh
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2023 08:32:33 -0000
Kampanakis, Panos writes: > OpenSSH supports X25519+SNTRU for some time now. SNTRU is a > quantum-safe algorithm that got eliminated earlier in the NIST PQ > process. The timeline was actually as follows: * 2022.02: OpenSSH 8.9 enabled sntrup761x25519-sha512@openssh.com on the server by default (after experimental support before that). https://www.openssh.com/txt/release-8.9 * 2022.04: OpenSSH 9.0 enabled sntrup761x25519-sha512@openssh.com as the default choice by the client. https://www.openssh.com/txt/release-9.0 * 2022.07: NIST announced selection of Kyber as its only lattice KEM, and its only KEM option for the moment. (NIST announced that it would continue to consider BIKE, Classic McEliece, HQC, and SIKE in the next round; SIKE was then broken.) This is when NIST eliminated NTRU (e.g., ntruhrss701) and NTRU Prime (e.g., sntrup761). * 2022.11: Google announced deployment of ntruhrss701+X25519 for all of its internal communication. https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms The available evidence (see https://nist.pqcrypto.org/foia/index.html) suggests that NIST actually selected Kyber in 2021.12, but then delayed the announcement for several months trying to deal with patents. I'm saying "trying" here because the patent situation is still a mess: * NIST's patent buyouts don't activate until after NIST issues its Kyber standard (currently predicted to be 2024---probably there will be a draft standard early summer 2023); * NIST's buyouts are only for _exactly the version of Kyber in that standard_ (patching security problems would require new buyouts); and * NIST doesn't appear to have analyzed whether Kyber is safe from the other five patent families that were already identified on GAM/LPR systems. (See https://ntruprime.cr.yp.to/faq.html.) NIST's 2022.07 report said that NIST could still select NTRU as the patent-free option if something went wrong with patents. NIST retracted this after the buyout agreements were signed. (This could be undertsood as saying the other patent families aren't an issue, but by default I'd chalk this up to NIST not realizing how courts stretch patents.) NIST could instead have issued a 2021 announcement encouraging immediate deployment of NTRU. NIST's report said that "the overall performance of any of these KEMs would be acceptable for general-use applications" and that NIST finds Kyber's security "marginally" more convincing than NTRU's security. "Marginally" is an awfully thin rationale for diving into a patent minefield and delaying post-quantum deployment until 2024. It's important to remember that attackers systematically collect user data and keep it in the hopes of decrypting it later: https://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/ Delaying post-quantum deployment means security damage. > There was nothing wrong with it, it just didn't move forward, > so there will be no final spec for it. NTRU Prime already has a complete specification and a Sage reference implementation (see https://ntruprime.cr.yp.to) along with the deployed software. Every detail of the internal PKE stabilized five years ago, and every remaining KEM detail stabilized four years ago. Obviously _NIST_ isn't about to issue an NTRU Prime specification, but IETF and IRTF aren't bound by what NIST does. When NIST's standards aren't in line with IETF priorities, IETF sets its own standards, as illustrated by the usage of Curve25519 in IETF standards for several years (starting with an IRTF informational spec, preceded by a detailed CFRG investigation of options) before NIST finally managed to issue a Curve25519 standard in 2023. For post-quantum cryptography, there's a security problem _right now_, and IETF should endorse taking action _right now_ in response. Given the patent situation, this isn't compatible with following NIST. > Also, OpenSSH currently does not support ECDH+PQ for "quantum-safe > FIPS" compliance. I'm not sure exactly which distinction you're drawing here, but I'd suggest that the top priority should be protecting users, even if this is negatively correlated with FIPS compliance. > Although it is a great that OpenSSH was an early adopter, in the long > run it makes sense to standardize on a consensus-based, peer-reviewed > spec The Kyber and NTRU Prime specs have both undergone peer review. This is more meaningful for NTRU Prime than for Kyber, for two basic reasons: (1) Kyber has a larger attack surface; (2) the Kyber design is a moving target, for example with discoveries of flaws in the security analysis leading to cryptosystem modifications 4 years ago and 2.5 years ago. As for "consensus-based", the process of reaching consensus in IETF starts with IETF investigation of the merits of the options at hand. Seeing deployment of various options can provide indirect information but shouldn't substitute for an IETF investigation. > instead of complying with the choices one widely-used > implementation made. OpenSSH's deployment of post-quantum cryptography began with TinySSH from Jan Mojzis. Two implementations of a protocol are sufficient for IETF standardization. There's security value in focusing cryptographic review on a limited number of options, but, given the GAM/LPR patent minefield, IETF and IRTF shouldn't restrict attention purely to GAM/LPR cryptosystems such as Kyber. > Currently SSH is an orphan protocol; there is no IETF WG to work on it > and PQUIP will not do any standardizations. I would like to see the X25519+PQ hybrids specified centrally so that they don't require protocol-specific work. ---D. J. Bernstein
- [Pqc] Mapping the state of PQC and IETF Sofía Celi
- Re: [Pqc] [Ext] Mapping the state of PQC and IETF Paul Hoffman
- Re: [Pqc] [Ext] Mapping the state of PQC and IETF Alexandre Petrescu
- Re: [Pqc] [Ext] Mapping the state of PQC and IETF Behcet Sarikaya
- Re: [Pqc] Mapping the state of PQC and IETF Rebecca Guthrie
- Re: [Pqc] [Ext] Mapping the state of PQC and IETF Paul Hoffman
- Re: [Pqc] Mapping the state of PQC and IETF John Gray
- Re: [Pqc] [EXTERNAL] Mapping the state of PQC and… Mike Ounsworth
- Re: [Pqc] [EXTERNAL] Mapping the state of PQC and… Mike Ounsworth
- Re: [Pqc] [Ext] [EXTERNAL] Mapping the state of P… Paul Hoffman
- Re: [Pqc] [EXTERNAL] Mapping the state of PQC and… Hannes Tschofenig
- Re: [Pqc] Mapping the state of PQC and IETF Kampanakis, Panos
- Re: [Pqc] Mapping the state of PQC and IETF Hannes Tschofenig
- Re: [Pqc] [EXTERNAL] Mapping the state of PQC and… Alexandre Petrescu
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Kampanakis, Panos
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Bas Westerbaan
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Kampanakis, Panos
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Behcet Sarikaya
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Bas Westerbaan
- Re: [Pqc] Mapping the state of PQC and IETF Sofía Celi
- Re: [Pqc] [Ext] [EXTERNAL] Mapping the state of P… Sofía Celi
- Re: [Pqc] Mapping the state of PQC and IETF Sofía Celi
- Re: [Pqc] [Ext] [EXTERNAL] Mapping the state of P… Mike Ounsworth
- Re: [Pqc] Mapping the state of PQC and IETF - ssh D. J. Bernstein
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Eric Rescorla
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Alexandre Petrescu
- Re: [Pqc] Mapping the state of PQC and IETF - ssh D. J. Bernstein
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Alexandre Petrescu
- Re: [Pqc] Mapping the state of PQC and IETF - ssh D. J. Bernstein
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Blumenthal, Uri - 0553 - MITLL
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Alexandre Petrescu
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Thom Wiggers
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Alexandre Petrescu
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Thom Wiggers
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Behcet Sarikaya
- Re: [Pqc] Mapping the state of PQC and IETF - ssh Alexandre Petrescu