Re: [saag] SSH & Ntruprime
"D. J. Bernstein" <djb@cr.yp.to> Fri, 05 April 2024 16:28 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3B34C14F615 for <saag@ietfa.amsl.com>; Fri, 5 Apr 2024 09:28:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.196
X-Spam-Level:
X-Spam-Status: No, score=-4.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ETqr_J5FX3QU for <saag@ietfa.amsl.com>; Fri, 5 Apr 2024 09:28:33 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 969E2C1519AD for <saag@ietf.org>; Fri, 5 Apr 2024 09:28:33 -0700 (PDT)
Received: (qmail 2908 invoked by uid 1010); 5 Apr 2024 16:28:32 -0000
Received: from unknown (unknown) by unknown with QMTP; 5 Apr 2024 16:28:32 -0000
Received: (qmail 1801421 invoked by uid 1000); 5 Apr 2024 16:28:21 -0000
Date: Fri, 05 Apr 2024 16:28:21 -0000
Message-ID: <20240405162821.1801419.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: saag@ietf.org
Mail-Followup-To: saag@ietf.org
In-Reply-To: <05D73B77-ECFB-43E9-A2A8-00D46F63FC32@aiven.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/b2EYReik4ziPXhSC7kw-ajQzc8w>
Subject: Re: [saag] SSH & Ntruprime
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2024 16:28:37 -0000
I'm a member of the NTRU Prime team (and the Classic McEliece team and
the SPHINCS+ team) but am speaking for myself in this message.
The elephant in the room is the patent minefield surrounding Kyber. NIST
says it has bought Kyber licenses for the two oldest patent families, but
* those licenses are only for exactly what NIST ends up standardizing
(supposedly the standards will appear this year), so IETF doesn't
have change control---for example, if security continues to degrade
(as I expect it will), then presumably IETF will consider modifying
Kyber to provide security levels beyond Kyber-1024, but this would
go beyond what's allowed by the licenses; and
* there are other patents in the area, including at least one patent
holder publicly claiming Kyber coverage, with no public response
from NIST or from the Kyber team.
To quickly see the change-control problem, look at the last paragraph of
the text posted by NIST here:
https://web.archive.org/web/20221130033932/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf
I should note that NIST hasn't posted the full signed licenses---it
labeled this text as edited excerpts from the licenses---so the actual
licenses might say something different. Seeing this possibility raises
even more questions and falls far short of ensuring change control.
To see another patent holder claiming Kyber coverage, look at
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/F63mixuWBAA
saying "Kyber is covered by our patents". The author of that message
holds patents CN107566121 etc., filed before Kyber was published.
There is ample evidence that the patent minefield has been to some
extent delaying and to some extent deterring deployment of Kyber (which,
obviously, means delaying and deterring post-quantum deployment _if_
people don't use other post-quantum systems). For example: NIST's
deadline for round-3 input was October 2021, but NIST did not announce
its Kyber selection until July 2022. NIST said in
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/fvnhyQ25jUg/m/izNIg5BABwAJ
that "the delay is not due to technical considerations". NIST's July
2022 report
https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf
said that "Issues relating to patents were a factor in NIST's decision
during the third round as NIST became aware of various third-party
patents. As noted in Section 2.2.3, NIST negotiated with several third
parties to enter into various agreements to overcome potential adoption
challenges posed by third-party patents" and said that "If the
agreements are not executed by the end of 2022, NIST may consider
selecting NTRU instead of KYBER". NIST's announcement in November 2022
that it had signed some licenses for Kyber didn't settle the issue, as
illustrated by
https://datatracker.ietf.org/meeting/116/materials/slides-116-pquip-patents-and-pqc-00
in March 2023 stating the following: "Some people have said in private
that they are very worried about the patents and may not be able to
implement CRYSTALS-KYBER". Some large companies have announced Kyber
applications since then, but smaller companies can be put out of
business by patent lawsuits.
IETF's IPR policy (https://datatracker.ietf.org/doc/rfc8179/) includes
the following two statements:
In general, IETF working groups prefer technologies with no known IPR
claims or, for technologies with claims against them, an offer of
royalty-free licensing. ... An IETF consensus has developed that no
mandatory-to-implement security technology can be specified in an
IETF specification unless it has no known IPR claims against it or a
royalty-free license is available to implementers of the
specification.
Working groups can make exceptions to the first statement "if they feel
that this technology is superior enough to alternatives with fewer IPR
claims or free licensing to outweigh the potential cost of the
licenses", and can make exceptions to the second statement if there is a
"very good reason to do so and if that reason is documented and agreed
to through IETF consensus". If these exceptions are applicable, and if
the change-control requirement can somehow be met, then it might be
possible for IETF to go ahead with Kyber without violating IETF's IPR
policy. But unpatented alternatives are playing a big role in real-world
efforts to protect user data against future quantum computers, and
should play a similarly major role in IETF's post-quantum activities.
Paul Wouters writes, regarding sntrup:
> It's not broken but the IETF Crypto Panel also said the cryptographic
> method used was somewhat dated and would no longer be recommended by
> the larger cryptographic community at this point.
Hmmm. No citation is provided here, and readers are forced to wonder
whether this could possibly be an accurate summary of a review from the
Crypto Review Panel:
* Whatever exactly this claim about the "community" is supposed to
be referring to (let me guess: NIST and other Kyber supporters who,
in fact, never recommended sntrup in the first place?), attributing
this (fictional) evolution of positions to the "community" clearly
isn't consistent with the word "objective" in the panel charter.
* Similarly, whatever exactly the claim about "dated" is supposed to
be referring to, why is this being described with the negative word
"dated" rather than, say, "having been studied for longer" or "more
stable" or "less likely to be covered by patents"? This again isn't
consistent with the word "objective" in the panel charter.
Content-wise, these "dated" and "community" claims appear to be
insinuating that sntrup has held up worse from a security perspective
than other lattice KEMs. That's simply not true. The actual situation is
as follows:
* Attack advances have degraded security levels for all lattice
KEMs---including sntrup, definitely, but also including Kyber.
* sntrup offers parameters with larger security margins than Kyber
does, and has consistently refused to provide anything as small as
Kyber-512.
* Kyber has repeatedly had security patches---I'm not just talking
about https://kyberslash.cr.yp.to, but about non-interoperable
design changes in response to flaws identified in Kyber's earlier
security analyses---while sntrup has never needed any.
* Some security claims for specific proposals of lattice KEMs have
been broken outright by attacks that were already proactively
blocked by clear sntrup design features.
References: https://ntruprime.cr.yp.to/latticerisks-20211031.pdf;
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/o2roJXAlsUk/m/EHW9h87kAAAJ;
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/YsGkKEJTt5c/m/V0eivEroAAAJ;
https://cr.yp.to/papers.html#lprrr; https://cr.yp.to/papers.html#hila5;
https://eprint.iacr.org/2020/241.
What did the Crypto Review Panel actually say about sntrup? A search
finds
https://mailarchive.ietf.org/arch/msg/crypto-panel/kDiLLcVOhwoix5BUDdv4r91ZhfY/
whose comments about sntrup (1) are purely political and (2) fail to say
anything about patents. Here are the comments:
It is true that sntrup was a rather popular candidate during the
first years of the NIST Post-Quantum Cryptography (PQC)
standardization process. However, the situation is much different
since the NIST report on round-3 candidates [NISTR3]. sntrup was not
selected for standardization, nor as a part of round-4 candidates for
possible late standardization. Knowing that an official FIPS
post-quantum KEM standard (ML-KEM) will be soon released, it is not
clear why the authors are focusing on sntrup and this should be then
motivated.
In context, the "rather popular" claim here seems to be referring to the
wide deployment already mentioned in the draft, but then how exactly did
NIST's round-3 report (selecting Kyber and de-selecting all other
lattice systems) supposedly change the situation? Is there any actual
content to the above "review" of sntrup beyond delegating IETF/IRTF
cryptographic decisions to NIST?
Maybe I've missed some other Crypto Review Panel text on topic, but this
doesn't appear to be "critical, objective, timely and consistent review
of cryptographic algorithms". The failure to consider patents is a clear
error and seems impossible to reconcile with IETF's IPR policy. It's not
as if the patent situation is some sort of secret.
Procedurally, I'm not sure what the right way forward is here. Maybe the
Crypto Review Panel should be asked to scrap this "review" and evaluate
the patent situation. Of course, IETF and IRTF can't make decisions on
patent validity, but IETF and IRTF _can_ observe that there are enough
patent questions around Kyber to justify standardizing other options.
---D. J. Bernstein
- [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime Harry Halpin
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Jan-Frederik Rieckers
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Melinda Shore
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime S Moonesamy
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Ira McDonald
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime Christian Huitema
- Re: [saag] SSH & Ntruprime Russ Housley
- Re: [saag] SSH & Ntruprime Orie Steele
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime Loganaden Velvindron
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Michael Richardson
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime Mark Baushke (ietf)
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eliot Lear
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime S Moonesamy
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime Watson Ladd
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Simon Josefsson
- Re: [saag] SSH & Ntruprime StJohns, Michael
- Re: [saag] SSH & Ntruprime Watson Ladd
- Re: [saag] SSH & Ntruprime Stephen Farrell
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime Watson Ladd
- Re: [saag] SSH & Ntruprime Michael StJohns
- Re: [saag] SSH & Ntruprime S Moonesamy
- Re: [saag] SSH & Ntruprime Eric Rescorla
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Salz, Rich
- Re: [saag] SSH & Ntruprime Paul Wouters
- Re: [saag] SSH & Ntruprime D. J. Bernstein
- Re: [saag] SSH & Ntruprime Deb Cooley
- Re: [saag] SSH & Ntruprime Christian Huitema
- Re: [saag] SSH & Ntruprime Simon Josefsson