Re: [saag] sntrup761x25519-sha512

John Mattsson <john.mattsson@ericsson.com> Tue, 23 May 2023 13:57 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
CC: "saag@ietf.org" <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/dk47J0DQWqowLFYtcxkhOmneMfg>

+1 for SECDISPATCH
+1 for Kyber instead
+1 for IND-CCA (unless made specifically for a protocol only needing IND-CPA)

Regarding draft-kampanakis-curdle-ssh-pq-ke: Not sure that there is any reason to standardize P-256, P-384, P-521 anymore when X25519 and X448 are NIST approved and CNSA 2.0 removed P-384. Also, I think the use of SHA-2 makes no sense as Kyber uses SHA-3 internally. Why require a second hash function?

My view is that the only combinations worth doing IETF standards track for are final standardized Kyber with X25519 or X448 and SHAKE.

NTRU and NTRU Prime are not good backup algorithms to Kyber as they also use structured lattices. If IETF wants backup algorithms, then "FrodoKEM" and "Classic McEliece" recommended by many European countries are more conservative choices. Unfortunately, they are currently being standardized in paywalled ISO, which I think makes them unacceptable for use.



(For signatures SPHINCS+ is a very conservative alternative to Dilithium and Falcon)

Cheers,
John

From: saag <saag-bounces@ietf.org> on behalf of Eric Rescorla <ekr@rtfm.com>
Date: Tuesday, 23 May 2023 at 15:18
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Cc: saag@ietf.org <saag@ietf.org>
Subject: Re: [saag] sntrup761x25519-sha512


On Tue, May 23, 2023 at 12:32 AM Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org> wrote:
"Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org> writes:

> Hi Simon,
>
> I have asked this question to the ADs 3-4 years back and reopening
> CURDLE was not an option. Introducing PQ algorithms to SSH has also
> been discussed in SAAG before and the outcome was that there is no WG
> to do this work right now. So, imo AD-sponsorship is your only
> option.

Paul, Roman, what is your decision on AD-sponsoring
draft-josefsson-ntruprime-ssh?

If you are asking for AD sponsorship then this should go through the
SECDISPATCH process in SFO. That would structure this discussion
properly.


From your other message:

> One point of my draft is to give IETF change control.  The process was
> the same with RFC 8731 when we documented how Curve25519 was used in
> OpenSSH at the time.  Many implementations (including OpenSSH) now use
> the RFC 8731 algorithm identifier that is under IETF change control.

So to clarify, if the IETF decided to change the use of SNTRU in some way,
for instance, by changing the encoding, then the SSH community would expect
to change over to that code point and use?

-Ekr