Re: [saag] PQC in ZRTP (RFC6189) and hybrid KEM

Johan Pascal <johan.pascal@linphone.org> Mon, 22 November 2021 17:28 UTC

Date: Mon, 22 Nov 2021 18:28:08 +0100
To: Colin Perkins <csp@csperkins.org>
Cc: Eric Rescorla <ekr@rtfm.com>, IETF SAAG <saag@ietf.org>
References: <0c359a65-386e-8c09-4c8f-9cefb066cffc@linphone.org> <CABcZeBPME1Eos8SFQdmAGRP5smn=bfAdPVOTrxF10nU3wkEbeA@mail.gmail.com> <B8A00186-3F5E-4075-8244-B4B9F069BD5B@csperkins.org>
From: Johan Pascal <johan.pascal@linphone.org>
In-Reply-To: <B8A00186-3F5E-4075-8244-B4B9F069BD5B@csperkins.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/itwZRqzh0lUmmUJNndFAJAe1-Sg>

Hi,

thanks for your suggestions. I know the work on hybrid design is already done in TLS and others. While looking for some documentation on that specific problem I found several protocols addressing it, each of them with specific details related to the protocol, and that is mainly what led me to think that a document dedicated to hybrid schemes might make sense: it would save the next person trying to achieve exactly what I'm trying to do for ZRTP the work of reading the different specifications, parting what is protocol related and what is not. But the hybrid mechanism can be described in the PQC-ZRTP I-D itself.

Colin, as the problem of updating ZRTP to a PQ-KEM scheme is mostly security related, it made more sense to me to post it on saag. The perfect list to discuss it would be the potential "PQC Agility" WG if it is chartered at some point (https://mailarchive.ietf.org/arch/msg/saag/5uV72m80X9PTGFWFyDY5VrNyK-c/). Is there any update on this?

Regards,

Johan

On 18/11/2021 23:43, Colin Perkins wrote:
Hi Johan,

ZRTP was never adopted as a working group item, but the draft was presented several times in the AVT working group. You might get useful feedback from AVTCORE.

Colin



On 16 Nov 2021, at 21:51, Eric Rescorla <ekr@rtfm.com> wrote:

Hi Johann,

As you say, there are some common design questions with any protocol which wants to graft PQ onto DH in a hybrid mode. There is already a fair amount of work on this in TLS (https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/), though it looks less like making ECDH act like a KEM and more often making the KEMs act like ECDH. I'm honestly not sure how much new work there is to do here; over in TLS we're mostly waiting for NIST. I do think it would be helpful to have CFRG or the like specify a PQ algorithm, but I'm not sure a generic algorithm describing hybrid will help that much, as opposed to having that last mile be protocol specific.

Process-wise, the IETF is not maintaining ZRTP, so you would probably need to do an individual submission or send it to the ISE if you want to update it.

-Ekr




On Tue, Nov 16, 2021 at 1:32 PM Johan Pascal <johan.pascal@linphone.org> wrote:

Dear Saag,

on Roman's advice, I post on this list to mention the need for an update to ZRTP in order to support Post-Quantum Cryptography. RFC6189 was an individual submission and as far as I know no active WG is maintaining this protocol.

ZRTP is based on (EC)DH and requires a deep rework to support the KEM interface used by the NIST PQ key exchange algorithms. I started working on this topic; my next step would be to submit an I-D updating RFC6189, but I'm far from it, so if someone is interested let me know and I can share the preliminary analysis to start a discussion.


Side note: The PQC version of ZRTP should actually use a hybrid key exchange using both (EC)DH and PQ-KEM in parallel. Every protocol using a key exchange/encapsulation algorithm and willing to transition toward PQC has to deal with this problem, so I think it would be more effective to address it in a specific document that would describe:

- how to implement a KEM from X25519/X448 or other (EC)DH algorithms

- how to combine the output of two or more KEMs to provide a hybrid one that would be seen from the protocol level (like ZRTP for example) as a single KEM.

Some combiner suggestions can be found for example in this publication: https://eprint.iacr.org/2018/903.pdf

The idea would be to avoid repeating the hybrid KEM description in various documents and focus the discussions on that specific matter in one central point.

Regards,

Johan

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag
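The two items Johan lists (turning X25519 into a KEM, and combining several KEMs into one that the protocol sees as a single KEM) are illustrated below in an added example that is not part of this thread, of RFC 6189, of Johan's draft, or of the ePrint paper he cites. It implements the RFC 7748 X25519 ladder in pure Python, wraps it in a DHKEM-style interface (ciphertext = ephemeral public key, shared secret = hash of the DH output bound to ciphertext and public key, the pattern HPKE uses), and applies a KDF-over-concatenation combiner that binds all component ciphertexts and public keys. The class names, labels and the `HybridKem` API are assumptions made for the example; the second KEM slot is a labelled stand-in for a PQ KEM, since none is available in the standard library. The scalar multiplication is not constant-time and is for study only.

```python
"""Hybrid KEM demonstration: X25519-as-KEM plus a generic KEM combiner.

Educational example, not the code of any protocol or paper. The ladder is
not side-channel hardened; the second KEM is a stand-in for a real PQ KEM.
"""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding (clamping)."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. NOT constant-time: study use only."""
    k = _clamp(k)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P  # mask MSB, reduce
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap (a real implementation uses a constant-time cswap)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# RFC 7748 section 6.1 test vectors (Alice's key pair and the shared secret).
RFC7748_ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
RFC7748_ALICE_PK = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
RFC7748_BOB_PK = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
RFC7748_SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def rfc7748_vector_ok() -> bool:
    """Check the ladder against the published RFC 7748 vectors."""
    return (x25519(RFC7748_ALICE_SK, BASEPOINT) == RFC7748_ALICE_PK
            and x25519(RFC7748_ALICE_SK, RFC7748_BOB_PK) == RFC7748_SHARED)


class X25519Kem:
    """KEM interface over X25519 (DHKEM style, as in HPKE): ct is an ephemeral
    public key, ss = H(label || dh || ct || pk). 'label' is an assumed domain
    separator so two instances of this class derive different secrets."""

    def __init__(self, label: bytes):
        self.label = label

    def keygen(self):
        sk = os.urandom(32)
        return sk, x25519(sk, BASEPOINT)

    def _derive(self, dh: bytes, ct: bytes, pk: bytes) -> bytes:
        if dh == bytes(32):  # low-order input point: reject, per RFC 7748 sec. 6.1
            raise ValueError("all-zero X25519 output")
        return hashlib.sha256(self.label + dh + ct + pk).digest()

    def encaps(self, pk: bytes):
        esk = os.urandom(32)
        ct = x25519(esk, BASEPOINT)  # ciphertext = ephemeral public key
        return ct, self._derive(x25519(esk, pk), ct, pk)

    def decaps(self, sk: bytes, pk: bytes, ct: bytes) -> bytes:
        return self._derive(x25519(sk, ct), ct, pk)


def _hkdf_sha256(ikm: bytes, info: bytes) -> bytes:
    """Single-block HKDF (RFC 5869) with a zero salt; 32-byte output."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


class HybridKem:
    """Presents N component KEMs as one KEM. Combiner (assumed design): a KDF
    over the concatenated shared secrets, with every ciphertext and public
    key bound through the info string, so tampering with any component
    changes the final key."""

    def __init__(self, kems):
        self.kems = kems

    def keygen(self):
        pairs = [k.keygen() for k in self.kems]
        return [sk for sk, _ in pairs], [pk for _, pk in pairs]

    def _combine(self, secrets, cts, pks) -> bytes:
        info = b"hybrid-kem-demo" + b"".join(cts) + b"".join(pks)
        return _hkdf_sha256(b"".join(secrets), info)

    def encaps(self, pks):
        out = [k.encaps(pk) for k, pk in zip(self.kems, pks)]
        cts = [ct for ct, _ in out]
        return cts, self._combine([ss for _, ss in out], cts, pks)

    def decaps(self, sks, pks, cts) -> bytes:
        secrets = [k.decaps(sk, pk, ct) for k, sk, pk, ct in zip(self.kems, sks, pks, cts)]
        return self._combine(secrets, cts, pks)


def hybrid_roundtrip():
    """Returns (sender key, receiver key, key derived from a corrupted ct)."""
    # Constructed setup: slot 2 stands in for a PQ KEM such as a NIST finalist,
    # which the standard library does not provide; the combiner is KEM-agnostic.
    hybrid = HybridKem([X25519Kem(b"x25519"), X25519Kem(b"pq-kem-stand-in")])
    sks, pks = hybrid.keygen()
    cts, ss_sender = hybrid.encaps(pks)
    ss_receiver = hybrid.decaps(sks, pks, cts)
    corrupted = [bytes([cts[0][0] ^ 1]) + cts[0][1:], cts[1]]  # flip one bit
    ss_bad = hybrid.decaps(sks, pks, corrupted)
    return ss_sender, ss_receiver, ss_bad


if __name__ == "__main__":
    print("RFC 7748 vectors:", rfc7748_vector_ok())
    s, r, bad = hybrid_roundtrip()
    print("hybrid agree:", s == r, "| corrupted ct differs:", s != bad)
```

Swapping the stand-in for a real PQ KEM only requires an object with the same `keygen`/`encaps`/`decaps` shape; the protocol above it (ZRTP in Johan's case) keeps seeing one public key list, one ciphertext list and one 32-byte secret. Because the component ciphertexts and public keys feed the KDF, a mismatch on either side shows up as a different final key rather than a silent downgrade to whichever component still agrees.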