Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI

"Markku-Juhani O. Saarinen" <mjos@pqshield.com> Thu, 28 November 2019 11:17 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/AM8p5FvIraAE-2PzZU4DabL9Aeg>

Hi,

Agree that Hybrid should be PKE/KEM + DEM. That's what I learned in school
and that's what cryptography textbooks have said for decades (although the
current KEM/DEM terminology is newer).

Note that to add to the confusion, NIST discusses "dual signatures" (not to
be confused with 1990's SET "dual signatures") in their proposed amendment
to the NIST PQC FAQ.

Dustin Moody (NIST), October 30: "Is it possible for a dual signature to be
validated according to FIPS 140?"
https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/qRP63ucWIgs/rY5Sr_52AAAJ

Sadly his key-establishment is still "hybrid". Hopefully we can change this.

A quick poll in this particular office seems to favour the word "composite"
for both key establishment and signatures.

Cheers,
- markku

Dr. Markku-Juhani O. Saarinen <mjos@pqshield.com> PQShield, Oxford UK.


On Thu, Nov 28, 2019 at 10:41 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:

> Hi,
>
> There are now two very different use cases of the word 'hybrid' being
> discussed in IRTF/IETF.
>
> Combination of KEM + DEM:
>
> https://tools.ietf.org/html/draft-irtf-cfrg-hpke
>
> Combination of multiple algorithms of the same type (KEM or Signature)
>
> https://tools.ietf.org/html/draft-tjhai-ipsecme-hybrid-qske-ikev2
> https://tools.ietf.org/html/draft-stebila-tls-hybrid-design
> https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid
> https://tools.ietf.org/html/draft-pq-pkix-problem-statement
> https://tools.ietf.org/html/draft-truskovsky-lamps-pq-hybrid-x509
> https://tools.ietf.org/html/draft-ounsworth-pq-composite-sigs
>
> I would suggest that IRTF/IETF do not use the word 'hybrid' for both of
> these different meanings. Given that 'hybrid' is quite established for the
> combination of KEM + DEM
>
> https://en.wikipedia.org/wiki/Hybrid_cryptosystem
>
> and the use of 'hybrid' for PQC is quite new and not yet that established,
> I would suggest that IRTF/IETF use 'hybrid' for KEM + DEM and agree on
> another term for the PQC use cases. 'multiple-algorithms' and 'composite'
> have been mentioned in documents and discussions. I would be fine with both
> of these. 'Multiple encryption' seems to be the most common term for
> encrypting with several algorithms.
>
> https://en.wikipedia.org/wiki/Multiple_encryption
>
> Cheers,
> John