[Secdispatch] Quantum Resiliant

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 23 September 2019 16:03 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 02F10120137 for <secdispatch@ietfa.amsl.com>; Mon, 23 Sep 2019 09:03:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.916
X-Spam-Status: No, score=-1.916 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id dHxvNHPkbLob for <secdispatch@ietfa.amsl.com>; Mon, 23 Sep 2019 09:03:03 -0700 (PDT)
Received: from mail-ot1-f50.google.com (mail-ot1-f50.google.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A453212013A for <secdispatch@ietf.org>; Mon, 23 Sep 2019 09:03:03 -0700 (PDT)
Received: by mail-ot1-f50.google.com with SMTP id c10so12563536otd.9 for <secdispatch@ietf.org>; Mon, 23 Sep 2019 09:03:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=KcGH+wF/439oLXsiON31LVVZVfx3Ebaskg9aVCeo+GU=; b=QQ++CJzN2aYt8hf/s4YKEJKvozFjWOqXK+NiA8FEWMijeA6jCpIe/RNMEpsLqjFYKo jbJYEaayRBv3+iS9SBzXQD+zp9hQKf7nliOEjaZHGWo0GiuvHA2BnTb8Ht9HE30YAUX7 4B3Fhl6IMuCTqLEcqyIREAkHVxHQF96EKXCJ3NSk6Lf24+t6CNNQiHIEiNnXLGldYrKj scEE1u0qE8cHj6ZhwjWsVBsgpKIl11Ja37oGex54alpNyUVNyAInOpdYaij7V6TEp7dd Q7/6utriNMMUV2+wh87Gqo2Pi6iJNUGa1I/uQGxL31H4K+ooXs04ogsAtUH28gsQrU1c QeHQ==
X-Gm-Message-State: APjAAAWFMc/ZmFVaeyjklngoZVORPKJpwnEKAS5NKN/hSygwMFNkwKeE D41PlQxHSLrdFwjeFOZ4C/Dgk104HUQhJSQ7Jo/13k2/
X-Google-Smtp-Source: APXvYqzX5jK7CeGWILJ/K9pofV5j9GP6Xxi4bAogjtS8317DIpN+5kFo4sf3WpwltqVBFnfh1YAy1ImcEtCySxd4M6g=
X-Received: by 2002:a05:6830:14c5:: with SMTP id t5mr501938otq.112.1569254582229; Mon, 23 Sep 2019 09:03:02 -0700 (PDT)
MIME-Version: 1.0
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 23 Sep 2019 12:02:51 -0400
Message-ID: <CAMm+LwgL4szAN0Su441_XdCRGEY-O5peAAW=quB+C_LfNzt7Gg@mail.gmail.com>
To: IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ef9f8e05933a8d4d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/CbUaKwPwu1MG4OeqnEWgEXqHLDI>
Subject: [Secdispatch] Quantum Resiliant
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2019 16:03:06 -0000

We have a lot of interest in building PKI architectures that are secure
against quantum cryptanalysis. I see three different levels at which this
can be achieved.

Class 1: The system uses a quantum cryptanalysis secure public key
algorithm that provides all the same capabilities as traditional public key

Class 2: The system uses symmetric key based security with a significant
impact on capabilities as it is only possible to establish trust after
first establishing a shared secret. (e.g. Kerberos, Lamport signatures).

Class 3: The system is a traditional PKI modified to mitigate the
consequences of quantum cryptanalysis without modifications that
significantly affect traditional use. (e.g. use of hash chain notary to
protect signatures, use of shared secret KDF mixins).

As a field, we have to explore all three. And it might well be that the
short term interest is in the last. For protocol designers like myself, the
class 1 is not an interesting problem and won't be until we know how
quantum resistant public key algorithms differ from traditional PKI. We are
assuming that the problem is solved without the need for any protocol
re-engineering or with minor tweaks.

Class 2 presents some very interesting challenges as Lamport signatures are
statefull so we need a way to manage the state. Another approach that could
be interesting is to attempt a federated version of Kerberos. CAs become
Kerberos ticket granters.

So lets say I am trying to contact Amazon.com, I do this using a ticket I
have acquired from TicketCo which has a shared ticket with both of us.
Easy! OK, but how do I establish that shared ticket? Well I am going to
have to meet each CA in person or rely on some sort of federated
introduction infrastructure and we end up with multiple inputs to KDFs or
Shamir secret sharing and the like.

Class 3 looks like it is the least interesting but it is the new
'constrained device' case for PKI and that makes it a fascinating challenge
as you have to provide as much quantum security in the context of
traditional PKI approaches.