Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI

Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com> Wed, 04 December 2019 23:35 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrustdatacard.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "Markku-Juhani O. Saarinen" <mjos@pqshield.com>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>
Date: Wed, 4 Dec 2019 23:35:51 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/em1PA5YHTPAL3fmxH3JDTSZz4C8>

As an author of a couple of the “hybrid” certificate drafts you mention, I can maybe add some context.

In the X.509 certificate space, we had been using the word “hybrid certificate” to refer to draft-truskovsky-lamps-pq-hybrid-x509. Since this is A) IP owned by ISARA, and B) ISARA has now branded this as an ISARA Catalyst Agile Digital Certificate, maybe that solves the problem of term-overloading.
https://www.isara.com/catalyst/

We have been using the term “composite certificate / signature” to refer to draft-ounsworth-pq-composite-sigs. If “composite” is going to become the most generic umbrella term, then perhaps we need to think of a new name to attach to this draft?

---
Mike Ounsworth
Software Security Architect, Entrust Datacard

From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of John Mattsson
Sent: Thursday, November 28, 2019 6:26 AM
To: Markku-Juhani O. Saarinen <mjos@pqshield.com>
Cc: secdispatch@ietf.org
Subject: [EXTERNAL]Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI

I would be fine with the word “composite” for both key establishment and signatures.

Another reason “dual” is not a good choice is that many of the suggested solutions allow more than two algorithms.

Hopefully NIST agrees and is happy to align on terminology together with IETF. As you point out they are also using multiple terms like “dual” and “hybrid”.

Cheers,
John

From: "Markku-Juhani O. Saarinen" <mjos@pqshield.com>
Date: Thursday, 28 November 2019 at 12:18
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "secdispatch@ietf.org" <secdispatch@ietf.org>
Subject: Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI

Hi,

Agree that Hybrid should be PKE/KEM + DEM. That's what I learned in school and that's what cryptography textbooks have said for decades (although the current KEM/DEM terminology is newer).

Note that to add to the confusion, NIST discusses "dual signatures" (not to be confused with 1990's SET "dual signatures") in their proposed amendment to the NIST PQC FAQ.

Dustin Moody (NIST), October 30: "Is it possible for a dual signature to be validated according to FIPS 140?" https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/qRP63ucWIgs/rY5Sr_52AAAJ

Sadly his key-establishment is still "hybrid". Hopefully we can change this.

A quick poll in this particular office seems to favour the word "composite" for both key establishment and signatures.

Cheers,
- markku

Dr. Markku-Juhani O. Saarinen <mjos@pqshield.com> PQShield, Oxford UK.


On Thu, Nov 28, 2019 at 10:41 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
Hi,

There are now two very different use cases of the word 'hybrid' being discussed in IRTF/IETF.

Combination of KEM + DEM:

https://tools.ietf.org/html/draft-irtf-cfrg-hpke

Combination of multiple algorithms of the same type (KEM or Signature)

https://tools.ietf.org/html/draft-tjhai-ipsecme-hybrid-qske-ikev2
https://tools.ietf.org/html/draft-stebila-tls-hybrid-design
https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid
https://tools.ietf.org/html/draft-pq-pkix-problem-statement
https://tools.ietf.org/html/draft-truskovsky-lamps-pq-hybrid-x509
https://tools.ietf.org/html/draft-ounsworth-pq-composite-sigs

I would suggest that IRTF/IETF do not use the word 'hybrid' for both of these different meanings. Given that 'hybrid' is quite established for the combination of KEM + DEM

https://en.wikipedia.org/wiki/Hybrid_cryptosystem

and the use of 'hybrid' for PQC is quite new and not yet that established, I would suggest that IRTF/IETF use 'hybrid' for KEM + DEM and agree on another term for the PQC use cases. 'multiple-algorithms' and 'composite' have been mentioned in documents and discussions. I would be fine with both of these. 'Multiple encryption' seems to be the most common term for encrypting with several algorithms.

https://en.wikipedia.org/wiki/Multiple_encryption

Cheers,
John

