Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI

John Mattsson <john.mattsson@ericsson.com> Thu, 28 November 2019 12:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/hK6r295AiKVtd7zksZW635TTYAI>

I would be fine with the word “composite” for both key establishment and signatures.

Another reason “dual” is not a good choice is that many of the suggested solutions allow more than two algorithms.

Hopefully NIST agrees and is happy to align on terminology together with IETF. As you point out they are also using multiple terms like “dual” and “hybrid”.

Cheers,
John

From: "Markku-Juhani O. Saarinen" <mjos@pqshield.com>
Date: Thursday, 28 November 2019 at 12:18
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "secdispatch@ietf.org" <secdispatch@ietf.org>
Subject: Re: [Secdispatch] Problem statement for post-quantum multi-algorithm PKI

Hi,

Agree that Hybrid should be PKE/KEM + DEM. That's what I learned in school and that's what cryptography textbooks have said for decades (although the current KEM/DEM terminology is newer).

Note that to add to the confusion, NIST discusses "dual signatures" (not to be confused with 1990s SET "dual signatures") in their proposed amendment to the NIST PQC FAQ.

Dustin Moody (NIST), October 30: "Is it possible for a dual signature to be validated according to FIPS 140?" https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/qRP63ucWIgs/rY5Sr_52AAAJ

Sadly his key-establishment is still "hybrid". Hopefully we can change this.

A quick poll in this particular office seems to favour the word "composite" for both key establishment and signatures.

Cheers,
- markku

Dr. Markku-Juhani O. Saarinen <mjos@pqshield.com> PQShield, Oxford UK.


On Thu, Nov 28, 2019 at 10:41 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
Hi,

There are now two very different use cases of the word 'hybrid' being discussed in IRTF/IETF.

Combination of KEM + DEM:

https://tools.ietf.org/html/draft-irtf-cfrg-hpke

Combination of multiple algorithms of the same type (KEM or Signature):

https://tools.ietf.org/html/draft-tjhai-ipsecme-hybrid-qske-ikev2
https://tools.ietf.org/html/draft-stebila-tls-hybrid-design
https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid
https://tools.ietf.org/html/draft-pq-pkix-problem-statement
https://tools.ietf.org/html/draft-truskovsky-lamps-pq-hybrid-x509
https://tools.ietf.org/html/draft-ounsworth-pq-composite-sigs

I would suggest that IRTF/IETF do not use the word 'hybrid' for both of these different meanings. Given that 'hybrid' is quite established for the combination of KEM + DEM

https://en.wikipedia.org/wiki/Hybrid_cryptosystem

and the use of 'hybrid' for PQC is quite new and not yet that established, I would suggest that IRTF/IETF use 'hybrid' for KEM + DEM and agree on another term for the PQC use cases. 'multiple-algorithms' and 'composite' have been mentioned in documents and discussions. I would be fine with both of these. 'Multiple encryption' seems to be the most common term for encrypting with several algorithms.

https://en.wikipedia.org/wiki/Multiple_encryption

Cheers,
John

