Re: [lamps] [EXTERNAL] Re: draft-ounsworth-pq-composite-sigs-11

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 08 February 2024 18:26 UTC

To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Kris Kwiatkowski <kris@amongbytes.com>, "spasm@ietf.org" <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/YVxBcUNGaSTswz3TFzvEppAtHYM>

Hi Stephen,

> Other agencies have recommended against hybrid KEMs by times, and we happily ignore that.

I fully disagree. We are not ignoring that at all.
LAMPS has draft-ietf-lamps-kyber which instructs how to use Kyber by itself in CMS, which fulfills the requirements from people who do not want hybrids. And similarly draft-ietf-lamps-dilithium-certificates for pure Dilithium signatures.
My understanding is that the IETF does not play politics; if multiple governments have conflicting technical requirements, then we should produce separate mechanisms to satisfy each. It is clear to me that there exists a need for this motivated by BSI and ANSSI recommendations. Full stop.


I have written some text into the composite signatures draft that I think addresses this. It is currently on a GitHub pull request:

https://github.com/EntrustCorporation/draft-ounsworth-composite-sigs/pull/131

It adds the following text to the Introduction:

+ In particular, certain jurisdictions are recommending or requiring that PQC lattice schemes only be used within in a PQ/T hybrid. As an example, we point to [BSI2021] which includes the following recommendation:

+ "Therefore, quantum computer-resistant methods should
+ not be used alone - at least in a transitional period - but
+ only in hybrid mode, i.e. in combination with a classical
+ method. For this purpose, protocols must be modified
+ or supplemented accordingly. In addition, public key
+ infrastructures, for example, must also be adapted"

+ In addition, [BSI2021] specifically references this specification as a concrete example of hybrid X.509 certificates.

+ A more recent example is [ANSSI2024], a document co-authored by French Cybersecurity Agency (ANSSI), 
+ Federal Office for Information Security (BSI), Netherlands National Communications Security Agency (NLNCSA), and
+ Swedish National Communications Security Authority, Swedish Armed Forces which makes the following statement:

+ “In light of the urgent need to stop relying only on quantum-vulnerable public-key cryptography for key establishment, the clear priority should therefore be the migration to post-quantum cryptography in hybrid solutions”

+ This specification represents the straightforward implementation of the hybrid solutions called for by European cyber security agencies.
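
Review bot: The [ANSSI2024] quotation in the second-to-last added paragraph is scoped to key establishment ("quantum-vulnerable public-key cryptography for key establishment"), while this draft specifies composite signatures, so the closing sentence "This specification represents the straightforward implementation of the hybrid solutions called for by European cyber security agencies" rests on a quote that does not mention signatures. Suggest adding a sentence that explains why the recommendation carries over to signatures, or quoting a passage from the same document that covers signatures directly. Smaller points: "within in a PQ/T hybrid" in the first added line has a duplicated word; "co-authored by French Cybersecurity Agency (ANSSI)" is missing "the", and the agency list would read more clearly with "and the" before its final entry; the [BSI2021] quotation uses straight quotes and has no closing period while the [ANSSI2024] one uses curly quotes, so pick one style for both.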


To flip the burden of proof back onto the detractors: if you think that this work should not proceed, then please justify why the IETF does not need to produce a mechanism to fulfil this recommendation from multiple governments. Or perhaps the IETF already has a mechanism that satisfies this requirement, but if so, I am not aware of one -- for example all of the Multi-Cert mechanisms that I am aware of operate in an OR mode, and are therefore not "hybrids" as defined in the above-referenced BSI recommendations document.

---
Mike Ounsworth

-----Original Message-----
From: Stephen Farrell <stephen.farrell@cs.tcd.ie> 
Sent: Thursday, February 8, 2024 12:00 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Kris Kwiatkowski <kris@amongbytes.com>; spasm@ietf.org
Subject: Re: [EXTERNAL] Re: [lamps] draft-ounsworth-pq-composite-sigs-11


Hiya,

On 08/02/2024 15:31, Mike Ounsworth wrote:
> Not to be flippant, but I think the answer is "everywhere".

You may be unsurprised to hear that I disagree.

> The current recommendations (at least from some European governments) 
> are to not use lattice schemes in isolation, but only in hybrids. So 
> anywhere that uses long-term keys (ex.: certs for CAs, S/MIME, Code 
> Signing, Document Signing, any-other-thing Signing, etc) and wants to 
> migrate to Dilithium *should* migrate to a dilithium+ecc or
> dilithium+rsa composite.
> 
> Would it address your comment if we add text to the Intro to that 
> effect that references the various government calls for hybrids?

Not for me, no. Other agencies have recommended against hybrid KEMs by times, and we happily ignore that. We should also be doing the engineering work to determine what's needed where and when. So I think we need a demonstration that these kinds of hybrid signing algs are needed, and needed now. I've not seen that myself, especially in a context where pq signing algs seem to be evolving a lot.

S.

> 
> --- Mike Ounsworth
> 
> -----Original Message----- From: Spasm <spasm-bounces@ietf.org> On 
> Behalf Of Stephen Farrell Sent: Wednesday, February 7, 2024 4:25 PM
> To: Kris Kwiatkowski <kris@amongbytes.com>; spasm@ietf.org Subject:
> [EXTERNAL] Re: [lamps] draft-ounsworth-pq-composite-sigs-11
> 
> 
> Hiya,
> 
> On 07/02/2024 22:07, Kris Kwiatkowski wrote:
>> * Is there a document describing real-world use cases for this draft? 
>> I’m aware of draft-vaira-pquip-pqc-use-cases, but really I’m looking 
>> for use cases where draft-ounsworth-pq-composite-sigs will be clearly 
>> very useful/necessary to have.
> 
> I'd also be v. interested in that, and didn't find such text when I 
> looked a few months back. (And I think such text is very much
> needed.)
> 
> Cheers, S.