Re: [lamps] [EXTERNAL] Re: draft-ounsworth-pq-composite-sigs-11

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 08 February 2024 18:31 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/n2XUb2ryTK2wu0DEEM6rXiXxE6w>

Hiya,

On 08/02/2024 18:26, Mike Ounsworth wrote:
> Hi Stephen,
> 
>> Other agencies have recommended against hybrid KEMs by times, and we happily ignore that.
> 
> I fully disagree. We are not ignoring that at all.
> LAMPS has draft-ietf-lamps-kyber which instructs how to use Kyber by itself in CMS, which fulfills the requirements from people who do not want hybrids. And similarly draft-ietf-lamps-dilithium-certificates for pure Dilithium signatures.
> My understanding is that the IETF does not play politics; if multiple governments have conflicting technical requirements, then we should produce separate mechanisms to satisfy each. It is clear to me that there exists a need for this motivated by BSI and ANSSI recommendations. Full stop.
> 
> 
> I have written some text into the composite signatures draft that I think addresses this. It is currently on a github pull request:
> 
> https://github.com/EntrustCorporation/draft-ounsworth-composite-sigs/pull/131
> 
> It adds the following text to the Introduction:
> 
> + In particular, certain jurisdictions are recommending or requiring that PQC lattice schemes only be used within a PQ/T hybrid. As an example, we point to [BSI2021] which includes the following recommendation:
> 
> + "Therefore, quantum computer-resistant methods should
> + not be used alone - at least in a transitional period - but
> + only in hybrid mode, i.e. in combination with a classical
> + method. For this purpose, protocols must be modified
> + or supplemented accordingly. In addition, public key
> + infrastructures, for example, must also be adapted"
> 
> + In addition, [BSI2021] specifically references this specification as a concrete example of hybrid X.509 certificates.
> 
> + A more recent example is [ANSSI2024], a document co-authored by the French Cybersecurity Agency (ANSSI),
> + the Federal Office for Information Security (BSI), the Netherlands National Communications Security Agency (NLNCSA), and
> + the Swedish National Communications Security Authority, Swedish Armed Forces, which makes the following statement:
> 
> + “In light of the urgent need to stop relying only on quantum-vulnerable public-key cryptography for key establishment, the clear priority should therefore be the migration to post-quantum cryptography in hybrid solutions”
> 
> + This specification represents the straightforward implementation of the hybrid solutions called for by European cyber security agencies.
> 

That's about the closest I've ever seen to a pure argument
from authority. I don't think we ought to base IETF work on
such a well known fallacy.

> 
> To flip the burden of proof back onto the detractors: 

I'm not currently being a detractor. I'm asking for someone
to document a case where these hybrid signing algorithms are
needed and needed now. If that's not doable then I find that
fairly telling.

S.


> if you think that this work should not proceed, then please justify why the IETF does not need to produce a mechanism to fulfil this recommendation from multiple governments. Or perhaps the IETF already has a mechanism that satisfies this requirement, but if so, I am not aware of one -- for example all of the Multi-Cert mechanisms that I am aware of operate in an OR mode, and are therefore not "hybrids" as defined in the above-referenced BSI recommendations document.
> 
> ---
> Mike Ounsworth
> 
> -----Original Message-----
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> Sent: Thursday, February 8, 2024 12:00 PM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Kris Kwiatkowski <kris@amongbytes.com>; spasm@ietf.org
> Subject: Re: [EXTERNAL] Re: [lamps] draft-ounsworth-pq-composite-sigs-11
> 
> 
> Hiya,
> 
> On 08/02/2024 15:31, Mike Ounsworth wrote:
>> Not to be flippant, but I think the answer is "everywhere".
> 
> You may be unsurprised to hear that I disagree.
> 
>> The current recommendations (at least from some European governments)
>> are to not use lattice schemes in isolation, but only in hybrids. So
>> anywhere that uses long-term keys (ex.: certs for CAs, S/MIME, Code
>> Signing, Document Signing, any-other-thing Signing, etc) and wants to
>> migrate to Dilithium *should* migrate to a dilithium+ecc or
>> dilithium+rsa composite.
>>
>> Would it address your comment if we add text to the Intro to that
>> effect that references the various government calls for hybrids?
> 
> Not for me, no. Other agencies have recommended against hybrid KEMs by times, and we happily ignore that. We should also be doing the engineering work to determine what's needed where and when. So I think we need a demonstration that these kinds of hybrid signing algs are needed, and needed now. I've not seen that myself, especially in a context where pq signing algs seem to be evolving a lot.
> 
> S.
> 
>>
>> --- Mike Ounsworth
>>
>> -----Original Message-----
>> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Stephen Farrell
>> Sent: Wednesday, February 7, 2024 4:25 PM
>> To: Kris Kwiatkowski <kris@amongbytes.com>; spasm@ietf.org
>> Subject: [EXTERNAL] Re: [lamps] draft-ounsworth-pq-composite-sigs-11
>>
>>
>> Hiya,
>>
>> On 07/02/2024 22:07, Kris Kwiatkowski wrote:
>>> * Is there a document describing real-world use cases for this draft?
>>> I’m aware of draft-vaira-pquip-pqc-use-cases, but really I’m looking
>>> for use cases where draft-ounsworth-pq-composite-sigs will be clearly
>>> very useful/necessary to have.
>>
>> I'd also be v. interested in that, and didn't find such text when I
>> looked a few months back. (And I think such text is very much
>> needed.)
>>
>> Cheers, S.