Save the Date: February 25-26, 2025. Virtual Workshop on guidance for KEMs


Moody, Dustin (Fed)

Oct 29, 2024, 11:57:04 AM
to pqc-forum
All,
As you may know, NIST recently published FIPS 203, which specifies ML-KEM. In addition, NIST plans to select one or two more quantum-resistant KEMs for future standardization.
To provide guidance on using KEMs, NIST is finalizing the draft of SP 800-227, Recommendations for Key Encapsulation Mechanisms, and we expect to release the draft for public comment by the end of the year.
In addition to seeking public comments, we also want to gather further community feedback on the draft. To facilitate this, we are planning a virtual workshop on February 25-26, 2025, focusing on the topics covered in SP 800-227. More details will be shared soon.
Thank you for your attention.

Dustin Moody
NIST PQC



John Mattsson

Nov 4, 2024, 3:20:25 AM
to Moody, Dustin (Fed), pqc-forum

Hi Dustin,

Thanks for announcing this early and thanks for making some workshops virtual, it is hard to travel to everything. Looking forward to the SP 800-227 draft. I hope SP 800-227 will cover:

  • Begin the document with an easy-to-understand explanation that KEMs can be used for key exchange, public-key encryption, and authentication. When talking with developers, end-users, and non-crypto persons in SDOs, my view is that a lot of people do not understand that ECDH can be used for public-key encryption and authentication.
  • Explain that as long as the application can handle larger public keys and ciphertexts, KEMs are drop-in replacements for ephemeral-ephemeral key exchange in e.g. TLS and IPsec, and static-ephemeral key exchange in ECIES.
  • Explain what KEMs are not a drop-in replacement for, and explain that protocols like Signal, Noise, multiple-recipient RSA-OAEP, and static-static ECDHE need to be redesigned.
  • Remind that reuse of ephemeral keys is forbidden according to SP 800-56A and explain why. https://github.com/post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem/pull/25
  • Give advice on hybrid keying, including the value of frequent rekeying with ephemeral keys and chaining sessions together.
  • Give advice on how to use a single seed for several KEMs.

Cheers,

John

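The wish list in the message above (KEMs as a drop-in for ephemeral-ephemeral exchange, no reuse of ephemeral keys, hybrid keying with rekeying and session chaining, one seed feeding several KEMs) is easier to see in code. The Python below is an added illustration, not part of the thread, of SP 800-227 or of any NIST or IETF document. Its KEM is a toy Diffie-Hellman style construction over a small Mersenne prime (a constructed parameter, not secure) standing in for ML-KEM or an ECDH-based KEM; the class and function names, the "kem-A"/"kem-B" labels and the protocol context string are all hypothetical, while the HKDF is the real RFC 5869 construction.

```python
"""Added illustration of the KEM interface, a hybrid combiner, per-KEM seed
derivation and an ephemeral-key reuse guard.  The KEM is a toy DH-style KEM
over a small Mersenne prime (constructed, NOT secure); it stands in for
ML-KEM or an ECDH-based KEM purely to show the data flow."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

P = (1 << 127) - 1    # constructed toy modulus (a Mersenne prime); illustration only
G = 5                 # constructed toy generator
NBYTES = 16           # group elements fit in 16 bytes


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract with salt, then expand with info."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
        i += 1
    return out[:length]


def derive_kem_seeds(master_seed: bytes, kem_names: List[str]) -> Dict[str, bytes]:
    """One master seed feeding several KEMs: each KEM gets an independent,
    label-separated seed, so no two KEMs share key material directly."""
    return {n: hkdf(b"", master_seed, b"kem-seed:" + n.encode()) for n in kem_names}


class ToyKEM:
    """The generic (keygen, encaps, decaps) interface; `name` domain-separates
    the two component KEMs used in the hybrid below."""

    def __init__(self, name: str):
        self.name = name.encode()

    def keygen(self, seed: bytes) -> Tuple[bytes, Tuple[int, bytes]]:
        x = int.from_bytes(hkdf(b"", seed, self.name + b":keygen"), "big") % (P - 2) + 2
        pk = pow(G, x, P).to_bytes(NBYTES, "big")
        return pk, (x, pk)          # the decapsulation key keeps pk for binding

    def encaps(self, pk: bytes) -> Tuple[bytes, bytes]:
        e = secrets.randbelow(P - 2) + 2
        ct = pow(G, e, P).to_bytes(NBYTES, "big")
        dh = pow(int.from_bytes(pk, "big"), e, P).to_bytes(NBYTES, "big")
        return ct, hkdf(b"", dh, self.name + b":ss" + ct + pk)

    def decaps(self, sk: Tuple[int, bytes], ct: bytes) -> bytes:
        x, pk = sk
        dh = pow(int.from_bytes(ct, "big"), x, P).to_bytes(NBYTES, "big")
        return hkdf(b"", dh, self.name + b":ss" + ct + pk)


class EphemeralKey:
    """A KEM key pair that may decapsulate exactly once, enforcing the
    SP 800-56A rule that ephemeral keys are not reused."""

    def __init__(self, kem: ToyKEM, seed: bytes):
        self.kem = kem
        self.pk, self._sk = kem.keygen(seed)

    def decaps(self, ct: bytes) -> bytes:
        if self._sk is None:
            raise RuntimeError("ephemeral key already consumed; generate a fresh one")
        ss, self._sk = self.kem.decaps(self._sk, ct), None   # one shot, then gone
        return ss


def hybrid_combine(parts: List[Tuple[bytes, bytes, bytes]], context: bytes) -> bytes:
    """Combine (ss, ct, pk) of each component KEM into one secret.  Feeding the
    ciphertexts and public keys into the KDF binds the result to this exact
    exchange rather than only to the concatenated shared secrets."""
    ikm = b"".join(ss for ss, _, _ in parts)
    info = b"hybrid:" + context + b"".join(ct + pk for _, ct, pk in parts)
    return hkdf(b"", ikm, info)


def chain_session_key(previous: Optional[bytes], fresh: bytes) -> bytes:
    """Frequent rekeying: the new session key depends on the previous session
    key and on the fresh hybrid secret, chaining the sessions together."""
    return hkdf(previous or b"", fresh, b"session-chain")


def ephemeral_hybrid_exchange(previous_key: Optional[bytes] = None) -> Dict[str, object]:
    """Ephemeral-ephemeral key exchange (TLS/IPsec style) with two KEMs."""
    kems = [ToyKEM("kem-A"), ToyKEM("kem-B")]
    ctx = b"toy-protocol-v1"                      # hypothetical protocol label
    # Initiator: one master seed -> one seed per KEM -> one ephemeral key each.
    seeds = derive_kem_seeds(secrets.token_bytes(32), ["kem-A", "kem-B"])
    eph = [EphemeralKey(k, seeds[k.name.decode()]) for k in kems]
    # Responder: encapsulate to each public key and combine.
    encs = [k.encaps(e.pk) for k, e in zip(kems, eph)]
    resp_parts = [(ss, ct, e.pk) for (ct, ss), e in zip(encs, eph)]
    resp_key = chain_session_key(previous_key, hybrid_combine(resp_parts, ctx))
    # Initiator: decapsulate once per ephemeral key and combine identically.
    init_parts = [(e.decaps(ct), ct, e.pk) for e, (ct, _) in zip(eph, encs)]
    init_key = chain_session_key(previous_key, hybrid_combine(init_parts, ctx))
    return {"initiator": init_key, "responder": resp_key, "ephemeral": eph}


def reuse_is_rejected(key: EphemeralKey) -> bool:
    """True if a further decapsulation with the same ephemeral key is refused."""
    try:
        key.decaps(b"\x02" + b"\x00" * (NBYTES - 1))   # constructed dummy ciphertext
    except RuntimeError:
        return True
    return False
```

Running `ephemeral_hybrid_exchange()` shows both sides arriving at the same 32-byte session key; calling it again with that key as `previous_key` produces the next key in the chain. The same `ToyKEM` object serves the static-ephemeral (ECIES-like) pattern too, the only difference being that the static decapsulation key is not wrapped in `EphemeralKey` and so may be used for many ciphertexts.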

niux_d...@icloud.com

Nov 4, 2024, 6:41:42 AM
to John Mattsson, Moody, Dustin (Fed), pqc-forum
+1. I especially like the idea of background information for non-crypto professionals.

Veljko Tekelerović

Nov 4, 2024, 6:45:24 AM
to niux_d...@icloud.com, John Mattsson, Moody, Dustin (Fed), pqc-forum
Absolutely agree with the above.

Too many of us (developers) simply do not understand the very basics of even https or ssh, not to mention key encapsulation, let alone the mathematical background behind everything.

Another +1 for putting some effort into describing the basics.

Krzysztof Kwiatkowski

Nov 4, 2024, 6:59:53 AM
to Veljko Tekelerović, niux_d...@icloud.com, John Mattsson, Moody, Dustin (Fed), pqc-forum
The IETF has already made considerable progress on this. You may find
some helpful details in the IETF draft below, which covers a lot of
ground on the topic.
https://datatracker.ietf.org/doc/draft-ietf-pquip-pqc-engineers/