Update of BSI Technical Guideline


Hemmert, Tobias

Mar 14, 2024, 7:13:32 AM
to pqc-forum
Dear All

I would like to highlight that BSI has published an updated version of Technical Guideline TR-02102-1 "Cryptographic Algorithms and Key Lengths", which can be found here:

https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr02102/tr02102_node.html

It includes several updates on quantum-safe cryptography, in particular on key agreement schemes, digital signatures and hybridisation.

All best
Tobias

Dr. Tobias Hemmert
________________________________
Referat KM 21 - Vorgaben an und Entwicklung von Kryptoverfahren
Bundesamt für Sicherheit in der Informationstechnik

Godesberger Allee 87
53175 Bonn
E-Mail:       tobias....@bsi.bund.de
Internet:     www.bsi.bund.de


John Mattsson

May 19, 2024, 7:23:01 AM
to Hemmert, Tobias, pqc-forum

 

Dear Tobias

Thanks for this very welcome information! For companies with a global presence, it is very important to have alignment on a small set of algorithms that are trusted globally. For firmware updates it is far easier to convince suppliers to support ML-DSA than SLH-DSA, as ML-DSA is included in CNSA 2.0. LMS and XMSS are not possible to use in many industries as NIST forbids export of the private key, which often is a strong requirement. Furthermore, BSI recommends multi-tree variants, while CNSA forbids multi-tree variants. FrodoKEM and Classic McEliece are not considered viable options unless they get published by NIST, BSI, or as an RFC without paywalls. We think BSI should follow NIST and IETF and strive to remove paywalled references.

I think the misalignment between European countries and the US has opened up for embarrassing and dangerous discussions in Europe to use QKD for practical security, when in fact QKD even theoretically provides extremely little and is practically insecure. Hopefully the excellent technical summary [1] and alignment and quick deployment of PQC will kill the QKD nonsense.

It would be good if BSI clarified why BSI only intends to include security categories 3 and 5 of SLH-DSA while security category 1 for LMS, XMSS seems to be included. Does BSI intend to remove LMS and XMSS parameter sets such as SHA-256/192 recommended in CNSA? I note that BSI requires 120-bit symmetric keys and recommends 128-bit keys. Equally important is guidance on how long 128-bit keys can continue to be used. There is a lot of misinformation that CRQCs will practically break AES-128. My current understanding is that there is zero chance that a cluster of CRQCs will brute force AES-128 before classical supercomputers.

Cheers,

John Preuß Mattsson

[1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Crypto/Quantum_Positionspapier.pdf?__blob=publicationFile&v=4


Hemmert, Tobias

May 29, 2024, 11:05:44 AM
to John Mattsson, pqc-forum

Dear John

Thank you for your remarks and questions and apologies for my late reply.

Thank you for your question on our recommendation of SLH-DSA and LMS, XMSS. We are happy to clarify. We only recommend parameter sets which meet NIST security categories 3 or 5. Note that for our recommendation of LMS and XMSS in TR-02102-1, we refer to NIST SP 800-208, which only contains parameter sets that are expected to meet these security categories. Therefore, we do not intend to remove LMS and XMSS parameter sets using SHA-256/192 from our recommendations.

I hope this answers your question.

All best

Tobias (on behalf of the BSI cryptography division)
