security category reference

Phillip Hallam-Baker

Sep 13, 2024, 4:08:51 PM
to pqc-forum
I am trying to find the authoritative definition for the term 'security category'. FIPS 203 cites

> security category: A number associated with the security strength of a post-quantum cryptographic algorithm, as specified by NIST (see [7]).
>
> [7] Barker EB (2020) Recommendation for key management: Part 1 - General, (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5 [or as amended]. https://doi.org/10.6028/NIST.SP.800-57pt1r5

But that reference only specifies the security strengths; I searched on 'security category' without any hits. So I am not able to determine the mapping of bits to category numbers.

Torsten Schuetze

Sep 13, 2024, 4:18:36 PM
to Phillip Hallam-Baker, pqc-forum

I don’t know if it’s THE authoritative definition, but in the Call for Proposals from December 2016, so the start of the whole process,

Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process

you can find 4.A.5 Security Strength Categories with the five categories.

 

Best,

Torsten


Mike Ounsworth

Sep 13, 2024, 5:38:19 PM
to Phillip Hallam-Baker, pqc-forum

Hey Phillip,

 

I fully agree!

 

Since FIPS 203 / 204 are full of references to “Category 1 / 2 / 3 / 4 / 5”, but those are not actually defined in the referenced section 5.6 of SP 800-57pt1r5.

 

The definitions are in section 4.A.5 of this web page, which is part of the Call for Proposals from the beginning of the PQC competition.

 

https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria)

 

I’m a little surprised that this important info didn’t make it into any official FIPS or SP document.

 

---

Mike Ounsworth

 


Moody, Dustin (Fed)

Sep 13, 2024, 10:17:25 PM
to Mike Ounsworth, Phillip Hallam-Baker, pqc-forum
SP 800-57 is being revised, and will include the definition of the security categories when it is released.  The definition is the same as already noted (from the original Call for Proposals).

The SP is one of several documents being updated, now that FIPS 203, 204, and 205 are published.  We appreciate your patience as we revise and update our documents.

Dustin Moody

 


Phillip Hallam-Baker

Sep 14, 2024, 12:53:28 PM
to Moody, Dustin (Fed), Mike Ounsworth, pqc-forum
No problem, I was pretty sure it was something of the sort.

About 20% of my cryptography code is actual algorithms and the other 80% turns out to be serialization and tagging and bagging crypto for different formats - ASN.1, XML DigSig, Jose, etc. Deriving algorithm identifiers according to multiple different formats (OID, string, URI) and different styles (algorithm, algorithm+keysize, algorithm+digest, etc.)

So after working with all the identifier code contained in each serialization module, I realized it was time to bring it all together in a registry of algorithms so it is possible to select for a particular assurance level. So I really wanted to get that straight.


The goal is that instead of asking for RSA2048+AES256, the application asks for CS112 (conventional security 112 bit) and the application makes the choice.

Or when validating a certificate path chain, you specify SC4 (security category 4) so it can eliminate assertions that don't meet that criteria as it tries to do path math.


Mike Ounsworth

Sep 15, 2024, 11:03:35 AM
to Moody, Dustin (Fed), Phillip Hallam-Baker, pqc-forum

Thanks Dustin!

 

In the meantime, I wonder if there is something you can do to make the security category definitions easier to find? It always takes me at least 10 minutes to dig up the call-for-proposals doc on google, and I generally know where to look.

 

Could you maybe put a link to the call-for-proposals page on the FIPS 203 / 204 / 205 landing pages?

 

https://csrc.nist.gov/pubs/fips/204/final

 

I’m thinking an entry on the “Supplemental Material” sidebar with a link called “Security Categories defined in Call for Proposals Security Criteria".

 

---

Mike Ounsworth

Brent Kimberley

Sep 15, 2024, 1:28:31 PM
to Phillip Hallam-Baker, pqc-forum
When I hear the term security category, I tend to think of things like the degree of injury that could (reasonably?) be expected - considering, but not limited to, issues such as loss of availability, integrity, or confidentiality.




Mike Ounsworth

Sep 15, 2024, 2:25:41 PM
to Brent Kimberley, Phillip Hallam-Baker, pqc-forum

Hi Brent,

 

The “security categories” that we’re talking about with respect to the NIST post-quantum primitives have the following definitions [1], they could apply to any type of application-level security property (availability, integrity, or confidentiality), depending on how the cryptographic primitive is used within the application.

 

“””

NIST will define a separate category for each of the following security requirements (listed in order of increasing strength):

  1. Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 128-bit key (e.g. AES128)
  2. Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 256-bit hash function (e.g. SHA256/ SHA3-256)
  3. Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 192-bit key (e.g. AES192)
  4. Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 384-bit hash function (e.g. SHA384/ SHA3-384)
  5. Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 256-bit key (e.g. AES 256)

“”

 

[1]: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria)

---

Mike Ounsworth
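
Added example, not part of any poster's message and not code from NIST or from the registry Phillip Hallam-Baker describes: a sketch of selecting algorithms and filtering certificate paths by the policy labels mentioned earlier in the thread (CS112, SC4), using the five categories quoted above. The parameter-set categories are those claimed in FIPS 203 and FIPS 204; the classical strengths given for RSA-2048 and Ed448, the registry layout and every function name are assumptions of this sketch.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Category -> (attack type, reference primitive, classical work exponent).
# The exponent is the generic classical cost of the reference attack: key
# search on a k-bit key ~2^k, collision search on an n-bit hash ~2^(n/2).
CATEGORY_REFERENCE = {
    1: ("key search", "AES-128", 128),
    2: ("collision search", "SHA-256", 128),
    3: ("key search", "AES-192", 192),
    4: ("collision search", "SHA-384", 192),
    5: ("key search", "AES-256", 256),
}


@dataclass(frozen=True)
class Entry:
    classical_bits: int          # floor on classical security strength
    category: Optional[int]      # None: no post-quantum category claimed


def pq(category: int) -> Entry:
    """Entry for an algorithm that claims the given security category."""
    return Entry(CATEGORY_REFERENCE[category][2], category)


# Hypothetical registry. Categories are those claimed in FIPS 203 / FIPS 204;
# the classical-only rows are assumptions of this sketch.
REGISTRY = {
    "ML-KEM-512": pq(1), "ML-KEM-768": pq(3), "ML-KEM-1024": pq(5),
    "ML-DSA-44": pq(2), "ML-DSA-65": pq(3), "ML-DSA-87": pq(5),
    "RSA-2048": Entry(112, None),
    "Ed448": Entry(224, None),
}

_POLICY = re.compile(r"(CS|SC)(\d+)")


def parse_policy(label: str):
    """Split 'CS112' / 'SC4' into (kind, level); reject anything else."""
    m = _POLICY.fullmatch(label)
    if m is None:
        raise ValueError(f"unrecognised policy label: {label!r}")
    kind, level = m.group(1), int(m.group(2))
    if kind == "SC" and level not in CATEGORY_REFERENCE:
        raise ValueError(f"no such security category: {level}")
    return kind, level


def meets(algorithm: str, label: str) -> bool:
    kind, level = parse_policy(label)
    entry = REGISTRY.get(algorithm)
    if entry is None:
        return False                       # unknown identifier: fail closed
    if kind == "CS":
        return entry.classical_bits >= level
    # SC policy: an algorithm with no claimed category never qualifies,
    # however large its classical strength.
    return entry.category is not None and entry.category >= level


def select(label: str):
    """Algorithms an application could be given for this policy label."""
    return sorted(name for name in REGISTRY if meets(name, label))


def acceptable_paths(paths, label: str):
    """Keep only non-empty paths in which every signature meets the policy."""
    return [p for p in paths if p and all(meets(a, label) for a in p)]


if __name__ == "__main__":
    # Constructed sample: signature algorithm of each link, leaf to root.
    paths = [["ML-DSA-87", "ML-DSA-65"], ["ML-DSA-87", "ML-DSA-87"],
             ["ML-DSA-87", "Ed448"]]
    print(select("CS112"))
    print(acceptable_paths(paths, "SC4"))
```

Because categories 2 and 4 are defined by collision search, their classical floor equals that of categories 1 and 3; a CS label therefore cannot distinguish them, and only an SC label does.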

 


Phillip Hallam-Baker

Sep 15, 2024, 9:23:43 PM
to Brent Kimberley, pqc-forum
The overcommitment of commonly understood terms is inevitable in building standards. This is the term that has been established.

The paradigm shift we are going to have to address is that previously we would perform path discovery relative to an accepted set of algorithms. In future we are going to have to do path discovery relative to an assurance level.

Consider the case in which we are looking to verify a signature on a document signed in 2025 using Ed448 that is enrolled in a notary chain and timestamped according to an authority we trust (i.e. ourselves). A signature created before a CRQC is believed to have existed probably has a rebuttable assumption of validity.


John Mattsson

Sep 16, 2024, 2:38:14 AM
to Mike Ounsworth, Moody, Dustin (Fed), Phillip Hallam-Baker, pqc-forum

Hi,

 

I was also a bit surprised that there is no definition of the security categories in the final documents. I agree that having it in supplementary material would be good until SP 800-57 is revised.

Not sure linking to the "call of proposals" is the best option. The call of proposal is 7 years old and not very relevant after the submission deadline. I think it might be better if NIST linked to Appendix A in the draft versions.

 

In the SP 800-57 revision I think NIST should:

- Add MAXDEPTH also for classical gates.

- Explain that other symmetric algorithms with 128-bit keys might have slightly smaller circuits than AES-128 but would still be category 1 as attacks require computational resources _comparable_ with key search on AES-128.

- Align some of the text with the IETF statement in https://datatracker.ietf.org/liaison/1942/

 

Cheers,

John

 

John Mattsson

Sep 16, 2024, 9:02:47 AM
to Mike Ounsworth, Moody, Dustin (Fed), Phillip Hallam-Baker, pqc-forum

> - Explain that other symmetric algorithms with 128-bit keys might have slightly smaller circuits than AES-128 but would still be category 1 as attacks require computational resources _comparable_ with key search on AES-128.

Regarding this, has anyone done analysis of Ascon and KMAC128? My guess would be that they require more gates than AES-128.

 

Cheers,
John

Sebastien Riou

Sep 16, 2024, 9:44:01 AM
to John Mattsson, Mike Ounsworth, Moody, Dustin (Fed), Phillip Hallam-Baker, pqc-forum
> has anyone done analysis of Ascon and KMAC128? My guess would be that they require more gates than AES-128.

YES and NO:
- Certainly YES if you do a purely functional implementation
- NO if you do a side channel protected implementation (where side channel = power or EM), because AES sbox is hard to mask
 

Sebastien Riou

Director, Product Security Architecture

PQShield Ltd

 

M:             +33 782 320 285

E:              sebasti...@pqshield.com

W:             www.pqshield.com



Friedrich Wiemer

Sep 16, 2024, 9:49:27 AM
to Sebastien Riou, 'Sebastien Riou' via pqc-forum, John Mattsson, Mike Ounsworth, Moody, Dustin (Fed), Phillip Hallam-Baker, pqc-forum
For a quantum cryptanalysis attack, I don't need to implement the primitive with side channel measures, do I?

--
Dr. Friedrich Wiemer,
orcid.org/0000-0003-2998-6777

John Mattsson

Sep 16, 2024, 11:56:07 AM
to Friedrich Wiemer, Sebastien Riou, 'Sebastien Riou' via pqc-forum, Mike Ounsworth, Moody, Dustin (Fed), Phillip Hallam-Baker, pqc-forum

Friedrich Wiemer wrote:

> For a quantum cryptanalysis attack, I don't need to implement the primitive with side channel measures, do I?

No, definitely not. For some algorithms you might even be able to use a non-compatible implementation that skips some corner cases.

 

Cheers,
John Preuß Mattsson

 

Brent Kimberley

Sep 16, 2024, 12:22:08 PM
to Friedrich Wiemer, Sebastien Riou, 'Sebastien Riou' via pqc-forum, John Mattsson, Mike Ounsworth, Moody, Dustin (Fed), Phillip Hallam-Baker
Just be sure to add 'Maneuvering Characteristics Augmentation System' to the list of acronyms before you ship. 



Sebastien Riou

Sep 16, 2024, 1:33:09 PM
to Friedrich Wiemer, 'Sebastien Riou' via pqc-forum, John Mattsson, Mike Ounsworth, Moody, Dustin (Fed), Phillip Hallam-Baker
Side channel attacks and countermeasures have nothing to do with quantum cryptanalysis. I answered the question without realising that it was about quantum cryptanalysis, please ignore it. (I understood « gates » as classical hardware gates, a popular proxy for the size of a design on a chip)


Sebastien Riou



Anubhab Baksi

Sep 17, 2024, 3:33:07 AM
to John Mattsson, Mike Ounsworth, Moody, Dustin (Fed), Phillip Hallam-Baker, pqc-forum
Dear John,

Regarding your message,
> "Has anyone done analysis of Ascon and KMAC128?",
you may be interested in our research:

Thanks,
Anubhab
