Hi Markku,
Thank you for your feedback - this discussion is a dimension that is important, namely the interface between NIST's schemes and managing keys that those schemes require.
> There are proposals such as [2] that diverge from the public key serialization methods specified by the Dilithium design team, and which have been evaluated in the NIST process.
We would like to point out that this work is focused entirely on managing keys and not in any way on the schemes themselves. It has already found several issues with the specifications in a number of submitted schemes. This work is in preparation for a submission to IETF where a broader community can debate the content and has already received feedback from authors of most schemes.
There was no guidance during the NIST process on how keys should be managed - only an interface that required a serialized blob. Over the rounds, serialization formats have changed, and it is likely that this will be the case in the future. Interoperability between early implementations has not been easy for this reason. Add to this the fact that many legacy environments will not be able to manage even the smaller of the PQC key sets (Isogenies aside) unless they are stored/transported in a compressed format. For these reasons we would argue that binary blobs are not an appropriate way to manage keys and we need a discussion on how to do that in an agile but safe way. We hope that having that discussion early and at the right venue will prevent many of the mistakes that were made with ECC and help with the divergence between standards.
Your feedback is useful in the context of security considerations for key management.
Regards, on behalf of the team,
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/4f61d62c-b83b-4729-8726-d10232ae2b93n%40list.nist.gov.
Hi,
We are now very close to the end of round 3. As the US government plans to update the CNSA suite already at the end of round 3, we might very soon see use of PQC in a lot of operational systems.
https://www.nsa.gov/Cybersecurity/Post-Quantum-Cybersecurity-Resources/
NIST seems to have a sensible and concrete plan for Round 4 with a new call of proposals.
But round 4 will still be limited to KEMs and Signatures, which is a great start but clearly limiting. The most obvious thing missing is maybe NIKE. Static-Static DH has been used a lot for a long time. While Static-Static and Ephemeral-Static DH have for good reasons been replaced by Ephemeral-Ephemeral DH in TLS, the use of Static-Static Key Exchange and Ephemeral-Static DH for implicit authentication has increased in other areas to lower the number of flights / message size / complexity, or to move away from the insecure use of symmetrical group keys. KEMs can do implicit authentication, but not very efficiently.
https://s3.amazonaws.com/files.douglas.stebila.ca/files/research/presentations/20210513-Alphabet.pdf
https://signal.org/docs/specifications/x3dh/
https://noiseexplorer.com/patterns/XX/
https://datatracker.ietf.org/doc/draft-ietf-lake-edhoc/
https://datatracker.ietf.org/doc/html/rfc8152
https://datatracker.ietf.org/doc/draft-ietf-core-oscore-groupcomm/
https://ieeexplore.ieee.org/document/8950068
There are of course also a lot of other use cases where public-key cryptography is used such as Privacy-Enhancing Cryptography, Identity-Based Encryption, Signature Aggregation, etc., that cannot directly be replaced by KEMs and simple signatures.
https://csrc.nist.gov/projects/pec
https://www.ietf.org/archive/id/draft-irtf-cfrg-bls-signature-04
The community should start to discuss what comes after round 4. Standardization and deployment take a long time. It is possible that CRQCs will never exist, but in the worst case we only have 10-20 years.
Some of this work might be done in CFRG which lately has complemented NIST in a very nice way, with NIST adopting CFRG publications such as Curve25519, EdDSA, XMSS, and LMS.
https://datatracker.ietf.org/rg/cfrg/documents/
Cheers,
John Preuß Mattsson
Ericsson