PQC Dialogue with Government Stakeholders Side-Meeting at IETF 122 Bangkok

328 views
Skip to first unread message

John Mattsson

unread,
Feb 28, 2025, 1:44:40 AM2/28/25
to

Hi,

 

There was significant interest from several countries to have a side-meeting on PQC at IETF 122 Bangkok, so Ericsson will organize such a meeting on Monday 17 March 15.15 - 16.45 Bangkok time in Meeting Room 2 [40 seats] (overlapping with Monday Session III). It is possible to attend remotely.

https://trello.com/c/nH9exeWo

 

Potential discussion topics are listed below. There might be a few short presentations to foster discussion, but the plan is to focus on dialogue and discussion between people in the IETF and government stakeholders.

 

Cheers,

John Preuß Mattsson

Expert, Cryptographic Algorithms and Security Protocols, Ericsson

 

Description

Time: 15:15-16:45
Meeting Title: PQC Dialogue with Government Stakeholders
IETF Webex: https://ietf.webex.com/meet/ietfsidemeeting2
Meeting Organizer: John Preuß Matsson, Ericsson and Alexander Engström, NDRE
Email address: john.m...@ericsson.com

Meeting Description: Potential discussion topics:

  • Recommended PQC algorithms (KEMs and signatures)
    o ML-KEM, ML-DSA, SLH-DSA, FN-DSA, Classic McEliece, FrodoKEM, BIKE/HQC, XMSS/LMS, …
    o Security category 1,2,3,4,5? Does it depend on algorithm and use case?
  • Timelines for PQC migration
    o When should migration begin? When will it be required?
    o Does it depend on user, use case, protection lifetime, hardware vs software, migration complexity, value of the protected node and data, scheduled hardware replacement, etc.?
  • Hybridization or standalone PQC
    o Difference between KEMs and Signatures
    o Differences between algorithms (e.g., lattice-based vs. hash-based)
    o Differences between use cases (e.g., confidentiality vs. authentication)
    o Is hybridization a short-term necessity or a long-term strategy?
  • Hybridization of PQC KEMs
    o Single vs. multiple PQC algorithms? Role of symmetric keys?
    o KEM combiners: general-purpose vs. optimized designs
    o Which traditional curves? X25519/X448, NIST P-curves, Brainpool, …
  • Hybridization of signatures
    o Role of symmetric keys?
    o Signature combiners, general or optimized?
    o Desired properties: SUF-CMA? Other security properties?
    o Which traditional signatures? EdDSA, ECDSA, RSA?
  • KDF and hash functions
    o ML-KEM and ML-DSA mandate SHA-3.
    o Time to move away from SHA-2/HMAC/HKDF/MGF?
Reply all
Reply to author
Forward
0 new messages