Re: [pqc-forum] Abridged summary of pqc-forum@list.nist.gov - 2 updates in 2 topics


Tushar Patel
Mar 25, 2025, 12:20:07 AM
to pqc-...@list.nist.gov
I think the FIPS design for KAS and KDF clearly delineates the public-key-based authentication and key exchange from the application-specific KAS and KDF:

1. Authentication is through PQC.
2. Symmetric/shared key is through KAS/PQC key transpose.
3. Authorization and/or network access can be set up with the shared key, application-specific context & label with an approved KDF.
4. One may use a one-time pad or another app-specific challenge for some parts, which can bind to the KDF as an X.509 url/uri/event.
5. For a KDF run in the HSM, wrap the pad before providing it to the HSM; all it needs is the CTR, 0 byte and pad length, all other items are app-specific.
6. Also, many providers love to bundle the KAS and KDF into an integrated setup; this varies depending on whether the decision is for Top Secret confidentiality or cybersecurity/DLP/AppID/transparency. I am not in favor of any specific approach and leave it to the stakeholders to decide on it; however, I have had a grunt debugging many ghost ops on hub/spoke, service meshes/containers to realize it is a delicate balance between the simplicity/complexity trade-offs that led to the issue.
7. The proliferation of vulnerabilities speaks for itself, and even PQC is just a complexity to address QC superimposition, which is at risk with two or three currently known algorithms like Shor's, Grover's and Normalization. If QC itself stays at that level then it has no invention model, and it is highly unlikely that it won't innovate over the next few years with the investments in it, so it will get rough over the period in which we start PQC roots and intermediates.

This is the correct way that one of my STIG mentors guided me in 2006: if any participant entity does not have an exclusive (non-public) element in a cryptographic setup, then there is always an attack vector possible.

Let me know if you still have any doubts or need any clarification, on a separate private email.

Sinc. & Thx.,
Tushar

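Items 3 and 5 of the post describe deriving application keys from the KAS shared secret with a label and context through an approved KDF, driven by a counter, a zero byte and a length field. The following is an added example, not part of Tushar's post or of any FIPS document: it assumes the approved KDF meant is the SP 800-108 counter-mode KDF with HMAC-SHA256 as the PRF, and the shared secret, labels and context are constructed sample values.

```python
import hashlib
import hmac


def kdf_ctr_hmac(k_in: bytes, label: bytes, context: bytes, length: int,
                 hash_name: str = "sha256") -> bytes:
    """SP 800-108 KDF in counter mode with HMAC as the PRF.

    Block i = HMAC(K_IN, [i]_2 || Label || 0x00 || Context || [L]_2), with a
    4-byte big-endian counter i and L = requested output length in bits
    (also 4 bytes). The 0x00 byte separates Label from Context so that moving
    bytes across the boundary cannot yield the same derived key, and encoding
    L binds the output length, so a 32-byte key is not a prefix of a 64-byte one.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    h_len = hashlib.new(hash_name).digest_size
    n_blocks = -(-length // h_len)  # ceiling division
    if n_blocks > 0xFFFFFFFF:
        raise ValueError("requested output exceeds the 32-bit counter range")
    fixed = label + b"\x00" + context + (length * 8).to_bytes(4, "big")
    out = bytearray()
    for i in range(1, n_blocks + 1):
        out += hmac.new(k_in, i.to_bytes(4, "big") + fixed, hash_name).digest()
    return bytes(out[:length])


def derive_app_keys(shared_secret: bytes, context: bytes) -> dict:
    """Derive per-purpose keys from one KAS shared secret.

    Distinct labels give domain separation: the confidentiality key and the
    MAC key come from the same secret but are computed over different inputs.
    (Label names are hypothetical, chosen for this example.)
    """
    return {
        "enc": kdf_ctr_hmac(shared_secret, b"app-enc", context, 32),
        "mac": kdf_ctr_hmac(shared_secret, b"app-mac", context, 32),
    }


if __name__ == "__main__":
    # constructed sample inputs, not real key material
    z = bytes(range(32))
    ctx = b"initiator-id|responder-id|session-nonce"
    for name, key in derive_app_keys(z, ctx).items():
        print(name, key.hex())
```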

On Mon, Mar 24, 2025 at 8:07 PM <pqc-...@list.nist.gov> wrote:

Samuel Lee <samue...@microsoft.com>: Mar 24 07:00PM -0700

Hey folks,

I raised a concern last August that I did not think the FIPS 140-3 IG
updates for finalized PQC algorithms were quite right: ...more

Samuel Lee <samue...@microsoft.com>: Mar 24 04:08PM -0700

Hey folks,
I was reasoning around malicious keypair generation for ML-DSA, and
realized that there is a pretty trivial attack one can carry out to
introduce a trapdoor from public keys to private ...more