Criteria for selection of public-key cryptographic algorithms for quantum-safe hybrid cryptography
draft-whyte-select-pkc-qsh-02

Document Type Active Internet-Draft (individual)
Last updated 2016-10-05
INTERNET-DRAFT                                             J. M. Schanck
Intended Status: Experimental          Security Innovation & U. Waterloo
Expires: 2017-04-04                                             W. Whyte
                                                     Security Innovation
                                                                Z. Zhang
                                                     Security Innovation
                                                              2016-10-04

     Criteria for selection of public-key cryptographic algorithms 
                  for quantum-safe hybrid cryptography
                   draft-whyte-select-pkc-qsh-02.txt

Abstract

   Authenticated key exchange mechanisms instantiated with cryptosystems
   based on integer factorization, finite field discrete log, or
   elliptic curve discrete log are believed to be secure now but are
   vulnerable to a harvest-then-decrypt attack, in which an attacker who
   cannot currently break the mechanism records the traffic anyway and
   decrypts it at some point in the future when quantum computers become
   available.  The Quantum-safe Hybrid approach is a modular design
   that allows any authenticated key exchange mechanism to be protected
   against the harvest-then-decrypt attack: additional secret material
   is exchanged under an ephemeral key for a quantum-safe public key
   cryptographic algorithm, and that secret material is included in the
   Key Derivation Function (KDF) run at the end of the key exchange.
   This approach has been proposed in TLS as the Quantum-safe Hybrid
   handshake mechanism for the Transport Layer Security protocol
   (QSH_TLS).  This document provides guidelines on criteria for
   selecting public key encryption algorithms approved for experimental
   use in the quantum-safe hybrid setting.
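   The key derivation step the abstract describes, as an added example
   that is not part of the draft: the classical shared secret and the
   quantum-safe shared secret are both fed into an HKDF (RFC 5869), so
   an attacker who later breaks only the classical exchange does not
   recover the session key.  The length-prefixed IKM framing, the info
   string and the sample secrets are this example's own assumptions,
   not the QSH_TLS definition.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_hybrid_key(classical_ss: bytes, qs_ss: bytes,
                      transcript: bytes, length: int = 32) -> bytes:
    """Quantum-safe hybrid derivation: both shared secrets enter the KDF.

    classical_ss: output of the classical exchange (e.g. ECDHE).
    qs_ss: secret material recovered from the quantum-safe ephemeral
           public key encryption.  Passing b"" models a peer that did not
           contribute quantum-safe material.
    Framing (2-byte length prefixes, fixed info label) is an assumption of
    this example, not the wire format of the QSH_TLS proposal.
    """
    ikm = (len(classical_ss).to_bytes(2, "big") + classical_ss
           + len(qs_ss).to_bytes(2, "big") + qs_ss)
    # Bind the key to the handshake transcript via the salt.
    salt = hashlib.sha256(transcript).digest()
    return hkdf(salt, ikm, b"qsh hybrid example", length)


# Constructed stand-ins for real exchange outputs (not real key material).
CLASSICAL_SS = bytes.fromhex("11" * 32)   # pretend ECDHE shared secret
QS_SS = bytes.fromhex("22" * 32)          # pretend quantum-safe secret
TRANSCRIPT = b"constructed handshake transcript"
```

   Running derive_hybrid_key with QS_SS and with b"" on the same
   transcript yields different keys, which is the property the hybrid
   design relies on.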

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html.  

Schanck et al.             Expires 2017-04-04                   [Page 1]
INTERNET DRAFT     PKC Selecting Criteria for QSH-TLS         2016-10-04

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   Update from the last version: kept alive pending TLS WG review.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Background . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     2.1.  Quantum Attacks on Cryptosystems . . . . . . . . . . . . .  4
       2.1.1.  Shor's algorithm . . . . . . . . . . . . . . . . . . .  4
       2.1.2.  Grover's algorithm . . . . . . . . . . . . . . . . . .  5
     2.2.  Harvest-then-decrypt attack  . . . . . . . . . . . . . . .  5
     2.3.  Quantum-safe hybrid approach . . . . . . . . . . . . . . .  5
     2.4.  Symmetric algorithm  . . . . . . . . . . . . . . . . . . .  6
     2.5.  Random bit generation  . . . . . . . . . . . . . . . . . .  6
   3.  Selection Criteria . . . . . . . . . . . . . . . . . . . . . .  6
     3.1.  Similar work . . . . . . . . . . . . . . . . . . . . . . .  6
     3.2.  Mandatory aspects  . . . . . . . . . . . . . . . . . . . .  7
       3.2.1.  Security levels  . . . . . . . . . . . . . . . . . . .  7
       3.2.2.  Freely available specifications of the algorithm . . .  7
       3.2.3.  Freely available source code for a reference
               implementation . . . . . . . . . . . . . . . . . . . .  8
     3.3.  Desirable aspects  . . . . . . . . . . . . . . . . . . . .  8
       3.3.1.  SUPERCOP implementation  . . . . . . . . . . . . . . .  8
       3.3.2.  Constant-time implementation . . . . . . . . . . . . .  9
       3.3.3.  Standardization  . . . . . . . . . . . . . . . . . . .  9
       3.3.4.  Patent and IP related issues . . . . . . . . . . . . .  9
   4.  Recommendations, justifications and considerations . . . . . .  9
     4.1.  Preliminary list of recommendations  . . . . . . . . . . .  9
     4.2.  Schemes under consideration  . . . . . . . . . . . . . . . 10
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     6.1.  Normative References . . . . . . . . . . . . . . . . . . . 10