Minutes IETF122: pquip
minutes-122-pquip-00

Meeting Minutes Post-Quantum Use In Protocols (pquip) WG
Date and time 2025-03-17 10:00
Title Minutes IETF122: pquip
State Active
Last updated 2025-03-27

PQUIP WG
IETF 122, Bangkok (กรุงเทพมหานคร) (Krung Thep Maha Nakhon)
Monday March 17, 2025
Session IV, 17:00 - 18:30

Minutes by Paul Hoffman
Stuff here is only of what was said at the mic, not by the presenters
Full video is at https://www.youtube.com/watch?v=qIA2nN4o3mc
Materials are at https://datatracker.ietf.org/meeting/122/session/pquip/

Welcome
        Note Well
        Agenda bashing
Current document status

PQC in certificates at the Hackathon, Jean-Pierre Fiset
        Paul Hoffman: The group meets every two weeks, not just at Hackathons

Side meeting on PQC Dialogue with Government Stakeholders, John Preuß Mattsson
        Session was recorded
        Will send notes to the mailing list

Hash-based Signatures: State and Backup Management, Thom Wiggers
        Paul: Will have more discussion on mailing list
                Please pass this draft to others in your organization who might
                care

Adapting HSMs for Post-Quantum Cryptography, Tiru Reddy
        Scott Fluhrer: Is it within the IETF charter to tell hardware
        manufacturers what to do?
        Richard Barnes: Doesn't seem in scope of the IETF or this WG
        Jean-Pierre: Is an HSM developer
                The last thing he wants is another document telling him what to
                do
                Governments are asking themselves what makes something "PQC"
                This is an opportunity to answer that for HSMs, so there might
                be some value there
        Deirdre Connolly: Thinks this is valuable, supports its adoption
        Tiru: Willing to change the levels of requirements and change the
        content

Efficient (!) PQ through Hybrids, Britta Hale
        Deirdre: Thanks especially for the benchmarks
                Do you have benchmarks for the different epochs you like for
                the different hybrids using a hybrid KEM inside HPKE?
                This design has a lot of nice things, like tunability
                Britta: In MLS, if you're using X-Wing as the combiner, you
                might be tempted to do updates less, which would be bad
                        It all depends on your use case
        Tiru: What happens after the transition from hybrid to a pure scheme?
        Won't the benefits go away?
                Britta: Would this ever go away?
                        There is a lot of ease in the proof of security
                        This could be a long-term solution for light-weight
                        scenarios
        John: Didn't understand which security levels were being compared
                Could be used for making those comparisons
                Britta: These were all 768
        Scott: Even if the traditional is completely broken, add in a 512, and
        this still gives you some savings
                Britta: Lots of combinations to look at

The Great Private Key War of ‘25, Mike Ounsworth
        Tiru: Can COSE and JOSE just pick one of these approaches (seed), or do
        they need to go with the "choice" approach?
                Mike: If your protocol is software-only and you'll never have
                keys in hardware things, do whatever you want
                        If your protocol is going to have to use hardware where
                        they did the "choice" approach, you're going to have to
                        deal with it
                How will I know that?
                        Mike: I won't know that either
        PaulW: The COSE draft is waiting on my desk, I held it there
                The document will have to implement the "both" construct
        Mike, to everyone: Do private keys need to be cross-protocol compatible?
        Rich Salz: The thing that makes this not horrible is that everything is
        fixed-size
                If you get something as 64 plus wrapper, you know what it is
                This makes it easy to use even if you ignore decoders
        Deirdre: LAMPS landed on seed, expanded key, or both, but when you have
        both, you SHOULD check if seed and expanded key match
                This is only a SHOULD, not a MUST; this feels bad and a lot of
                us have argued against it
                Mike: This is the unresolved point, still two camps on this
                issue


IETF is Quantum-Fragile, Deirdre Connolly
        This presentation and its mic line would be impossible to annotate as
        minutes
                The spoken part of the presentation was often different than
                the slides
                The mic line started early in the presentation and often
                interrupted the slides
                The presenter and the mic line were more passionate
        See https://www.youtube.com/watch?v=qIA2nN4o3mc starting at 1:00:40