
Liaison statement
Response to the Liaison Statement on Quantum Safe Cryptographic Protocol Inventory

State: Posted
Submitted Date: 2024-07-25
From Group: SEC
From Contact: Deb Cooley
To Group: ETSI-TC-CYBER
To Contacts: campagna@amazon.com
             CyberSupport@etsi.org
Cc: The IETF Chair <chair@ietf.org>
    Paul Wouters <paul.wouters@aiven.io>
    Deb Cooley <debcooley1@gmail.com>
    Russ Housley <housley@vigilsec.com>
    Tim Hollebeek <tim.hollebeek@digicert.com>
    Yoav Nir <ynir.ietf@gmail.com>
    Tero Kivinen <kivinen@iki.fi>
    Sofia Celi <sceli@brave.com>
    Paul Hoffman <paul.hoffman@icann.org>
    Joseph Salowey <joe@salowey.net>
    Sean Turner <sean+ietf@sn3rd.com>
    Deirdre Connolly <durumcrustulum@gmail.com>
Response Contact: Paul Wouters <paul.wouters@aiven.io>
                  Deb Cooley <debcooley1@gmail.com>
Purpose: In response
Attachments: (None)
Liaisons referred by this one: Quantum Safe Cryptographic Protocol Inventory

Body:
The IETF thanks the ETSI TC CYBER for your liaison titled "Quantum Safe
Cryptographic Protocol Inventory" (https://datatracker.ietf.org/liaison/1893/).
We appreciate the ETSI TC CYBER work on this important topic and your effort to
keep the IETF apprised of your progress, including sharing the developed
document and details of the ongoing work.

The IETF considers PQC migration a very important topic and is working on
introducing PQC algorithms for key exchange, public-key encryption, and digital
signatures as soon as possible after the ML-KEM, ML-DSA, and SLH-DSA standards
are finalized by NIST. All pre-standardized algorithms have been marked as not
recommended. The IETF is currently discussing which hybrids and pure-PQ options
to recommend. At this point there have been no suggestions to make PQC
mandatory-to-implement.

The ETSI TC CYBER liaison, developed document, and ongoing work were discussed
within the IETF. Most active IETF working groups specifying protocols using
asymmetric cryptography are discussing and working on the introduction of
quantum-resistant algorithms.

- IRTF CFRG has specified LMS and XMSS and is discussing how to best combine
ECC and PQC in hybrid KEMs and how to introduce ML-KEM in Hybrid Public Key
Encryption.

https://datatracker.ietf.org/rg/cfrg/documents/

- IETF LAMPS is working on introducing LMS, XMSS, ML-DSA, SLH-DSA, and ML-KEM
in X.509 Public Key Infrastructure and Cryptographic Message Syntax (CMS).

https://datatracker.ietf.org/wg/lamps/documents/

- IETF IPSECME has specified a quantum-resistant PSK extension as well as
intermediate and multiple key exchanges to prepare for PQC. IPSECME is
discussing introduction of ML-KEM, ML-DSA, and FrodoKEM.

https://datatracker.ietf.org/group/ipsecme/documents/

- IETF TLS is discussing introduction of ML-KEM+ECC hybrids and ML-KEM
standalone for (D)TLS 1.3. There are already deployments of pre-standard
Kyber768. Note that the obsolete TLS 1.2 will not receive any updates.

https://datatracker.ietf.org/group/tls/documents/
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

- IETF JOSE and COSE are working on introduction of ML-DSA and SLH-DSA for use
in e.g. JWS/JWT/OAuth 2.0. Discussions on how to introduce ML-KEM are ongoing.

https://datatracker.ietf.org/wg/jose/documents/
https://datatracker.ietf.org/wg/cose/documents/

- IETF PQUIP is a standing venue to discuss PQC migration. PQUIP is working on
classification, terminology, and guidance documents.

https://datatracker.ietf.org/wg/pquip/documents/

- IETF has reopened the SSH mailing list to allow discussion of migration to
PQC.

https://mailarchive.ietf.org/arch/browse/ssh/

One recommended contact point for clarification on specific topics is to send a
mail to the relevant mailing list or to the working group chairs.

The document ETSI TR 103 619 V1.1.1 (2020-07) highlighted in the LS was
discussed on several IETF mailing lists. We kindly suggest that ETSI CYBER
consider the following suggestions in the next revision of TR 103 619:

- Consider using the established term Cryptographically Relevant Quantum
Computers (CRQCs). It is important that readers understand that there is a huge
difference between current quantum computers and CRQCs.

- Consider using another term than “classical cryptography”. It might confuse
the reader as quantum-resistant cryptography like ML-KEM and ML-DSA runs on
classical computers. A term used in IETF is “traditional” [1].

- Consider updating and correcting the information regarding symmetric
cryptography. The idea that symmetric cryptography will be practically affected
by CRQCs is now seen as a misconception. The “bits of security” concept does
not work with algorithms that are not parallelizable, and NIST is therefore
transitioning to quantum-resistant security levels based on symmetric
algorithms, where level 1 is equivalent to AES-128, level 2 to SHA-256, etc.
[2]. The UK government assesses that “symmetric algorithms with at least 128-bit
keys (such as AES) can continue to be used” [3]. While classical supercomputers
might be able to brute force AES-128 around the year 2090 [4-5], a huge cluster
of one billion CRQCs (according to one estimate costing one billion USD each)
would take a million years of uninterrupted calculation to find a single
AES-128 key. Algorithms with quadratic (n^2) speedup like Grover’s algorithm
(which is proven to be optimal) will not provide any practical quantum
advantage for breaking symmetric cryptography and likely not for any other
problems [6-7].

- The name of the X.509 field is “Subject Public Key Info”, not “Subject Key
Info”.
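The parallelization point made in the symmetric-cryptography item above, worked
through as an added illustration that is not part of the liaison statement
itself. The machine count p = 2^30 is an assumption chosen to approximate the
"one billion CRQCs" figure; the quantities below are counts of sequential
operations per machine, not running times, since the per-iteration cost of an
error-corrected quantum circuit is not given here.

Let N = 2^k be the keyspace (k = 128 for AES-128) and let p machines each search
a disjoint subspace of size N/p.

Classical exhaustive search, worst-case steps per machine:

    T_classical(p) = N / p

Grover's algorithm on a single machine needs about (pi/4) * sqrt(N) sequential
iterations, each evaluating AES inside the quantum circuit. A machine searching
a subspace of size N/p therefore needs

    T_grover(p) = (pi/4) * sqrt(N / p)

so p machines give only a sqrt(p) speedup instead of a factor of p. With k = 128
and p = 2^30:

    T_classical(2^30) = 2^128 / 2^30            = 2^98
    T_grover(2^30)    = (pi/4) * sqrt(2^128 / 2^30) = (pi/4) * 2^49

Going from one machine to 2^30 machines divides the classical per-machine work
by 2^30 but the Grover per-machine work by only 2^15. Read in "bits of security"
terms, the single-machine Grover count of 2^64 iterations looks like a 64-bit
problem, yet a genuinely 64-bit classical problem spread over 2^30 machines
leaves 2^34 steps each, whereas the Grover search cannot be driven below
(pi/4) * 2^49 sequential iterations per machine. Halving the key length is
therefore not a faithful model of the strength of AES-128 against a CRQC, which
is why security levels are being restated in terms of the symmetric algorithms
themselves rather than in bits.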

Sincerely,

Deb Cooley
IETF Security Area Director

[1] Driscoll, Parsons, “Terminology for Post-Quantum Traditional Hybrid Schemes”
https://datatracker.ietf.org/doc/draft-ietf-pquip-pqt-hybrid-terminology/

[2] NIST, “Comments Requested on Three Draft FIPS for Post-Quantum Cryptography”
https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography

[3] UK NCSC, “Next steps in preparing for post-quantum cryptography”
https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography

[4] CRYPTREC, “Cryptographic Technology Evaluation Committee Activity Report”
https://www.cryptrec.go.jp/symposium/2023_cryptrec-eval.pdf

[5] CRYPTREC, “Japan CRYPTREC Activities on PQC”
https://events.btq.li/Japan_CRYPTREC_Activities_on_PQC_Shiho_Moriai.pdf

[6] Hoefler, Häner, Troyer, “Disentangling Hype from Practicality: On
Realistically Achieving Quantum Advantage”
https://cacm.acm.org/magazines/2023/5/272276-disentangling-hype-from-practicality-on-realistically-achieving-quantum-advantage/fulltext

[7] Babbush, McClean, Newman, Gidney, Boixo, Neven, “Focus beyond Quadratic
Speedups for Error-Corrected Quantum Advantage”
https://arxiv.org/pdf/2011.04149.pdf