[{"author": "Thom Wiggers", "text": "

Time for a slides working group

", "time": "2023-07-25T20:09:46Z"}, {"author": "Phillip Hallam-Baker", "text": "

Synonyms for Traditional: 'unadventurous', 'ritual'

", "time": "2023-07-25T20:12:47Z"}, {"author": "Jonathan Hoyland", "text": "

Well we should probably avoid the clash with classical cryptography

", "time": "2023-07-25T20:13:51Z"}, {"author": "Phillip Hallam-Baker", "text": "

Every good alternative to Traditional starts with a C

", "time": "2023-07-25T20:14:13Z"}, {"author": "Michael Richardson", "text": "

@meetecho, that speaker mic is rather low, while Paul is not a problem.

", "time": "2023-07-25T20:17:31Z"}, {"author": "Lorenzo Miniero", "text": "

Is this a problem only remotely or in the room too?

", "time": "2023-07-25T20:18:28Z"}, {"author": "Deb Cooley", "text": "

only remote

", "time": "2023-07-25T20:18:56Z"}, {"author": "Rui Paulo", "text": "

room sounds ok

", "time": "2023-07-25T20:19:00Z"}, {"author": "Lorenzo Miniero", "text": "

Ack, we'll go check if we can fix this, heading there

", "time": "2023-07-25T20:20:41Z"}, {"author": "Lorenzo Miniero", "text": "

For the chair: there's an ethernet cable on the desk you can use, no need to use the wifi

", "time": "2023-07-25T20:21:34Z"}, {"author": "Yoav Nir", "text": "

@Lorenzo: Paul is using a Mac, and they haven't had an Ethernet cable in a while

", "time": "2023-07-25T20:22:27Z"}, {"author": "Deb Cooley", "text": "

there are adapters up there too....

", "time": "2023-07-25T20:22:54Z"}, {"author": "Mike Ounsworth", "text": "

@Sofia Celi If I'm paraphrasing your property, \"architecture terms\" vs \"mathematical crypto properties\"; the latter should not be in the draft.
\nInteresting point. I can see that being a good direction.

", "time": "2023-07-25T20:22:54Z"}, {"author": "Sofia Celi", "text": "

@mike I think they can eventually, but first to reach a research \"consensus\", which is still in the works

", "time": "2023-07-25T20:25:35Z"}, {"author": "Florence D", "text": "

Jonathan Hoyland said:

\n
\n

Well we should probably avoid the clash with classical cryptography

\n
\n

The other problem (aside from the C thing) with this is that \"classical\" refers to a type of computer and PQ algorithms run on classical computers.

", "time": "2023-07-25T20:29:24Z"}, {"author": "Florence D", "text": "

@Sofia Celi that's interesting about the lack of consensus, it would be interesting to know more

", "time": "2023-07-25T20:30:09Z"}, {"author": "Jonathan Hoyland", "text": "

Florence D said:

\n
\n

Jonathan Hoyland said:

\n
\n

Well we should probably avoid the clash with classical cryptography

\n
\n

The other problem (aside from the C thing) with this is that \"classical\" refers to a type of computer and PQ algorithms run on classical computers.

\n
\n

Yeah, it's gonna be messy, because there is something of a difference between PQ algorithms and the Caesar cipher.

", "time": "2023-07-25T20:30:39Z"}, {"author": "Florence D", "text": "

I agree this draft isn't for mathematical definitions, but if we can translate the mathematical properties into language that is clear for protocol designers (e.g. as used in the strongly non-separable sigs draft) then that would be useful

", "time": "2023-07-25T20:31:00Z"}, {"author": "Jonathan Hoyland", "text": "

What's the distinction between \"Harvest now, decrypt later\" and perfect forward secrecy?

", "time": "2023-07-25T20:31:20Z"}, {"author": "Yoav Nir", "text": "

@Florence D, so translate from academics language to engineer's language?

", "time": "2023-07-25T20:31:51Z"}, {"author": "Florence D", "text": "

More or less. Where that's useful for protocol design.

", "time": "2023-07-25T20:32:30Z"}, {"author": "Deb Cooley", "text": "

@Jonathan: they are different.... even w/ perfect forward secrecy one could collect a key exchange to be broken later.

", "time": "2023-07-25T20:34:14Z"}, {"author": "Thom Wiggers", "text": "

Jonathan Hoyland said:

\n
\n

What's the distinction between \"Harvest now, decrypt later\" and perfect forward secrecy?

\n
\n

PFS covers long-term key compromise; in store-now, decrypt-later, you are breaking each ephemeral key exchange still. Without PFS, store-now, decrypt-later is much easier, obviously, but they are different problems

", "time": "2023-07-25T20:34:40Z"}, {"author": "Sofia Celi", "text": "

@Flo, I think this is one of the first instances of trying to formalise properties of hybrid signature schemes, so it will be nice to see what is eventually found and peer-reviewed. I think it is still a research effort

", "time": "2023-07-25T20:35:24Z"}, {"author": "Phillip Hallam-Baker", "text": "

This model really needs some probabilities.

", "time": "2023-07-25T20:35:46Z"}, {"author": "Sofia Celi", "text": "

@Flo but it will be super cool to do the actual formalization of properties. That will be a nice paper indeed ;)

", "time": "2023-07-25T20:36:11Z"}, {"author": "Phillip Hallam-Baker", "text": "

Probability someone builds a consequential quantum computer in the next decade is really low, <1%. But if they do, the banking system collapses.

", "time": "2023-07-25T20:36:37Z"}, {"author": "Thom Wiggers", "text": "

<fightclubendingscene.gif>

", "time": "2023-07-25T20:37:42Z"}, {"author": "Thom Wiggers", "text": "

(deleted)

", "time": "2023-07-25T20:38:13Z"}, {"author": "Phillip Hallam-Baker", "text": "

Security levels are traditional. But how many customers are going to say they really really want PQC security but 128 bit AES is cool?

", "time": "2023-07-25T20:38:36Z"}, {"author": "Thom Wiggers", "text": "

(sorry, a first attempt of sending a message with <> seemed to crash the browser chat in the beta)

", "time": "2023-07-25T20:38:58Z"}, {"author": "Thom Wiggers", "text": "

hey that looks like it's quoted from my email lol

", "time": "2023-07-25T20:40:43Z"}, {"author": "Thom Wiggers", "text": "

(you're welcome to it)

", "time": "2023-07-25T20:40:52Z"}, {"author": "Yoav Nir", "text": "

In practice, new standards like TLS 1.3 have two algorithms, AES and ChaCha20. For the former, the difference in performance between 128 and 256 bit keys is small. For the latter, all keys are 256-bit.

", "time": "2023-07-25T20:40:59Z"}, {"author": "Phillip Hallam-Baker", "text": "

With AES, Shamir was nervous about the number of rounds in the 128 bit version. Going to 256 bits is justified even if you think 2^128 work factor is fine.

", "time": "2023-07-25T20:42:17Z"}, {"author": "Thom Wiggers", "text": "

++

", "time": "2023-07-25T20:50:38Z"}, {"author": "Michael Prorock", "text": "

Should ntru be in this doc from a kem standpoint?

", "time": "2023-07-25T20:50:52Z"}, {"author": "Mike Ounsworth", "text": "

Phillip Hallam-Baker said:

\n
\n

Probability someone builds a consequential quantum computer in the next decade is really low, <1%. But if they do, the banking system collapses.

\n
\n

To me, it doesn't really matter whether the probability is 1% or 10% or 90%. All of those are orders of magnitude more likely than the 2^-128 that cryptographers are comfortable with.
\nAlso, and I think this is the point you are making: risk = probability * cost. The cost of \"collapse of the banking system\" is pretty close to \"infinite\", which makes the risk pretty high so long as the probability is not zero.

", "time": "2023-07-25T20:51:25Z"}, {"author": "Thom Wiggers", "text": "

\"Wiki\" seems the apt description?

", "time": "2023-07-25T20:53:10Z"}, {"author": "Phillip Hallam-Baker", "text": "

Mike, the cost of remediation is really small. So call it the Hand test or calculus or negligence or whatever, we have to do this stuff.

", "time": "2023-07-25T20:54:24Z"}, {"author": "Aritra Banerjee", "text": "

@Michael, we currently focus on candidates advancing/selected; that's why we did not add NTRU yet.

", "time": "2023-07-25T20:54:49Z"}, {"author": "Michael Prorock", "text": "

+1 @Aritra Banerjee, makes total sense, and I agree with that approach. NTRU has just come up often enough I might or some language around it

", "time": "2023-07-25T20:56:04Z"}, {"author": "Phillip Hallam-Baker", "text": "

But the other side of the issue here is that traditional INFOSEC has used a single break model: Make sure the system is secure if nothing breaks. I think it is time to move onto a multiple break model where we insist that the system is still secure even if some things break.

", "time": "2023-07-25T20:56:11Z"}, {"author": "Aritra Banerjee", "text": "

@Michael, yes, NTRU lattices (with SIS hardness) are used in Falcon; that's why it is indirectly involved.

", "time": "2023-07-25T20:58:04Z"}, {"author": "Mike Ounsworth", "text": "

Phillip Hallam-Baker said:

\n
\n

But the other side of the issue here is that traditional INFOSEC has used a single break model: Make sure the system is secure if nothing breaks. I think it is time to move onto a multiple break model where we insist that the system is still secure even if some things break.

\n
\n

InfoSec people are definitely aware of the phrase \"defense in depth\". Just build on that concept ...

", "time": "2023-07-25T21:01:41Z"}, {"author": "Jonathan Hoyland", "text": "

Can we _please_ _please_ kill ASN.1?

", "time": "2023-07-25T21:15:55Z"}, {"author": "Sofia Celi", "text": "

+1 to Jonathan

", "time": "2023-07-25T21:16:06Z"}, {"author": "Rich Salz", "text": "

store now decrypt later should be store now decrypt eventually -> SNOWDEN

", "time": "2023-07-25T21:16:56Z"}, {"author": "Sofia Celi", "text": "

amazing!

", "time": "2023-07-25T21:17:13Z"}, {"author": "Phillip Hallam-Baker", "text": "

I am PHB and I do X.509

", "time": "2023-07-25T21:17:15Z"}, {"author": "Florence D", "text": "

Thanks Sophie, that was really interesting.

", "time": "2023-07-25T21:17:52Z"}, {"author": "Sofia Celi", "text": "

thank you, sophie!

", "time": "2023-07-25T21:18:03Z"}, {"author": "Mike Ounsworth", "text": "

Thank you Sophie!

", "time": "2023-07-25T21:18:16Z"}, {"author": "Mike Ounsworth", "text": "

@Michael Prorock I think Sophie's talk counts as a vote for the \"ciphersuites\" option from the COSE WG (that was in regards to handling HPKE, right?)

", "time": "2023-07-25T21:20:03Z"}, {"author": "Sofia Celi", "text": "

Signatures are beeeautiful to build in the cryptographic sense

", "time": "2023-07-25T21:20:48Z"}, {"author": "Phillip Hallam-Baker", "text": "

We can't dispatch to CFRG...

", "time": "2023-07-25T21:26:28Z"}, {"author": "Yoav Nir", "text": "

And yet \"go away and take this to CFRG\" is one of the most common results of secdispatch

", "time": "2023-07-25T21:26:55Z"}, {"author": "Sofia Celi", "text": "

open quantum safe: https://openquantumsafe.org/

", "time": "2023-07-25T21:28:30Z"}, {"author": "Jonathan Lennox", "text": "

Some dispatch outcomes are technically recommendations but are nonetheless correct. Also \"take this to the ISE.\"

", "time": "2023-07-25T21:28:58Z"}, {"author": "Thom Wiggers", "text": "

https://pqshield.github.io/nist-sigs-zoo/

", "time": "2023-07-25T21:29:41Z"}, {"author": "Nicola Tuveri", "text": "

Thanks Thom, that has been a very useful work you did!

", "time": "2023-07-25T21:30:04Z"}, {"author": "Sofia Celi", "text": "

the new PQC signatures: https://csrc.nist.gov/projects/pqc-dig-sig

", "time": "2023-07-25T21:30:07Z"}, {"author": "Yoav Nir", "text": "

They're all recommendations, because \"take it to LAMPS\" or \"AD-sponsored\" does not require LAMPS or the AD to adopt or sponsor.

", "time": "2023-07-25T21:30:41Z"}, {"author": "Florence D", "text": "

@Michael Prorock could you fill in your last comment in the notes please? My connection went and I didn't catch it.

", "time": "2023-07-25T21:31:55Z"}, {"author": "Thom Wiggers", "text": "

Or pay a lot of attention and break some schemes :)

", "time": "2023-07-25T21:32:41Z"}, {"author": "Aritra Banerjee", "text": "

Thank you all!

", "time": "2023-07-25T21:33:01Z"}]