PQUIP WG
IETF 121, Dublin
Thursday November 7, 2024
Session III, 15:30 - 17:00

Minutes do not show text from the slides.
See all meeting materials at https://datatracker.ietf.org/meeting/121/session/pquip

Welcome and Note Well

Current document statuses

Terminology for Post-Quantum Traditional Hybrid Schemes
    Paul Wouters (AD): Lots of disagreements at the end of the WG discussion
        Wanted to be sure that those were either dealt with or are in the rough
        Not stuck, it is just additional work for him to go through
    Paul Hoffman: We sometimes get long comments; let's read them instead of ignoring them
        These comments can sometimes help the documents
    MikeP: Also willing to help go through those final comments

Hybrid signature spectrums
https://datatracker.ietf.org/doc/draft-ietf-pquip-hybrid-signature-spectrums/
    In WG Last Call until today; will stretch it by a few days because:
        Very few comments so far, and more would be appreciated
    Authors will update based on Last Call comments

Post-Quantum Cryptography for Engineers
    Tim Hollebeek presented
    Deirdre Connolly: Agree on targeted recommendations
        Doesn't really cover "we use these because of these security proofs"
        Say more about why we think these are proven to be good replacements
        Operators are doing cryptography whether or not they think they are
        There are formal methods and math here
    Mike Ounsworth: Half disagrees with Deirdre about how much should go in
        Should we be using normative MUST and SHOULD language? Hopefully not.
    Kathleen Moriarty: Can help get her grad students to help review
    Joe Salowey: Be more technical
        Some engineers need to understand that there are proofs
    PaulW: There are some limits
        Should say things like "this must be constant-time because of blah" without explaining blah
    Mike: For laypeople, "break" means a much more immediate threat

Previously discussed
    More discussion on the list for these:
        Post-quantum cryptography migration use cases
        Hash-based Signatures: State and Backup Management
        PQC in certificates at the Hackathon

FIPS issues with deploying ML-KEM and ML-DSA, Mike Ounsworth
    Quynh Dang: NIST has been talking about seeds and expanded seeds internally, no answer right now
        Ordering: also talking internally, also no answer right now
        Hope to have answers soon
        APIs: there are some options, for many reasons
            Some users prefer one API over another
        SP800-227: there will be a draft before the seminar in February
    Phill Hallam-Baker: On the OASIS thing, their group met yesterday
        Are discussing the seed issue
        On the signatures, there is a context string; we would like to use it, but can't because of PKCS#11
        Should have a joint virtual meeting with OASIS
    Deirdre: If NIST allows seed expansion, we get an accidentally FIPS-compliant X-Wing with no changes
        Not having a 32-byte seed would not be the end of the world
        It's OK to have more key material
        It's unfortunate that people are putting P256 first in the hybrid, because it is likely that it will not be FIPS-compliant down the road
        Hybrids should be temporary; consider what going to a fully-PQ system would look like instead
    Sean Turner: For OASIS, don't have a virtual meeting, just find out who the right people are there
        Just call them and get it done
        Don't call it "RealHash"
    John Gray (later in the meeting): At ICMC, asked the author of PKCS11
        They will support parameters and context

PQC algorithm commonality across the IETF
    PaulW: Lots of overlap between CFRG and PQUIP
        Charter has a timer for a two-year review
        Algorithms are talked about in SAAG
    Charter discussion: what has been done, what needs to be done?
        Was WG of last resort, mostly for SSH, but then that WG got started
        Maybe that clause is not needed any more
        What is still left that is not overlapping with CFRG?
        Start the rechartering discussion in January 2025
        Not so worried about the wording, but come up with the content
        Is there new work to be done that is relevant to this WG?
    Joe Harvey: Some WGs have drafts that cross-reference each other, but are not consistent
        Maybe PQUIP can help with consistency