Post quantum Crypto Standardisation in IETF/IRTF. Kenny Paterson Information Security

Transcription

1 Post quantum Crypto Standardisation in IETF/IRTF Kenny Paterson Information Security

2 Overview IETF/IRTF and the role of CFRG CFRG work on post quantum crypto CFRG s current future plans 2

3 Caveat I do not speak for the IRTF, the IETF or any other organisation. What follows are my personal opinions and not an official policy statement by any organisation. 3

4 Objective of IETF/IRTF Make this work! 4

5 IETF and IRTF IETF: focus on engineering, standardisation of better protocols and new features. IRTF: research oriented, longer term perspective. IRTF is organised into Research Groups (RGs). CFRG is the Crypto Forum Research Group. 5

6 CFRG Charter C F R G The Crypto Forum Research Group (CFRG) is a general forum for discussing and reviewing uses of cryptographic mechanisms, both for network security in general and for the IETF in particular. The CFRG serves as a bridge between theory and practice, bringing new cryptographic techniques to the Internet community and promoting an understanding of the use and applicability of these mechanisms via Informational RFCs. Our goal is to provide a forum for discussing and analyzing general cryptographic aspects of security protocols, and to offer guidance on the use of emerging mechanisms and new uses of existing mechanisms. 6

7 CFRG Processes C F R G ID (Internet Draft): a raw text document describing an algorithm, protocol or idea. CFRG process RFC (Request for Comments): de facto an Internet standard *. Main CFRG objective: turn useful looking IDs into complete, clear, well specified RFCs by tapping into expertise of the Internet community. Current documents: 7

8 CFRG Chairs and Their Roles C F R G Current chairs of CFRG: Alexey Melnikov: IETF lifer, huge experience in IETF processes, writing RFCs, running IETF WGs. Kenny Paterson: cryptographer, gradually learning the process ropes. 8

9 CFRG and PQC C F R G CFRG started work on PQC before the NIST PQC standardisation process was announced. Initial focus on stateful, hash based signatures. Rationale: mature, well understood cryptography, ready for standardisation. Two Internet Drafts are now in the last stages of becoming RFCs: XMSS: Extended Hash Based Signatures (draft irtf cfrg xmss hashbased signatures 10). Hash Based Signatures (draft mcgrew hash sigs 07). 9

10 Beyond Hash based Signatures C F R G CFRG currently has no plans to develop RFCs for further PQC algorithms. This could change if the CFRG community has the appetite for it. My personal view: the NIST process should continue to take precedence. It is the focus of the scientific community. It has the resources and experience to run the large scale, multi year process that is envisaged. 10

11 Beyond Hash based Signatures The IETF needs to be ready to start using new algorithms and protocols once they are finalised by NIST. This requires keeping a watching eye on the NIST process, and understanding how new crypto mechanisms can be smoothly integrated into IETF protocols. Easy in theory, some road bumps in practice: 11 Larger key sizes may break packet limits in some situations. PQ key exchange flows may badly affect protocol latency/round trips. Securely combining different types of key exchange (pre q and post q), hedging against uncertainty over timescale for arrival of large scale QC and against uncertainty over pre Q security of post Q algorithms. CFRG can act as a conduit between the NIST process and IETF.

12 What about QKD? C F R G For the avoidance of doubt, and as far as I can tell, there is no appetite for doing anything with QKD in IETF/IRTF. The EU Quantum Technologies Flagship has made a virtue out of current QKD systems inherent range limitation: The advantage of trusted node schemes is that they provide access for lawful intercept ( QT Flagship Intermediate.pdf, page 6) The IETF takes a very different view on the desirability of such an approach. See RFC 2804 IETF Policy on Wiretapping and RFC7258 Pervasive Monitoring is an Attack. 12

13 Thanks/Danke/Merci C F R G 13

14 Thanks/Danke/Merci F C F R 14

15 Thanks/Danke/Merci T F C F 15

16 Thanks/Danke/Merci R/E T F C 16

17 Thanks/Danke/Merci I R/E T F 17