| draft-hale-pquip-hybrid-signature-spectrums-03.txt | draft-hale-pquip-hybrid-signature-spectrums-04.txt | |||
|---|---|---|---|---|
| Network Working Group N. Bindel | Network Working Group N. Bindel | |||
| Internet-Draft SandboxAQ | Internet-Draft SandboxAQ | |||
| Intended status: Informational B. Hale | Intended status: Informational B. Hale | |||
| Expires: 26 August 2024 Naval Postgraduate School | Expires: 22 September 2024 Naval Postgraduate School | |||
| D. Connolly | D. Connolly | |||
| SandboxAQ | SandboxAQ | |||
| F. Driscoll | F. Driscoll | |||
| UK National Cyber Security Centre | UK National Cyber Security Centre | |||
| 23 February 2024 | 21 March 2024 | |||
| Hybrid signature spectrums | Hybrid signature spectrums | |||
| draft-hale-pquip-hybrid-signature-spectrums-03 | draft-hale-pquip-hybrid-signature-spectrums-04 | |||
| Abstract | Abstract | |||
| This document describes classification of design goals and security | This document describes classification of design goals and security | |||
| considerations for hybrid digital signature schemes, including proof | considerations for hybrid digital signature schemes, including proof | |||
| composability, non-separability of the component signatures given a | composability, non-separability of the component signatures given a | |||
| hybrid signature, backwards/forwards compatiblity, hybrid generality, | hybrid signature, backwards/forwards compatiblity, hybrid generality, | |||
| and simultaneous verification. | and simultaneous verification. | |||
| Discussion of this work is encouraged to happen on the IETF PQUIP | Discussion of this work is encouraged to happen on the IETF PQUIP | |||
| mailing list pqc@ietf.org or on the GitHub repository which contains | mailing list pqc@ietf.org or on the GitHub repository which contains | |||
| the draft: https://github.com/dconnolly/draft-hale-pquip-hybrid- | the draft: https://github.com/dconnolly/draft-hale-pquip-hybrid- | |||
| signature-spectrums | signature-spectrums | |||
| Discussion Venues | ||||
| This note is to be removed before publishing as an RFC. | ||||
| Discussion of this document takes place on the Post-Quantum Use In | ||||
| Protocols Working Group mailing list (pqc@ietf.org), which is | ||||
| archived at https://mailarchive.ietf.org/arch/browse/pqc/. | ||||
| Source for this draft and an issue tracker can be found at | ||||
| https://github.com/dconnolly/draft-connolly-pquip-hybrid-signature- | ||||
| spectrums. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 26 August 2024. | This Internet-Draft will expire on 22 September 2024. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 39 ¶ | skipping to change at page 2, line 27 ¶ | |||
| 1.1. Revision history . . . . . . . . . . . . . . . . . . . . 4 | 1.1. Revision history . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.3. Motivation for use of hybrid signature schemes . . . . . 6 | 1.3. Motivation for use of hybrid signature schemes . . . . . 6 | |||
| 1.3.1. *Complexity* . . . . . . . . . . . . . . . . . . . . 6 | 1.3.1. *Complexity* . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1.3.2. *Time* . . . . . . . . . . . . . . . . . . . . . . . 7 | 1.3.2. *Time* . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1.4. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 1.4. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1.4.1. *Hybrid Authentication* . . . . . . . . . . . . . . . 8 | 1.4.1. *Hybrid Authentication* . . . . . . . . . . . . . . . 8 | |||
| 1.4.2. *Proof Composability* . . . . . . . . . . . . . . . . 9 | 1.4.2. *Proof Composability* . . . . . . . . . . . . . . . . 9 | |||
| 1.4.3. *Weak Non-Separability* . . . . . . . . . . . . . . . 9 | 1.4.3. *Weak Non-Separability* . . . . . . . . . . . . . . . 9 | |||
| 1.4.4. *Strong Non-Separability* . . . . . . . . . . . . . . 10 | 1.4.4. *Strong Non-Separability* . . . . . . . . . . . . . . 10 | |||
| 1.4.5. *Backwards/Forwards Compatibility* . . . . . . . . . 10 | 1.4.5. *Backwards/Forwards Compatibility* . . . . . . . . . 11 | |||
| 1.4.6. *Simultaneous Verification* . . . . . . . . . . . . . 11 | 1.4.6. *Simultaneous Verification* . . . . . . . . . . . . . 11 | |||
| 1.4.7. *Hybrid Generality* . . . . . . . . . . . . . . . . . 12 | 1.4.7. *Hybrid Generality* . . . . . . . . . . . . . . . . . 12 | |||
| 1.4.8. *High performance* . . . . . . . . . . . . . . . . . 12 | 1.4.8. *High performance* . . . . . . . . . . . . . . . . . 12 | |||
| 1.4.9. *High space efficiency* . . . . . . . . . . . . . . . 12 | 1.4.9. *High space efficiency* . . . . . . . . . . . . . . . 12 | |||
| 1.4.10. *Minimal duplicate information* . . . . . . . . . . . 12 | 1.4.10. *Minimal duplicate information* . . . . . . . . . . . 12 | |||
| 2. Non-separability spectrum . . . . . . . . . . . . . . . . . . 12 | 2. Non-separability spectrum . . . . . . . . . . . . . . . . . . 13 | |||
| 3. Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 3. Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.1. Artifact locations . . . . . . . . . . . . . . . . . . . 15 | 3.1. Artifact locations . . . . . . . . . . . . . . . . . . . 15 | |||
| 3.2. Artifact Location Comparison Example . . . . . . . . . . 15 | 3.2. Artifact Location Comparison Example . . . . . . . . . . 16 | |||
| 4. Need-For-Approval Spectrum . . . . . . . . . . . . . . . . . 19 | 4. Need-For-Approval Spectrum . . . . . . . . . . . . . . . . . 19 | |||
| 5. EUF-CMA Challenges . . . . . . . . . . . . . . . . . . . . . 21 | 5. EUF-CMA Challenges . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | |||
| 7. Discussion of Advantages/Disadvantages . . . . . . . . . . . 21 | 7. Discussion of Advantages/Disadvantages . . . . . . . . . . . 21 | |||
| 7.1. Backwards compatibility vs. SNS. . . . . . . . . . . . . 21 | 7.1. Backwards compatibility vs. SNS. . . . . . . . . . . . . 21 | |||
| 7.2. Backwards compatibility vs. hybrid unforgeability. . . . 22 | 7.2. Backwards compatibility vs. hybrid unforgeability. . . . 22 | |||
| 7.3. Simultaneous verification vs. low need for approval. . . 22 | 7.3. Simultaneous verification vs. low need for approval. . . 22 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 9. Informative References . . . . . . . . . . . . . . . . . . . 22 | 9. Informative References . . . . . . . . . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| skipping to change at page 3, line 26 ¶ | skipping to change at page 3, line 20 ¶ | |||
| traditional algorithms could be decrypted in the future by an | traditional algorithms could be decrypted in the future by an | |||
| attacker with a Cryptographically-Relevant Quantum Computer (CRQC). | attacker with a Cryptographically-Relevant Quantum Computer (CRQC). | |||
| While traditional authentication is only at risk once a CRQC exists, | While traditional authentication is only at risk once a CRQC exists, | |||
| it is important to consider the transition to post-quantum | it is important to consider the transition to post-quantum | |||
| authentication before this point. This is particularly relevant for | authentication before this point. This is particularly relevant for | |||
| systems where algorithm turn-over is complex or takes a long time | systems where algorithm turn-over is complex or takes a long time | |||
| (e.g., long-lived systems with hardware roots of trust), or where | (e.g., long-lived systems with hardware roots of trust), or where | |||
| future checks on past authenticity play a role (e.g., digital | future checks on past authenticity play a role (e.g., digital | |||
| signatures on legal documents). | signatures on legal documents). | |||
| One approach to design quantum-resistant protocols, particularly | The relative newness of many (although not all) post-quantum | |||
| during the transition period from traditional to post-quantum | algorithms means that less cryptanalysis of such algorithms is | |||
| algorithms, is incorporating hybrid signatures schemes, which combine | available than for long-established counterparts, such as RSA and | |||
| both traditional and post-quantum (or more generally next-generation) | elliptic-curve based solutions for confidentiality and authenticity. | |||
| algorithms in one cryptographic scheme. Hybridization has been | This has drawn attention to hybrid cryptographic schemes, which | |||
| looked at for key encapsulation [HYBRIDKEM], and in an initial sense | combine both traditional and post-quantum (or more generally next- | |||
| for digital signatures [HYBRIDSIG]. Compared to key encapsulation, | generation) algorithms in one cryptographic scheme. These may offer | |||
| hybridization of digital signatures, where the verification tag may | increased assurance for implementers, namely that as long as the | |||
| be expected to attest to both standard and post-quantum components, | security of one of the two component algorithms of the hybrid scheme | |||
| is subtler to design and implement due to the potential separability | holds, the confidentiality or authenticity offered by that scheme is | |||
| of the hybrid/dual signatures and the risk of downgrade/stripping | maintained. | |||
| attacks. There are also a range of requirements and properties that | ||||
| may be required from dual signatures, not all of which can be | Whether or not hybridization is desired depends on the use case and | |||
| achieved at once. | security threat model. Conservative users may not have complete | |||
| trust in the post-quantum algorithms or implementations available, | ||||
| while also recognizing a need to start post-quantum transition. For | ||||
| such users, hybridization can support near-term transition while also | ||||
| avoiding trusting solo post-quantum algorithms too early. On the | ||||
| other hand, hybrid schemes, particularly for authentication, may | ||||
| introduce significant complexity into a system or a migration | ||||
| process, so might not be the right choice for all. For cases where | ||||
| hybridization is determined to be advantageous, a decision on how to | ||||
| hybridize needs to be made. With many options available, this | ||||
| document is intended to provide context on some of the trade-offs and | ||||
| nuances to consider. | ||||
| Hybridization has been looked at for key encapsulation [HYBRIDKEM], | ||||
| and in an initial sense for digital signatures [HYBRIDSIG]. Compared | ||||
| to key encapsulation, hybridization of digital signatures, where the | ||||
| verification tag may be expected to attest to both standard and post- | ||||
| quantum components, is subtler to design and implement due to the | ||||
| potential separability of the hybrid/dual signatures and the risk of | ||||
| downgrade/stripping attacks. There are also a range of requirements | ||||
| and properties that may be required from hybrid signatures, not all | ||||
| of which can be achieved at once. | ||||
| This document focuses on explaining advantages and disadvantages of | This document focuses on explaining advantages and disadvantages of | |||
| different hybrid signature scheme designs and different security | different hybrid signature scheme designs and different security | |||
| goals for them. It is intended as a resource for designers and | goals for them. It is intended as a resource for designers and | |||
| implementers of hybrid signature schemes to help them decide what | implementers of hybrid signature schemes to help them decide what | |||
| properties they do and do not require from their scheme. It | properties they do and do not require from their scheme. It does not | |||
| attempt to answer the question of whether or not a hybrid scheme is | ||||
| desirable for, or should be used in a given case. It also | ||||
| intentionally does not propose concrete hybrid signature combiners or | intentionally does not propose concrete hybrid signature combiners or | |||
| instantiations thereof. | instantiations thereof. | |||
| 1.1. Revision history | 1.1. Revision history | |||
| *RFC Editor's Note:* Please remove this section prior to | *RFC Editor's Note:* Please remove this section prior to | |||
| publication of a final version of this document. | publication of a final version of this document. | |||
| * 01: Significant fleshing out after feedback from IETF 118. | * 01: Significant fleshing out after feedback from IETF 118. | |||
| skipping to change at page 6, line 41 ¶ | skipping to change at page 7, line 9 ¶ | |||
| traditional algorithms, such as RSA. RSA is a relatively simple | traditional algorithms, such as RSA. RSA is a relatively simple | |||
| algorithm to understand and explain, yet during its existence and use | algorithm to understand and explain, yet during its existence and use | |||
| there have been multiple attacks and refinements, such as adding | there have been multiple attacks and refinements, such as adding | |||
| requirements to how padding and keys are chosen, and implementation | requirements to how padding and keys are chosen, and implementation | |||
| issues such as cross-protocol attacks. Thus, even in a relatively | issues such as cross-protocol attacks. Thus, even in a relatively | |||
| simple algorithm subtleties and caveats on implementation and use can | simple algorithm subtleties and caveats on implementation and use can | |||
| arise over time. Given the complexity of next generation algorithms, | arise over time. Given the complexity of next generation algorithms, | |||
| the chance of such discoveries and caveats needs to be taken into | the chance of such discoveries and caveats needs to be taken into | |||
| account. | account. | |||
| Of note, next generation algorithms have been heavily vetted. Thus, | Of note, some next generation algorithms have received substantial | |||
| if and when further information on caveats and implementation issues | analysis attention, for example through the NIST Post-Quantum Process | |||
| come to light, it is less likely that a "break" will be catastrophic. | [NIST_PQC_FAQ]. Thus, if and when further information on caveats and | |||
| Instead, such vulnerabilities and issues may represent a weakening of | implementation issues come to light, it is less likely that a "break" | |||
| security - which may in turn be offset if a hybrid approach has been | will be catastrophic. Instead, such vulnerabilities and issues may | |||
| used. The complexity of post-quantum algorithms needs to be balanced | represent a weakening of security - which may in turn be offset if a | |||
| against the fact that hybridization itself adds more complexity to a | hybrid approach has been used. The complexity of post-quantum | |||
| protocol and introduces the risk of implementation mistakes in the | algorithms needs to be balanced against the fact that hybridization | |||
| hybridization process. | itself adds more complexity to a protocol and introduces the risk of | |||
| implementation mistakes in the hybridization process. | ||||
| One example of a next generation algorithm is the signature scheme | One example of a next generation algorithm is the signature scheme | |||
| ML-DSA (a.k.a. CRYSTALS-Dilithium) that has been selected for | ML-DSA (a.k.a. CRYSTALS-Dilithium) that has been selected for | |||
| standardization by NIST. While the scheme follows the well-known | standardization by NIST. While the scheme follows the well-known | |||
| Fiat-Shamir transform to construct the signature scheme, it also | Fiat-Shamir transform to construct the signature scheme, it also | |||
| relies on rejection sampling that is known to give cache side channel | relies on rejection sampling that is known to give cache side channel | |||
| information (although this does not lead to a known attack). | information (although this does not lead to a known attack). | |||
| Furthermore, recent attacks again the post-quantum multivariate | Furthermore, recent attacks again the post-quantum multivariate | |||
| schemes Rainbow and GeMSS might call into question the asymptotic and | schemes Rainbow and GeMSS might call into question the asymptotic and | |||
| concrete security for conservative adopters and therefore might | concrete security for conservative adopters and therefore might | |||
| skipping to change at page 23, line 39 ¶ | skipping to change at page 23, line 39 ¶ | |||
| [I-D.ietf-tls-hybrid-design] | [I-D.ietf-tls-hybrid-design] | |||
| Stebila, D., Fluhrer, S., and S. Gueron, "Hybrid key | Stebila, D., Fluhrer, S., and S. Gueron, "Hybrid key | |||
| exchange in TLS 1.3", Work in Progress, Internet-Draft, | exchange in TLS 1.3", Work in Progress, Internet-Draft, | |||
| draft-ietf-tls-hybrid-design-09, 7 September 2023, | draft-ietf-tls-hybrid-design-09, 7 September 2023, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-tls- | <https://datatracker.ietf.org/doc/html/draft-ietf-tls- | |||
| hybrid-design-09>. | hybrid-design-09>. | |||
| [I-D.ounsworth-pq-composite-sigs] | [I-D.ounsworth-pq-composite-sigs] | |||
| Ounsworth, M., Gray, J., Pala, M., and J. Klaußner, | Ounsworth, M., Gray, J., Pala, M., and J. Klaußner, | |||
| "Composite Signatures For Use In Internet PKI", Work in | "Composite ML-DSA for use in Internet PKI", Work in | |||
| Progress, Internet-Draft, draft-ounsworth-pq-composite- | Progress, Internet-Draft, draft-ounsworth-pq-composite- | |||
| sigs-12, 11 February 2024, | sigs-13, 4 March 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-ounsworth-pq- | <https://datatracker.ietf.org/doc/html/draft-ounsworth-pq- | |||
| composite-sigs-12>. | composite-sigs-13>. | |||
| [MOSCA] Kaye, P., Laflamme, R., and M. Mosca, "An Introduction to | [MOSCA] Kaye, P., Laflamme, R., and M. Mosca, "An Introduction to | |||
| Quantum Computing, Oxford University Press", November | Quantum Computing, Oxford University Press", November | |||
| 2007. | 2007. | |||
| [NIST_PQC_FAQ] | [NIST_PQC_FAQ] | |||
| National Institute of Standards and Technology (NIST), | National Institute of Standards and Technology (NIST), | |||
| "Post-Quantum Cryptography FAQs", 5 July 2022, | "Post-Quantum Cryptography FAQs", 5 July 2022, | |||
| <https://csrc.nist.gov/Projects/post-quantum-cryptography/ | <https://csrc.nist.gov/Projects/post-quantum-cryptography/ | |||
| faqs>. | faqs>. | |||
| End of changes. 14 change blocks. | ||||
| 46 lines changed or deleted | 58 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||