Session Date/Time: 07 Nov 2024 15:30

# pquip

## Summary

This PQUIP (Post-Quantum Interoperability) working group meeting covered current document status, a hackathon report on post-quantum cryptography (PQC) in certificates, NIST PQC algorithm discussions, and the future of the PQUIP working group charter. Key discussion points revolved around FIPS compliance, seed management for private keys, hybrid key exchange, and algorithm naming.

## Key Discussion Points

*   **Terminology Document:** The terminology document submission to the IESG is delayed due to late-stage disagreements. The AD is reviewing the unresolved comments.
*   **Hybrid Signature Spectrums:** The working group last call is extended to Monday to allow more time for review.
*   **PQC for Engineers Draft:**
    *   The audience is primarily non-IETF engineers using PQC algorithms and system maintainers.
    *   The document should maintain a technical basis rooted in cryptographic rationale and formal math.
    *   The document should not make normative recommendations (no "MUST" or "SHOULD").
    *   Editorial work is required.
    *   Distinction between PQC algorithms and Quantum Safe security properties needs clarification.
    *   The term "break" needs to be redefined or replaced.
*   **PQC in Certificates Hackathon:**
    *   Automated testing using liboqs and Bouncy Castle was updated. New QuantCrypt automation was added.
    *   CMS KEM private key testing revealed inconsistencies in seed lengths (32 bytes vs. long form).
    *   Composite KEM and signatures are being tested.
*   **NIST PQC Algorithm Discussions (Mike's Presentation):**
    *   **Lattice Private Keys (Seeds vs. Expanded):**
        *   Storing seeds is generally preferred over expanded keys due to security benefits.
        *   FIPS compliance is confusing but ultimately allows seed storage.
    *   **Types of Seeds (Direct vs. Derived):**
        *   Currently, only direct seeds (output directly from a DRBG) are allowed. Derived seeds are not FIPS compliant.
        *   Expanding 32-byte seeds to 64-byte seeds for ML-KEM is not allowed.
        *   Combining ML-KEM and X25519 with a single seed in X-Wing is not allowed.
        *   Using an MLS ratchet tree to derive an ML-KEM seed is not allowed for FIPS compliance.
    *   **Private Keys, HSMs, P11, and P12:**
        *   Need to ensure hardware vendors expose keygen internal functions.
        *   Coordination with the OASIS PKCS #11 TC is necessary to standardize seed usage.
    *   **Hybrid KEM Combiner (Elliptic Curve First?):**
        *   Order matters for FIPS certification but is cryptographically equivalent.
        *   Aim is for hybrids to be temporary.
    *   **Real Hash ML-DSA:**
        *   A third undocumented API exists that the IETF prefers, which we will call real hash ML-DSA.
        *   NIST confirmed this.
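
The direct vs. derived seed distinction and the seed-length mismatch noted above, as an added example (not from the minutes or any draft's code). `os.urandom` stands in for an approved DRBG, SHAKE256 is an assumed expansion function, the single-seed hybrid layout is an assumption, and all names are hypothetical.

```python
import hashlib
import os
from dataclasses import dataclass

ML_KEM_SEED_LEN = 64  # FIPS 203 key generation consumes d || z, 32 bytes each
X25519_KEY_LEN = 32


@dataclass(frozen=True)
class Seed:
    value: bytes
    origin: str  # "direct": straight from the RNG; "derived": output of an XOF/KDF


def direct_ml_kem_seed(rng=os.urandom) -> Seed:
    """Take all 64 seed bytes straight from the RNG."""
    return Seed(rng(ML_KEM_SEED_LEN), "direct")


def expanded_ml_kem_seed(short_seed: bytes) -> Seed:
    """Stretch a stored 32-byte seed to 64 bytes: the result is a derived seed."""
    if len(short_seed) != 32:
        raise ValueError("expected a 32-byte seed")
    return Seed(hashlib.shake_256(short_seed).digest(ML_KEM_SEED_LEN), "derived")


def single_seed_hybrid(short_seed: bytes) -> tuple[Seed, Seed]:
    """Feed both halves of a hybrid from one 32-byte seed (assumed layout)."""
    if len(short_seed) != 32:
        raise ValueError("expected a 32-byte seed")
    stream = hashlib.shake_256(short_seed).digest(ML_KEM_SEED_LEN + X25519_KEY_LEN)
    return (Seed(stream[:ML_KEM_SEED_LEN], "derived"),
            Seed(stream[ML_KEM_SEED_LEN:], "derived"))


def check_seed(seed: Seed, expected_len: int = ML_KEM_SEED_LEN) -> list[str]:
    """Findings for a seed headed into key generation; empty list means it passes."""
    findings = []
    if seed.origin != "direct":
        findings.append("derived seed")
    if len(seed.value) != expected_len:
        findings.append(f"length {len(seed.value)}, expected {expected_len}")
    return findings


if __name__ == "__main__":
    stored = os.urandom(32)  # constructed sample input
    kem_seed, ecdh_seed = single_seed_hybrid(stored)
    for name, s in [("direct", direct_ml_kem_seed()),
                    ("expanded", expanded_ml_kem_seed(stored)),
                    ("hybrid KEM half", kem_seed)]:
        print(name, check_seed(s) or "ok")
```

Tracking provenance alongside the bytes is what makes the check possible: a derived 64-byte seed is indistinguishable from a direct one by inspection.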

## Decisions and Action Items

*   **Extend Working Group Last Call:** The working group last call for the hybrid signature spectrums document is extended to Monday.
*   **PKCS#11 Liaison:** The IETF will engage with the OASIS PKCS #11 TC to discuss private key seed formats. Phil will contact some individuals from the group and work from there.
*   **MLS Post:** Mike agreed to co-author a cross post to the MLS mailing list with Britta Hale and someone like Richard to highlight an issue involving seed material.

## Next Steps

*   **Complete Current Documents:** Complete working group last call for documents with reviews and discussion on the mailing list.
*   **Charter Discussion:** Start the PQUIP working group charter discussion in January on the mailing list, including reviewing the current charter.
*   **227 Draft Review:** Review the upcoming draft of NIST SP 800-227 to better understand the position regarding hybrid key generation order, as well as direct vs derived seeds.
*   **PQUIP Charter Review:** Look at documents in LAMPS, JOSE, IP, 7, whose drafts cross-reference each other but are not necessarily consistent because they are just referencing. Look at how PQUIP might fit with those PQA to help bring that together so they are consistent.