RE: Post Quantum and Related

+1

Incorporating cryptographic flexibility into any future work / work-in-flight looks to be really important.

Best Regards,

Anil

Anil John
Technical Director, Silicon Valley Innovation Program
Science and Technology Directorate
US Department of Homeland Security
Washington, DC, USA

Email Response Time – 24 Hours


From: Mike Prorock <mprorock@mesur.io>
Sent: Wednesday, July 6, 2022 9:56 AM
To: W3C Credentials CG <public-credentials@w3.org>
Subject: Post Quantum and Related

All,
Please do be tracking the upcoming changes around crypto primitives, especially signature methods.  See the recent NIST announcement for more details, but effectively, be planning on future support for CRYSTALS-KYBER, and on the signature side of things CRYSTALS-Dilithium, FALCON, and SPHINCS+.

NIST Announcement here:
https://csrc.nist.gov/News/2022/pqc-candidates-to-be-standardized-and-round-4

And a pretty good game plan from CISA with some timing implications here:
https://www.cisa.gov/uscert/ncas/current-activity/2022/07/05/prepare-new-cryptographic-standard-protect-against-future-quantum


The TLDR is to assume that we need hard answers as a community, and at the standards level, on crypto agility by 2024, as well as support for the key algorithms as listed above.

I would also think that any new specs being drafted should reference these coming changes and start to work them in.  I would also be proactive on adding in references as appropriate to specs you might be an editor or author for (or just a contributor).

A draft spec that relates to the signature side of things (esp. for JOSE / COSE use) is here (shameless plug - but do note there will be some not insignificant changes going into and out of IETF 114):
https://datatracker.ietf.org/doc/draft-prorock-cose-post-quantum-signatures/

And one that relates to underlying key storage and representation is here:
https://datatracker.ietf.org/doc/draft-uni-qsckeys/

The above specs are likely a good starting place if you need to reference key representations and have links out to the cryptography approaches themselves.

If the community is interested, I am happy to talk to some of the impacts on a main meeting, and / or bring in some of the folks that really know this stuff well to talk to the community about what is different and why.  Lattices are a bit different than the cryptography that you are likely used to, and it is worth understanding how this stuff will get deployed in practice, as well as to open some discussion around pros / cons of HSMs, potential FIPS implications, etc.


Mike Prorock
CTO, Founder
https://mesur.io/

Received on Wednesday, 6 July 2022 17:45:41 UTC
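As an added example (not from this thread or from either IETF draft), the Python below illustrates the two points Mike raises: a hash-based one-time signature (Lamport, the simplest ancestor of the hash-based family SPHINCS+ belongs to) and a crypto-agile envelope in which the `alg` identifier is looked up in a registry and checked against the key's registered algorithm, so a verifier can add or retire algorithms without changing the message format. The algorithm label `LAMPORT-SHA256-OTS` and the envelope fields (`alg`, `kid`, `payload`, `sig`) are assumptions for illustration, not identifiers from any spec.

```python
import hashlib
import hmac
import secrets

N = 32      # bytes per secret and per SHA-256 digest
BITS = 256  # one secret pair per bit of the message digest

def lamport_keygen():
    """One-time key: 256 pairs of random secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _digest_bits(msg):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]

def lamport_sign(sk, msg):
    """Reveal one secret per digest bit. A key must sign only once: a second
    signature reveals secrets for the other bit values and enables forgery."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_digest_bits(msg)))

def lamport_verify(pk, msg, sig):
    """Hash each revealed secret and compare with the matching public half."""
    if len(sig) != BITS * N:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(msg)):
        piece = sig[i * N:(i + 1) * N]
        ok &= hmac.compare_digest(hashlib.sha256(piece).digest(), pk[i][bit])
    return bool(ok)

# Agility: algorithms live in a registry, never hard-wired into the format.
# "LAMPORT-SHA256-OTS" is an assumed label for this example, not a spec value.
ALGS = {"LAMPORT-SHA256-OTS": (lamport_sign, lamport_verify)}

def sign_envelope(alg, kid, sk, payload):
    sign, _ = ALGS[alg]
    return {"alg": alg, "kid": kid, "payload": payload, "sig": sign(sk, payload).hex()}

def verify_envelope(env, trusted_keys):
    """trusted_keys maps kid -> (alg, pk). Unknown algs and any mismatch between
    the envelope's alg and the key's registered alg are rejected before verifying."""
    key = trusted_keys.get(env.get("kid"))
    if key is None or env.get("alg") not in ALGS or key[0] != env["alg"]:
        return False
    _, verify = ALGS[env["alg"]]
    return verify(key[1], env["payload"], bytes.fromhex(env["sig"]))
```

Swapping in a lattice scheme later means adding one registry entry and key type; the envelope and the verifier's policy checks stay the same.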