Hello,
On Thu, 24 Jun 2021 at 15:52, Kai Engert <kaie(_at_)kuix(_dot_)de> wrote:
Hello,
I'd like to make you aware of a project call by the German BSI (a
federal agency for IT security), which was brought to my attention.
I've posted some information on it on the Thunderbird planning mailing
list, see the following thread, which has multiple messages from me:
https://thunderbird.topicbox.com/groups/planning/T5abbf135db2f3c1c/the-german-bsi-intends-to-sponsor-pqc-improvements-for-openpgp-in-thunderbird
In my understanding they intend to pay a contractor for a wide set of
tasks to bring PQC to Thunderbird, including the work to standardize the
use of PQC with OpenPGP, including implementations for RNP, Botan, GnuPG
and libgcrypt.
It seems the BSI has already made a suggestion that they want to require
the use of CRYSTALS-Kyber and -Dilithium.
Is that a reasonable choice?
(Disclaimer: I have been involved in the NIST contest with a
submission which made it to the 2nd round. I am
not part of NIST personnel, opinions following are mine only.)
Kyber and Dilithium are two of the finalist algorithms in the current
NIST PQ standardization effort and,
as things stand now, thus potential candidates at the end of this year.
From the latest update on the contest ([*] , slides 10 and 11) they
are both likely to be chosen as standards.
Does it make sense to define a limitation to these methods at this point
of time?
NIST is planning to announce the choice of the actual winners at the
end of 2021/early 2022 at the latest.
While writing down actual standards will take a bit more, the cut-down
on the algorithms will be significant.
We expect a single lattice-based KEM and Classic McEliece for
diversity to be selected for KEMs,
and a single lattice based signature to make it in the standard which
will be announced at the end of the year.
NIST also has plans for a fourth stage of the competition, where they
will accept proposals for non-lattice based signatures
and analyze further the current "alternate" candidates.
If the idea is to understand what is the impact of the choices made by
NIST when implementing, it may be a reasonable time to keep thinking
about all the candidates in the NIST PQ standardization process.
An interesting bird's eye view on the sizes of ciphertexts/keypairs
and speed of the current third round candidates is available here[**]
(from slide 100 onwards).
Hope this helps,
Alessandro
[*]
https://csrc.nist.gov/CSRC/media/Presentations/status-update-on-the-3rd-round/images-media/session-1-moody-nist-round-3-update.pdf
[**]
https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/seminars/oct-2020-gaj-kris-presentation.pdf
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp