Minutes of the September 3rd, 2024 Meeting

[johngray-dev]

Participants: Carl Wallace, Christopher Wildfeuer, Markku-Juhani Saarinen (TAU), Grazia Donghia, Abel C. H. Chen, Alex Shaindlin (TAU), Hendrik Brockhaus, Daniel Van Geest, Alexander Railien, Julien Prat, Nicola Tuveri, Kiron Mirdha

• New algorithms are out. Most people are working on updates. John mentioned that new OIDs have been updated. It was noted that the pre-hash versions of the OID have not been added.
• automated tested using bouncy castle has been added. The algorithm results table is here: https://ietf-hackathon.github.io/pqc-certificates/pqc_hackathon_results_certs_r3_automated_tests.html.
• Team discussed moving to a new R4 certificate format for the new Standard algorithms to clean up the automated list. We should no longer bother testing the ipd versions and they are irrelevant now.
  • John made a proposed update based on the group discussion. Essentially use the name of the algorithm with the OID, use only DER encoding, include only the final standard algorithms. See Desired properties of V4 format artifact file #112 with proposed content of the new format. Question, do we want the names with the hybrid cert formats as well (so the names are even longer)?

Round Table

Carl Wallace- SLH-DSA - Verified Bouncy castle stuff, two ML-DSA's stuff. Working on PQCrypto updates and Rust updates. Will update Composite. Carl is working towards a release of his Rust path validation code base likely sometime in October.

Christopher - Following the NIST draft releases, and it is much clear how to implement them. Not a lot of changes needed for ML-KEM. There was some group discussion about the slight changes in the encapsulation and decapsulation encoding of the K value in the hashes of algorithm 13 on page 29. ML-DSA also had the same type of change.

Markku - Talked asked about the pre-hash algorithms and asked how that affects the composites.

• So far it shouldn't affect them because the composites are not planning to use the pre-hash versions of ML-DSA. The Composite signature algorithm uses its own pre-hash for the algorithm
• Question from Nicolai about hybrid defined for SLH-DSA. It seems they aren't needed, but there are laws in Europe that says hybrids have to be used. Perhaps some composite combinations of SLH-DSA could be defined.
  • Discussion on Is it okay to use same key for pure or pre-hash algorithms? This is a policy issue - reasonable approach, make it an option to decide if it is okay. Traditionally a key is used for only 1 purpose. The consensus seems to be don't use the same key, separate them.
• Alexander - Pointed out recommendations from BSI - https://raw.githubusercontent.com/avaira77/pq-ietf-usecase/main/decision-tree/pqcrypto-decision-tree.svg

Hendrick - focusing on Hybrid signatures and standards and CMP.

Alexander - Working on CMS related stuff, next hackathon hopes to do a bunch of testing of CMS signatures with the new algorithms and interop tests.

Kiron - Multiple signatures in bouncy castle and open SSL, CMS linkage of signatures based on this RFC: https://datatracker.ietf.org/doc/html/rfc5752

Daniel - Not a lot of updates. LAMPS discussion has been in favor of using seed of private key. The ML-KEM in CMS and ML-DSA in CMS drafts will need to be updated.

Julien - Working on updating the algorithm implementation to the final standards.

John - Waiting for LibOQS to be updated, then will update algorithm imlementations. John also mentioned the composite Signatures and KEM's drafts are changing their OIDS so they can pick up the final ML-DSA and ML-KEM algorithms. There may be some other changes coming to composites signatures, but the OIDs change is the main breaking change at the moment.

Other Discussion

• Daniel pointed out the reason why SLH-DSA-ipd based artifacts did not work was because we used the SPHINCS+ OIDs instead of up-versionoing the OIDs which caused confusion. Some of the 12 SPHINCS+ versions were identical, and some were not. With the new final algorithms being released, this is expected to go away