Merge branch 'main' into kris/dilithium

.github/workflows/LICENSE.md

@@ -0,0 +1 @@
+This project is in the public domain.

.github/workflows/archive.yml

@@ -0,0 +1,42 @@
+name: "Archive Issues and Pull Requests"
+
+on:
+  schedule:
+    - cron: '0 0 * * 0,2,4'
+  repository_dispatch:
+    types: [archive]
+  workflow_dispatch:
+    inputs:
+      archive_full:
+        description: 'Recreate the archive from scratch'
+        default: false
+        type: boolean
+
+jobs:
+  build:
+    name: "Archive Issues and Pull Requests"
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Checkout"
+      uses: actions/checkout@v2
+
+    # Note: No caching for this build!
+
+    - name: "Update Archive"
+      uses: martinthomson/i-d-template@v1
+      env:
+        ARCHIVE_FULL: ${{ inputs.archive_full }}
+      with:
+        make: archive
+        token: ${{ github.token }}
+
+    - name: "Update GitHub Pages"
+      uses: martinthomson/i-d-template@v1
+      with:
+        make: gh-archive
+        token: ${{ github.token }}
+
+    - name: "Save Archive"
+      uses: actions/upload-artifact@v3
+      with:
+        path: archive.json

.github/workflows/ghpages.yml

@@ -0,0 +1,58 @@
+name: "Update Editor's Copy"
+
+on:
+  push:
+    paths-ignore:
+    - README.md
+    - CONTRIBUTING.md
+    - LICENSE.md
+    - .gitignore
+  pull_request:
+    paths-ignore:
+    - README.md
+    - CONTRIBUTING.md
+    - LICENSE.md
+    - .gitignore
+
+jobs:
+  build:
+    name: "Update Editor's Copy"
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Checkout"
+      uses: actions/checkout@v3
+
+    - name: "Setup"
+      id: setup
+      run: date -u "+date=%FT%T" >>"$GITHUB_OUTPUT"
+
+    - name: "Caching"
+      uses: actions/cache@v3
+      with:
+        path: |
+          .refcache
+          .venv
+          .gems
+          node_modules
+          .targets.mk
+        key: i-d-${{ steps.setup.outputs.date }}
+        restore-keys: i-d-
+
+    - name: "Build Drafts"
+      uses: martinthomson/i-d-template@v1
+      with:
+        token: ${{ github.token }}
+
+    - name: "Update GitHub Pages"
+      uses: martinthomson/i-d-template@v1
+      if: ${{ github.event_name == 'push' }}
+      with:
+        make: gh-pages
+        token: ${{ github.token }}
+
+    - name: "Archive Built Drafts"
+      uses: actions/upload-artifact@v3
+      with:
+        path: |
+          draft-*.html
+          draft-*.txt

.github/workflows/publish.yml

@@ -0,0 +1,49 @@
+name: "Publish New Draft Version"
+
+on:
+  push:
+    tags:
+      - "draft-*"
+
+jobs:
+  build:
+    name: "Publish New Draft Version"
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Checkout"
+      uses: actions/checkout@v3
+
+    # See https://github.com/actions/checkout/issues/290
+    - name: "Get Tag Annotations"
+      run: git fetch -f origin ${{ github.ref }}:${{ github.ref }}
+
+    - name: "Setup"
+      id: setup
+      run: date -u "+date=%FT%T" >>"$GITHUB_OUTPUT"
+
+    - name: "Caching"
+      uses: actions/cache@v3
+      with:
+        path: |
+          .refcache
+          .venv
+          .gems
+          node_modules
+          .targets.mk
+        key: i-d-${{ steps.setup.outputs.date }}
+        restore-keys: i-d-
+
+    - name: "Build Drafts"
+      uses: martinthomson/i-d-template@v1
+      with:
+        token: ${{ github.token }}
+
+    - name: "Upload to Datatracker"
+      uses: martinthomson/i-d-template@v1
+      with:
+        make: upload
+
+    - name: "Archive Submitted Drafts"
+      uses: actions/upload-artifact@v3
+      with:
+        path: "versioned/draft-*-[0-9][0-9].*"

.github/workflows/setup.yml

@@ -0,0 +1,99 @@
+name: "Perform Initial Repository Setup"
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  setup:
+    name: "Setup Repository"
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Checkout"
+      uses: actions/checkout@v3
+
+    - name: "Precondition Check"
+      id: pre
+      run: |
+        if ! ls draft-* rfc* 2>/dev/null | grep -qv draft-ietf-pquip-pqc-engineers.md; then
+          echo "============================================================="
+          echo "Skipping setup for the first commit."
+          echo
+          echo "Rename draft-ietf-pquip-pqc-engineers.md to start using this repository:"
+          echo
+          echo "    https://github.com/${{github.repository}}/edit/main/draft-ietf-pquip-pqc-engineers.md"
+          echo
+          echo "Change the name of the file and its title."
+          echo "Commit the changes to the 'main' branch."
+          echo
+          echo "============================================================="
+          echo "skip=true" >>"$GITHUB_OUTPUT"
+        elif [ ! -f draft-ietf-pquip-pqc-engineers.md -a -f Makefile ]; then
+          echo "============================================================="
+          echo "Skipping setup for an already-configured repository."
+          echo
+          echo "Delete .github/workflows/setup.yml to avoid running this action:"
+          echo
+          echo "    https://github.com/${{github.repository}}/delete/main/.github/workflows/setup.yml"
+          echo
+          echo "============================================================="
+          echo "skip=true" >>"$GITHUB_OUTPUT"
+        fi
+
+    - name: "Git Config"
+      if: ${{ steps.pre.outputs.skip != 'true' }}
+      run: |
+        git config user.email "[email protected]"
+        git config user.name "I-D Bot"
+
+    - name: "Update Draft Name"
+      if: ${{ steps.pre.outputs.skip != 'true' }}
+      run: |
+        for i in draft-*; do
+          if [ "$(head -1 "$i")" = "---" ]; then
+            sed -i -e '2,/^---/{/^###/,/^###/d
+              s|^docname: .*|docname: '"${i%.md}-latest"'|
+              s|^    fullname: Your Name Here|    fullname: "'"$(git show -q --format='format:%aN' @)"'"|
+              s|^    email: your\.email@example\.com|    email: "'"$(git show -q --format='format:%aE' @)"'"|
+            }' "$i"
+          fi
+          sed -i -e "s/draft-todo-yourname-protocol-latest/${i%.md}-latest/g" "$i"
+          git add "$i"
+        done
+        if [ -n "$(git status --porcelain draft-*)" ]; then
+          git commit -m "Update draft labels" draft-*
+        fi
+
+    - name: "Cleanup"
+      if: ${{ steps.pre.outputs.skip != 'true' }}
+      run: |
+        git rm -rf .github/workflows/setup.yml README.md
+        git commit -m "Remove setup files"
+
+    - name: "Clone the i-d-template Repo"
+      if: ${{ steps.pre.outputs.skip != 'true' }}
+      run: |
+        git clone --depth=1 https://github.com/martinthomson/i-d-template lib
+
+    - name: "Run i-d-template Setup"
+      if: ${{ steps.pre.outputs.skip != 'true' }}
+      uses: martinthomson/i-d-template@v1
+      with:
+        make: setup
+
+    - name: "Update Venue Information"
+      if: ${{ steps.pre.outputs.skip != 'true' }}
+      uses: martinthomson/i-d-template@v1
+      with:
+        make: update-venue
+
+    - name: "Update GitHub Pages"
+      if: ${{ steps.pre.outputs.skip != 'true' }}
+      uses: martinthomson/i-d-template@v1
+      with:
+        make: gh-pages
+
+    - name: "Push Changes"
+      if: ${{ steps.pre.outputs.skip != 'true' }}
+      run: |
+        git push

.github/workflows/update.yml

@@ -0,0 +1,36 @@
+name: "Update Generated Files"
+# This rule is not run automatically.
+# It can be run manually to update all of the files that are part
+# of the template, specifically:
+#  - README.md
+#  - CONTRIBUTING.md
+#  - .note.xml
+#  - .github/CODEOWNERS
+#  - Makefile
+#
+#
+# This might be useful if you have:
+#  - added, removed, or renamed drafts (including after adoption)
+#  - added, removed, or changed draft editors
+#  - changed the title of drafts
+#
+# Note that this removes any customizations you have made to
+# the affected files.
+on: workflow_dispatch
+
+jobs:
+  build:
+    name: "Update Files"
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Checkout"
+      uses: actions/checkout@v2
+
+    - name: "Update Generated Files"
+      uses: martinthomson/i-d-template@v1
+      with:
+        make: update-files
+        token: ${{ github.token }}
+
+    - name: "Push Update"
+      run: git push

draft-ietf-pquip-pqc-engineers.md

@@ -181,6 +181,10 @@ informative:
       title: "V. Lyubashevsky, “Fiat-Shamir With Aborts: Applications to Lattice and Factoring-Based Signatures“, ASIACRYPT 2009"
       target: https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf
       date: false
+  SP-1800-38C:
+      title: "Migration to Post-Quantum Cryptography Quantum Readiness: Quantum-Resistant Cryptography Technology Interoperability and Performance Report"
+      target: https://www.nccoe.nist.gov/sites/default/files/2023-12/pqc-migration-nist-sp-1800-38c-preliminary-draft.pdf
+      date: false
 
 --- abstract
 
@@ -353,7 +357,7 @@ where pk is public key, sk is secret key, ct is the ciphertext representing an e
                       | Client  | | Server  |
                       +---------+ +---------+
   +----------------------+ |           |
-  | sk, pk = kemKeyGen()   |-|         |
+  | sk, pk = kemKeyGen() |-|           |
   +----------------------+ |           |
                            |           |
                            | pk        |
@@ -365,7 +369,7 @@ where pk is public key, sk is secret key, ct is the ciphertext representing an e
                            |       ct  |
                            |<----------|
 +------------------------+ |           |
-| ss = kemDecaps(ct, sk)   |-|         |
+| ss = kemDecaps(ct, sk) |-|           |
 +------------------------+ |           |
                            |           |
 ~~~~~
@@ -563,7 +567,7 @@ The next table compares traditional vs. PQC Signature schemes in terms of securi
 
 As one can clearly observe from the above tables, leveraging a PQC KEM/Signature significantly increases the key sizes and the ciphertext/signature sizes compared to traditional KEM(KEX)/Signatures. But the PQC algorithms do provide the additional security level in case there is an attack from a CRQC, whereas schemes based on prime factorization or discrete logarithm problems (finite field or elliptic curves) would provide no level of security at all against such attacks.
 
-These increased key and signatures sizes could introduce problems in protocols. As an example, IKEv2 uses UDP as the transport for its messages. One challenge with integrating PQC key exchange into the initial IKEv2 exchange is that IKE fragmentation cannot be utilized. To address this issue, {{!RFC9242}} introduces a solution by defining a new exchange called the 'Intermediate Exchange' which can be fragmented using the IKE fragmentation mechanism. {{!RFC9370}} then uses this Intermediate Exchange to carry out the PQC key exchange after the initial IKEv2 exchange and before the IKE_AUTH exchange.
+These increased key and signatures sizes could introduce problems in protocols. As an example, IKEv2 uses UDP as the transport for its messages. One challenge with integrating PQC key exchange into the initial IKEv2 exchange is that IKE fragmentation cannot be utilized. To address this issue, {{!RFC9242}} introduces a solution by defining a new exchange called the 'Intermediate Exchange' which can be fragmented using the IKE fragmentation mechanism. {{!RFC9370}} then uses this Intermediate Exchange to carry out the PQC key exchange after the initial IKEv2 exchange and before the IKE_AUTH exchange. Another example from {{SP-1800-38C}} section 6.3.3 shows that increased key and signature sizes cause protocol key exchange messages to span more network packets, therefore it results in a higher total loss probability per packet. In lossy network conditions this may increase the latency of the key exchange.
 
 # Post-Quantum and Traditional Hybrid Schemes
 
@@ -580,7 +584,7 @@ The PQ/T Hybrid Confidentiality property can be used to protect from a "Harvest
 
 Various instantiations of these two types of hybrid key agreement schemes have been explored and will be discussed further. One must be careful when selecting which hybrid scheme to use.  The chosen schemes at IETF are IND-CCA2 robust, that is IND-CCA2 security is guaranteed for the scheme as long as at least one of the component algorithms is IND-CCA2 secure.
 
-## PQ/T Hybrid Authentication 
+## PQ/T Hybrid Authentication
 
 The PQ/T Hybrid Authentication property can be utilized in scenarios where an on-path attacker possesses network devices equipped with CRQCs, capable of breaking traditional authentication protocols. This property ensures authentication through a PQ/T hybrid scheme or a PQ/T hybrid protocol, as long as at least one component algorithm remains secure to provide the intended security level. For instance, a PQ/T hybrid certificate can be employed to facilitate a PQ/T hybrid authentication protocol. However, a PQ/T hybrid authentication protocol does not need to use a PQ/T hybrid certificate {{?I-D.ounsworth-pq-composite-keys}}; separate certificates could be used for individual component algorithms {{?I-D.ietf-lamps-cert-binding-for-multi-auth}}.
 
@@ -625,7 +629,7 @@ Post-quantum algorithms selected for standardization are relatively new and they
 
 ## Caution: Ciphertext commitment in KEM vs DH
 
-The ciphertext generated by a KEM is not necessarily inherently linked to the shared secret it produces. In contrast, in some other cryptographic schemes like Diffie-Hellman, a change in the public key results in a change in the derived shared secret. The reader is expected not to assume any properties of cryptographic primitives that they are not targeting, if you are trying to hybridize KEMs with DH, or migrating directly to KEMs from DH, be sure to explicitly commit to ciphertexts (and probably public keys too) as part of the protocol, as KEMs inherently will not do this.
+The ciphertext generated by a KEM is not necessarily inherently linked to the shared secret it produces. In contrast, in some other cryptographic schemes like Diffie-Hellman, a change in the public key results in a change in the derived shared secret.
 
 # Further Reading & Resources