Hi, There was significant interest from several countries to have a side-meeting on PQC at IETF 122 Bangkok, so Ericsson will organize such a meeting on Monday 17 March 15.15 - 16.45 Bangkok time in Meeting Room 2 [40 seats] (overlapping with Monday Session III). It is possible to attend remotely. https://trello.com/c/nH9exeWo
Potential discussion topics are listed below. There might be a few short presentations to foster discussion, but the plan is to focus on dialogue and discussion between people in the IETF and government stakeholders. Cheers, John Preuß Mattsson Expert, Cryptographic Algorithms and Security Protocols, Ericsson Description Time: 15:15-16:45 Meeting Title: PQC Dialogue with Government Stakeholders IETF Webex: https://ietf.webex.com/meet/ietfsidemeeting2 Meeting Organizer: John Preuß Matsson, Ericsson and Alexander Engström, NDRE Email address: john.matts...@ericsson.com<mailto:john.matts...@ericsson.com> Meeting Description: Potential discussion topics: * Recommended PQC algorithms (KEMs and signatures) o ML-KEM, ML-DSA, SLH-DSA, FN-DSA, Classic McEliece, FrodoKEM, BIKE/HQC, XMSS/LMS, … o Security category 1,2,3,4,5? Does it depend on algorithm and use case? * Timelines for PQC migration o When should migration begin? When will it be required? o Does it depend on user, use case, protection lifetime, hardware vs software, migration complexity, value of the protected node and data, scheduled hardware replacement, etc.? * Hybridization or standalone PQC o Difference between KEMs and Signatures o Differences between algorithms (e.g., lattice-based vs. hash-based) o Differences between use cases (e.g., confidentiality vs. authentication) o Is hybridization a short-term necessity or a long-term strategy? * Hybridization of PQC KEMs o Single vs. multiple PQC algorithms? Role of symmetric keys? o KEM combiners: general-purpose vs. optimized designs o Which traditional curves? X25519/X448, NIST P-curves, Brainpool, … * Hybridization of signatures o Role of symmetric keys? o Signature combiners, general or optimized? o Desired properties: SUF-CMA? Other security properties? o Which traditional signatures? EdDSA, ECDSA, RSA? * KDF and hash functions o ML-KEM and ML-DSA mandate SHA-3. o Time to move away from SHA-2/HMAC/HKDF/MGF?
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
