Brainpool removed from crypto-refresh PQC spec

Aron Wussler aron at wussler.it
Tue May 28 06:12:22 CEST 2024 

Hello everyone,

Commenting as author on the decision taken here.

This was done in the best interest of a simple specification and implementation. The Brainpool and NIST curves were moved to a separate draft, alongside the ECDSA specification.

We consider curves to be a fallback for the PQ security, and I personally don't think they represent the core focus of the specification. In particular, this applies to signatures, where there is not clear consensus regarding composite and the situation may be more experimental.

This decision was proposed already at the IETF 119 meeting, considering the feedback gathered on the list.

Cheers,
Aron


--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930



On Monday, 27 May 2024 at 17:49, Andrew Gallagher via LibrePGP-discuss <librepgp-discuss at librepgp.org> wrote:

> On 27 May 2024, at 15:20, Werner Koch via LibrePGP-discuss librepgp-discuss at librepgp.org wrote:
> 
> > The IETF OpenPGP WG just released draft-ietf-openpgp-pqc-03.txt with
> > this surprising change [1]:
> > 
> > * Removed NIST and Brainpool curve hybrids, dropped ECDSA from the
> > current specification.
> > 
> > I wonder why the BSI now favors dropping of Brainpool as part of the
> > composite encryption algorithms and demand a Bernstein curve - one of
> > the authors works at the BSI.
> 
> 
> They don’t intend to drop brainpool. The discussion got bogged down in how many curves to include in the draft, so in order to speed the adoption process (and the interop process) it was decided at IETF-119 to remove the optional curves (brainpool, NIST) in order to concentrate on generic mechanisms [1]. AIUI, the BSI authors still intend to specify brainpool as it is relatively easy to do at a later date.
> 
> A
> 
> [1] https://mailarchive.ietf.org/arch/msg/openpgp/VVlAGdu3vBs417RNtFrn2x9WuNI/
> 
> _______________________________________________
> LibrePGP-discuss mailing list
> LibrePGP-discuss at librepgp.org
> https://librepgp.org/mailman/listinfo/librepgp-discuss

More information about the LibrePGP-discuss mailing list