From: danilog at item.ntnu.no (Danilo Gligoroski)
Date: Sat, 3 Sep 2016 16:10:54 +0200
Subject: [Pqc-forum] Comment on Post-Quantum Cryptography Requirements and Evaluation Criteria
In-Reply-To: <7a946b1e-c044-d6c1-383d-c6c2626ad7ae@item.ntnu.no>
References: <7a946b1e-c044-d6c1-383d-c6c2626ad7ae@item.ntnu.no>
Message-ID: <6a857687-f993-d06b-4e03-55361bcabbb8@item.ntnu.no>

Dear NIST,

I have the following two suggestions for the draft requirements and evaluation criteria for the NIST post-quantum standardization process.

1. For the part "Algorithm Specifications And Supporting Documentation". In Section 2.B.1, paragraph 3, the current text is:

"To facilitate the analysis of these algorithms by the cryptographic community, submitters are encouraged to also specify parameter sets that provide lower security levels, and to provide concrete examples that demonstrate how certain parameter settings affect the feasibility of known cryptanalytic attacks."

I suggest that this sentence be moved into a separate section (or paragraph) that states the following:

"To facilitate the analysis of the submitted algorithms by the cryptographic community, submitters are *required* to specify parameter sets that provide lower security levels, and to provide concrete examples that demonstrate how certain parameter settings affect the feasibility of known cryptanalytic attacks."

2. Then, in connection with this change, in the part "Proposed Evaluation Process", Section 5.A, the paragraph

"When evaluating algorithms, NIST will make every effort to obtain public input and will encourage the review of the submitted algorithms by outside organizations; however, the final decision as to which (if any) algorithm(s) will be selected for standardization is the responsibility of NIST."

should be changed to the following paragraph:

"When evaluating algorithms, NIST will make every effort to obtain public input and will encourage the review of the submitted algorithms by outside organizations; NIST encourages the reviewers to demonstrate their findings and attacks both on the versions with parameters that achieve full security levels, **as well as with practical attacks** on the provided parameter sets with lower security levels; however, the final decision as to which (if any) algorithm(s) will be selected for standardization is the responsibility of NIST."

Rationale for these suggestions:

NIST crypto competitions are highly respected events in the cryptographic and information security community. It is prestigious to participate in the competition and to publish attacks on the proposed algorithms. In the heat of the debates and the competition, there will be a lot of overrated attacks that are actually not as efficient as the attackers would claim. I am proposing the above changes in order to protect the dignity of both the submitters and the attackers, and to save the precious time and effort of NIST employees and the whole crypto community in validating those attacks. If the submission documentation contains obligatory test parameters that have a very low security margin, any published attack on the schemes is encouraged to be demonstrated *practically* on those low-level parameters. That will be seen as a correct and honest attempt to analyze the scheme, not just as a malicious attempt to discredit the attacked algorithm.

Additionally, providing parameters with low and very low security levels is in line with a long tradition in public-key cryptography, where many systems have been proposed accompanied by parameters with low and very low security levels, asking cryptographers to practically break the systems with those low-level security parameters.

Best regards,
Danilo!