
Naming of pre-standard PQC algorithms #3697

Closed
falko-strenzke opened this issue Sep 14, 2023 · 4 comments

Comments

@falko-strenzke
Collaborator

falko-strenzke commented Sep 14, 2023

I would like to encourage a discussion about the naming of the pre-standard PQC algorithms in Botan's API. There are currently implementations, obviously still based on the submission papers, that will now most likely be updated to the NIST initial draft versions. Later there might be another pre-final draft, and certainly at some point there will be the final drafts.

If the updates according to these version changes are done by silently modifying the behaviour of existing implementations, this would cause hard-to-trace incompatibilities with other implementations when updating the Botan version. Thus I suggest providing new names for any new algorithm versions. For the updates of Kyber, Dilithium and SPHINCS⁺ according to the initial draft standards, I propose to simply move to the new official names together with a suffix to indicate the draft version, e.g. "ML-KEM-pre1", "ML-DSA-pre1" and "SLH-DSA-pre1", or a similar naming scheme (see here for the naming scheme proposed in PQUIP).

That does not mean that I would expect any single Botan version to feature multiple versions of a given algorithm. The main goal is to provide a clear failure at the time of algorithm instantiation by the application rather than operating with a different algorithm under the same name.
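
The proposal above boils down to an API design rule: every revision of an algorithm gets its own distinct name, and asking for a name the library does not provide fails at instantiation instead of silently handing back a different revision. The following added example (not Botan's code; the registry contents, names and the "-pre1" suffix used for the unsupported draft name are constructed for illustration) shows such a name registry in C++, with a lookup that refuses unknown names and exposes the deprecation status of older revisions.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Which revision of the specification an implementation tracks.
enum class Revision { Round3, Final };

struct AlgorithmInfo {
    std::string family;   // the standardized family, e.g. "ML-KEM"
    Revision revision;    // which revision this name denotes
    bool deprecated;      // true for variants scheduled for removal
};

// Constructed registry (not Botan's actual table): each revision has its own
// name, so a caller can never obtain a different algorithm under one string.
// Draft-version names such as "ML-KEM-512-pre1" are deliberately absent: the
// draft revision was never shipped, so the name must not resolve.
static const std::map<std::string, AlgorithmInfo>& registry() {
    static const std::map<std::string, AlgorithmInfo> table = {
        {"Kyber-512-r3",       {"ML-KEM",  Revision::Round3, false}},
        {"Kyber-512-90s-r3",   {"ML-KEM",  Revision::Round3, true}},
        {"ML-KEM-512",         {"ML-KEM",  Revision::Final,  false}},
        {"Dilithium-4x4-r3",   {"ML-DSA",  Revision::Round3, false}},
        {"Dilithium-4x4-AES-r3", {"ML-DSA", Revision::Round3, true}},
        {"ML-DSA-4x4",         {"ML-DSA",  Revision::Final,  false}},
    };
    return table;
}

struct Resolved {
    std::string name;
    std::string family;
    Revision revision;
    bool deprecated;
};

// Resolve a name to exactly the revision it denotes. An unknown name throws;
// there is no fallback to a "closest" or newer algorithm, which is the clear
// failure at instantiation that the issue asks for.
Resolved resolve_algorithm(const std::string& name) {
    const auto& table = registry();
    auto it = table.find(name);
    if (it == table.end()) {
        throw std::invalid_argument("unsupported algorithm name: " + name);
    }
    return {name, it->second.family, it->second.revision, it->second.deprecated};
}

// Convenience predicates for callers and tests.
bool is_supported(const std::string& name) {
    return registry().count(name) != 0;
}

bool is_deprecated(const std::string& name) {
    return resolve_algorithm(name).deprecated;
}

// True when resolve_algorithm() rejects the name with invalid_argument.
bool rejects_name(const std::string& name) {
    try {
        resolve_algorithm(name);
    } catch (const std::invalid_argument&) {
        return true;
    }
    return false;
}
```

A caller that hard-coded "Kyber-512-r3" keeps getting the Round 3 algorithm after an upgrade, while a request for a never-released draft name throws rather than quietly being served the final standard.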

@falko-strenzke
Collaborator Author

There now exists a naming scheme for the PQC algorithm pre-final versions at https://github.com/ietf-wg-pquip/state-of-protocols-and-pqc#algorithm-names. From my point of view it would make sense to apply that in Botan, too. It should match already for the current implementation.
@reneme @randombit

@reneme
Collaborator

reneme commented Oct 12, 2023

I agree, and vote for the final algorithms to adopt the NIST-proposed naming. For instance, from what I can tell, people have started to use ML-KEM to refer to what is to be released by NIST in 2024.

@falko-strenzke
Collaborator Author

I agree, and vote for the final algorithms to adopt the NIST-proposed naming. For instance, from what I can tell, people have started to use ML-KEM to refer to what is to be released by NIST in 2024.

Definitely ML-KEM is reserved as the name for the final standard.

@reneme
Collaborator

reneme commented Oct 15, 2024

Some of the pre-standard algorithm revisions ("round 3") have seen some usage with early adopters and will remain supported for some time, certainly until Botan 4 and perhaps longer, depending on their usage. There are implementations of the Round 3 submissions of Kyber (SHAKE and 90s), Dilithium (SHAKE and AES) and SPHINCS+ (SHAKE and SHA2). The 90s and AES variants of Kyber and Dilithium have already been marked as deprecated since Botan 3.5.0.

The implementations of the "initial public draft" versions of ML-KEM, ML-DSA, SLH-DSA were never merged into master and thus were never released. Hence, implementations of those algorithm revisions aren't provided by the library.

The final standardized versions are referred to as ML-KEM, ML-DSA and SLH-DSA in the library. For any new system, this is what should be used.

@reneme reneme closed this as completed Oct 15, 2024