**Session Date/Time:** 06 Nov 2025 19:30

# PQUIP

## Summary

The PQUIP working group session focused on updates to its current drafts, reports from related external PQC efforts, and a significant discussion on the working group's role in providing general "post-quantum migration guidance." The working group has two drafts nearing completion: "Hash-Based Signatures State Management" and "Post-Quantum Cryptography for Constrained Devices." A presentation on ETSI's Quantum Safe Cryptography activities provided an overview of their work. A draft titled "Post-Quantum Algorithms Guidance" was presented, aiming to centralize comparative information on PQC algorithms. The majority of the session was dedicated to a discussion, initiated by the chairs, on whether PQUIP should adopt documents offering broad guidance for PQC migration, with a strong sentiment from those present against doing so.

## Key Discussion Points

*   **Opening Remarks and Notewell:** Standard IETF notewell and meeting guidelines were presented.
*   **Agenda Overview:** The agenda included updates on completed documents, external projects, current working group drafts, a presentation on ETSI PQC work, and a discussion on post-quantum guidance.
*   **Completed Documents:**
    *   **Terminology RFC:** Already published and widely read.
    *   **Hybrid Signature Spectrum & PQC for Engineers:** Both are in the RFC Editor's Queue and are expected to become RFCs before the next meeting.
*   **Related Outside Projects:**
    *   **PQC Interoperability Testing (John Gray, IETF Hackathon):** Reported on three years of hackathon activity. Recent focus included composite OIDs (six groups working on implementations), CMS testing for signatures and KEMs (automated testing with artifact format), and private key format discussions. Noted that about half of implementations support seeds and expanded format. The group meets monthly (first Tuesday) and supports remote participation.
    *   **PQ DNSSEC:** The informal research group did not meet, but the mailing list remains active.
    *   **CFRG:** Met earlier in the week and was scheduled to meet again, covering many post-quantum topics.
*   **Working Group Drafts:**
    *   **draft-ietf-pquip-hbs-state (Hash-Based Signatures State Management) - presented by Tolvejors:**
        *   **Recent Changes:** Added a comparison to ETSI/prior research, incorporated suggestions from Scott and Alicia, added text on interval-based state preservation, and suggested adding warnings for threshold amounts of available signatures. Noted the importance of careful parameter consideration.
        *   **Scoping Decisions:** Decided not to deep-dive into parameter selection (due to its vastness) or implementation tricks (beyond the document's scope and audience), instead advising readers to conduct their own research or reach out to authors directly for implementation details.
        *   **NIST SP 800-208:** NIST has not responded to inquiries, indicating reduced bandwidth. Authors concluded that the draft's content does not conflict with potential NIST work and are leaning towards letting this issue go.
        *   **Discussion:** The co-chair agreed that implementation tricks and deep parameter selection were out of scope for the current draft, though interest in such a document might exist for a future PQUIP or other draft. Deirdre supported moving to Working Group Last Call (WGLC). A general sense of those present indicated support for WGLC. The chairs agreed to initiate a WGLC soon, while still trying to inform NIST.
    *   **draft-ietf-pquip-pqc-constrained-devices (PQC for Constrained Devices) - presented by Dan Wing:**
        *   **Status:** Working on issue 38 (signing rejection sampling) and awaiting an update from NIST on FIPS 206 (FNDDSA recovery modes). The scope has expanded slightly to cover other small, low-powered devices beyond HSMs.
        *   **Discussion:** The co-chair questioned whether to wait indefinitely for NIST FIPS 206, suggesting alternatives if an update wasn't imminent. Tom (HBS-state author) noted FNDDSA is a high priority for NIST and drafts have been circulating, so waiting might be worthwhile. Philippe inquired about UEFI Forum's work on firmware upgrades, but no one present was tracking this. The chairs urged the working group to read and comment on the document *before* WGLC.
*   **ETSI and Quantum Safe Cryptography (presented by MacCompanyer):**
    *   **ETSI TC QSC Overview:** ETSI is a non-European standards organization. The TC QSC was established in 2013, focusing on kicking off PQC standardization, driven by the 20-year transition cycle to new public key algorithms.
    *   **Working Group Structure:** Chaired by MacCompanyer (Amazon), with vice-chairs and a technical officer. Takes on new work items via proposals from members, with an 18-month publication target. Comprises 30-40 participants from corporate, government, and academia.
    *   **Recommendations & Specifications:**
        *   **Analysis (TRs):** Documents on the impact of quantum computing on symmetric cryptography and security proofs.
        *   **Recommendations:** Framework for PQC migration, hybrid/composite schemes, stateful hash-based signatures.
        *   **Normative Standards (TS):** Revision of quantum-safe hybrid key establishment (now focused on NIST ML-KEM in hybrid mode), and an efficient quantum-safe hybrid key exchange with hidden access policies (attribute-based encryption using hybrid key establishment).
    *   **New Work Items:** Guidance for secure implementations of KEMs/digital signatures (general, ML-KEM, ML-DSA, stateless hash-based signatures), and authenticated hybrid key establishment (including QKD information security retention).
    *   **Access & Events:** ETSI Forge provides reference implementations. Documents are freely available post-publication. The ETSI IQC Quantum Safe Cryptography Conference will next be held in June 2026. ETSI's work focuses on member needs and does not aim to standardize new algorithms or make recommendations to IETF.
*   **Post-Quantum Algorithms Guidance (draft-lucas-pquip-post-quantum-algorithms-guidance) - presented by Lucas:**
    *   **Motivation:** Centralize comparative information on PQC algorithms (beyond NIST), address non-NIST schemes (e.g., European Commission requirements), and provide consistent trade-off comparisons (size, security, maturity).
    *   **Content:** High-level descriptions of KEMs and signatures, summarizing key attributes (parameter sizes, security level, models, standardization status). Focus on clarity for side-by-side comparison, not a technical deep dive.
    *   **Changes since IETF 123:** Added comments on SUF-CMA security and general details about symmetric signatures and KEMs.
    *   **Feedback from IETF 123:** Objective of neutrality (no recommendations), preference for a searchable, regularly updated "living document" format, initial scope limited to NIST and ISO algorithms, with openness to extending.
    *   **Questions for WG:** Criteria for algorithm selection, scope extension, specific schemes to add, and suggestions for clarity/structure. Requested a call for adoption.
    *   **Discussion (Mike Ossworth):** Pointed out that the draft's title ("Guidance") conflicts with the stated objective of keeping the draft neutral (i.e., not providing prescriptive guidance), suggesting the title be changed to reflect objective information. Tony Lee asked a related question about hash truncation, which was deemed more appropriate for CFRG or the mailing list.
*   **Discussion on Guidance for Adopting Post-Quantum (Chairs' Discussion):**
    *   **Chairs' Perspective:** Paul Wouters expressed skepticism about PQUIP's ability to provide useful, long-term general migration guidance given the diverse environments, inability to predict the future, and the abundance of existing external advice (consultants, articles). Questioned what PQUIP could contribute that would be uniquely valuable and trustworthy as an RFC.
    *   **General Sentiment (various speakers):**
        *   Rich Salls: Strongly opposed. Too many factors, no consensus possible within the WG, any outcome would be vague and useless, and local/commercial requirements would override it.
        *   Mike Ossworth: Agreed, calling it a "bike shed factory" and suggesting PQUIP's only useful guidance might be "go hire a cryptographer."
        *   Chris Patkowski (author of a guidance draft): Suggested if PQUIP does something, it should be protocol-agnostic, focus on compliant migration (e.g., when to go hybrid vs. pure PQC) to minimize cost and steps, and be comprehensive. Clarified this meant providing comparative data and process advice, not prescriptive algorithm choices.
        *   Richard Barnes: Agreed with skepticism, noting similar sentiment at a Dispatch session and that many have already migrated successfully without such IETF guidance.
        *   Tim: Agreed, stating such work would add confusion, slow things down, and be unproductive.
        *   Flo Driscoll: Agreed, suggesting specific *technical* guidance might be possible later, once migration challenges become clearer, but not general guidance now.
        *   Ecker: Advised against, suggesting the WG might be looking for work after its initial impulses are complete, reiterating "always be closing."
        *   David Adrian: Agreed, noting that such drafts wouldn't tangibly change actions, making them unnecessary.
        *   Scott Cadzow: Acknowledged significant confusion and bad advice in the industry, suggesting there's a need for clarity, but did not specify what PQUIP could contribute.
    *   **Chairs' Conclusion:** Paul Wouters and Sophia decided that the strong sense of the room was against PQUIP adopting general guidance documents on PQC migration. They agreed not to bring such a proposal to the mailing list, viewing it as an "attractive nuisance." Rich Salls requested that this significant decision be confirmed on the mailing list. The chairs agreed to confirm the sentiment of the meeting on the list. Mike Ossworth suggested considering re-chartering to narrow the WG's scope.

## Decisions and Action Items

*   **HBS State Document:** The working group will proceed with a Working Group Last Call for `draft-ietf-pquip-hbs-state` in the near future. Authors will continue efforts to engage NIST regarding SP 800-208.
*   **General Guidance Documents:** A strong sense of those present indicates the PQUIP working group should *not* adopt documents providing general guidance for post-quantum migration due to varying environments, lack of consensus, and potential for limited usefulness.
*   **Chairs Action:** The chairs will confirm the working group's sentiment regarding general guidance documents on the mailing list.

## Next Steps

*   **HBS State:** Authors to prepare for Working Group Last Call.
*   **PQC for Constrained Devices:** Authors to continue addressing outstanding issues (e.g., signing rejection sampling) and monitor NIST FIPS 206 updates. Working group members are encouraged to review and comment on the draft.
*   **Post-Quantum Algorithms Guidance (Lucas's Draft):** The title of this draft may need adjustment to better reflect its neutral, comparative information nature, rather than prescriptive "guidance." Further discussion on its adoption within PQUIP, given the broader sentiment against general guidance, will likely occur on the mailing list.
*   **PQUIP Working Group Future:** Discussion on the mailing list will confirm the WG's position on general guidance documents. Depending on the completion of the two active drafts, there may be future discussions about the working group's charter and potential re-chartering.