We brought PQC (beginning with ML-DSA and ML-KEM) to TPM 2.0! While it’s only been a year since we last published, the big changes needed for PQC have been in the works since 2022. This was a monumental team effort and I’m so proud of the team for getting it done!
I see “only supports RSA” and “TPM” on the same slide and I have Questions
We need more former bartenders in Standards groups too!
🙌
“Mistakes in cryptography are not a sin […]. They’re simply a fact of life. As somebody once said, “cryptography is nightmare magic math that cares what color pen you use.” We’re all going to get stuff wrong if we stick around long enough to do something interesting[.]”
M Night Shyamalan -ass security protocol
Frog and Toad with a box illustration. Badly edited text. Frog put the KEY in a box. "There," he said. "Now we will not SIGN MALICIOUS MESSAGES." "But we can ASK THE HSM," said Toad. "That is true," said Frog.
I miss when you could post Brave Norman Rockwell Townsperson and the caption could be, like, “R.E.M was wrong to leave ‘Fretless’ off of Out of Time” instead of “The secret police should stop murdering people.”
“You wrote a presentation that the authors of RFC 9794 would criticize” might be the “you wrote some code that the authors of the Linux kernel style guide would criticize” of teaching crypto
You can really tell someone spent 3 years perfecting this “Terminology for Post-Quantum Traditional Hybrid Schemes”
> RFC 9794
> “The word "hybrid" is also used in cryptography to describe encryption schemes that combine asymmetric and symmetric algorithms [RFC9180], so using it in the post-quantum context overloads it and risks misunderstandings.”
> Puts the word “hybrid” on everything
I finally reached the end. This was a super good episode and it gave me all the warm fuzzies about my internal reactions to getting started with Ossl3 for PQC.
As a former windows NCrypt provider maintainer, I really thought all my “magic strings to throw at a generic API” was behind me 😭
6 more weeks of elliptic curve cryptography
just when I was learning to tolerate the EVP
Me several days ago: “why do all the ML-DSA signing test vectors have only up to 2 of ( key seeds, hedging randomness, and mu values )”
Me now: “ok guess I’m sending a PR to Wycheproof
Oh 100%
I should clarify: “correctly implementing…”
Implementing a protocol that uses cryptography is harder than designing a protocol that uses cryptography.
Normally I use that to explain to people that they need to minimize excessive complexity in their designs but imagine what designs the team responsible for this code is capable of
They believe in nothing.
When you determine your views as being the midpoint between two opposing positions, it just shows that you don't hold actual beliefs or principles.
You found the logo for non-canonicalized EdDSA public keys
Minnesota National Guard members have arrived at a federal building and were directed to distribute donuts, coffee, and hot chocolate to anti-ICE protesters. Guard members were issued reflective vests so they would not be mistaken for federal agents.
At the end of the day, the Black Lives Matter era was about whether people should be killed in the street, and lots of people decided yeah and put those little blue flags on their cars. It spread to everyone because it stopped for no one.
Pro tip: never design a policy-measurement scheme like this. It’s so brittle you will never be able to rotate keys. Imagine trying to bridge this system to PQC
This is why people reflexively dunk on BitLocker. As a product it is stuck on its threat model from the early 2000’s and Microsoft appears uninterested in modernizing it.
But as Swift above, dunking is a bit less warranted in this case because escrow to 1 of N of your other devices is complex
So if you upgrade firmware and it’s signed by a different key that you already trusted, or the same keys you trusted before but used in a different order, PCR 7 will change and send BitLocker to recovery.
![5. Before launching an EFI Driver or an EFI Boot Application (and regardless of whether the launch is due to the EFI Boot Manager picking an image from the DriverOrder or BootOrder UEFI variables or an already launched image calling the UEFI Loadlmage() function), the UEFI firmware SHALL determine if the entry in the EFI_IMAGE_SECURITY_DATABASE_GUID/EF|_ IMAGE_SECURITY_DATABASE variable that was used to validate the EFI image has previously been measured with the EV_EF_VARIABLE_AUTHORITY event type in PCR[7]. If it has not been, it MUST be measured into PCR[7] as follows. If it has been measured previously, it MUST NOT be measured again. The measurement SHALL occur in conjunction with image load.](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:jk43wuenubqwx5gonueklyrn/bafkreigjhy43dr73gezdh6nfyx7xuxlhfc7zlhjkoobphmqrcpj23q64ce)
5. Before launching an EFI Driver or an EFI Boot Application (and regardless of whether the launch is due to the EFI Boot Manager picking an image from the DriverOrder or BootOrder UEFI variables or an already launched image calling the UEFI Loadlmage() function), the UEFI firmware SHALL determine if the entry in the EFI_IMAGE_SECURITY_DATABASE_GUID/EF|_ IMAGE_SECURITY_DATABASE variable that was used to validate the EFI image has previously been measured with the EV_EF_VARIABLE_AUTHORITY event type in PCR[7]. If it has not been, it MUST be measured into PCR[7] as follows. If it has been measured previously, it MUST NOT be measured again. The measurement SHALL occur in conjunction with image load.
Here is the biggest problem I can see. PCR7 contains DB (authority keys and hashes) already but it gets extended again with each key the first time it gets used.
Bonus lore: PCR7 measurements are badly designed partly at the behest of BitLocker ca. mid-2000’s. That problem cannot now be fixed except by updated standards: trustedcomputinggroup.org/wp-content/u...
If you or a loved one are worried about the scenario where a corrupt government official is trying to get into your computer, you should disable online backup, print out the recovery keys, and put them in a box labeled “The Epstein Files”
If you’ve ever dug into the disaster that is the design of PCR7 measurements made by UEFI secure boot, you know how common BitLocker recovery has to be.
Microsoft should invest in an Apple-like “escrow this key to your other devices” feature but this is a significant effort
