Re: [TLS] Options for negotiating hybrid key exchanges for postquantum

Benjamin Kaduk <> Tue, 30 July 2019 20:20 UTC

Date: Tue, 30 Jul 2019 15:20:24 -0500
From: Benjamin Kaduk <>
To: "Scott Fluhrer (sfluhrer)" <>
Cc: Andrei Popov <>, David Benjamin <>, Watson Ladd <>, TLS List <>

On Tue, Jul 30, 2019 at 07:44:13PM +0000, Scott Fluhrer (sfluhrer) wrote:
> I believe that one important property (of either of the options I listed) is a nice fallback if an enhanced client talks to an older server.  In both cases, the server will see a series of named groups that it doesn't know (which it will ignore), and possibly an extension it doesn't know (which it will ignore); the server will accept either a named group that it does understand (if the client did propose a traditional group as a fall back), or it will come to the correct conclusion that the two sides have no mutually acceptable security policy.
> It is not clear if the proposal you outlined shares this property; do you duplicate a payload that an unenhanced server would assume only occurs once?

It's clear that anything we do needs to preserve compat with all four
possibilities in the interop matrix for (old, enhanced) (client,
server).  Your closing note about duplicating payloads is something of a
different creature, though, and perhaps should be considered more

Trying to uplevel a bit, option 1 is essentially introducing another
layer of indirection, with the need to carry the additional lookup table
on the side.  This has the disadvantages of both needing the extra layer
of indirection and also can have unfortunate impact from needing the
extra table on the side in more places than is immediately obvious
(i.e., the ESNI case that David mentioned).  The perceived benefit is
that we allocate fewer codepoints, avoid duplicating some KeyShare
information, and maybe get increased flexibility about how we combine
schemes.  In contrast, option 2 is more smoothly integrated into the
existing negotiation mechanism, but has the potential costs of allocating
more codepoints and duplicating some KeyShare information.

But, what are the KeyShare bits that will get duplicated?  If we're just
doing "X25519 plus one post-quantum", only the X25519 share gets
duplicated, even if we want to do several different post-quantum options
in "X25519 plus one post-quantum" form.  And X25519 shares are pretty
small, all things considered!  I'd find the concern about duplicated
KeyShares more compelling if we think we're going to end up needing to
negotiate between (X25519 plus PQ1 plus PQ2) and (X25519 plus PQ2 plus
PQ3) and (X25519 plus PQ1 plus PQ2 plus PQ3), where the PQ shares add up
fast.  It's not clear that the ecosystem will end up in a place where we
need to do the latter.
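To put numbers on the KeyShare-duplication question, here is an added Python example (not from this thread or any TLS implementation) that encodes a ClientHello key_share extension in the RFC 8446 wire format under option 2, one hybrid named group per combination, counts the bytes that get re-sent, and shows how a server walks the vector ignoring groups it does not know. The X25519 share length (32 bytes) and the 0x001d codepoint are real; the PQ share sizes and the hybrid group codepoints are constructed placeholders.

```python
import struct

# Component share sizes in bytes. X25519 is 32 bytes (RFC 7748); the three
# post-quantum sizes are constructed placeholders, not any real scheme's.
SHARE_LEN = {"X25519": 32, "PQ1": 800, "PQ2": 1184, "PQ3": 1568}

# NamedGroup codepoints. 0x001d is the real x25519 value (RFC 8446); the
# hybrid codepoints are assumed placeholders for this illustration only.
GROUP_ID = {("X25519",): 0x001D,
            ("X25519", "PQ1"): 0x6F01, ("X25519", "PQ2"): 0x6F02,
            ("X25519", "PQ3"): 0x6F03, ("X25519", "PQ1", "PQ2"): 0x6F04,
            ("X25519", "PQ2", "PQ3"): 0x6F05,
            ("X25519", "PQ1", "PQ2", "PQ3"): 0x6F06}

def hybrid_share(components):
    # Option 2: one key_exchange blob per hybrid group carrying every
    # component share (zero-filled here; the layout is a constructed assumption).
    return b"".join(b"\x00" * SHARE_LEN[c] for c in components)

def client_key_share(hybrids):
    # ClientHello key_share body: KeyShareEntry client_shares<0..2^16-1>,
    # each entry = NamedGroup(2) || key_exchange<1..2^16-1> (RFC 8446 4.2.8).
    entries = b"".join(struct.pack("!HH", GROUP_ID[h], len(hybrid_share(h)))
                       + hybrid_share(h) for h in hybrids)
    return struct.pack("!H", len(entries)) + entries

def duplicated_bytes(hybrids):
    # Bytes spent re-sending a component already carried by an earlier entry.
    seen, dup = set(), 0
    for h in hybrids:
        for c in h:
            if c in seen:
                dup += SHARE_LEN[c]
            seen.add(c)
    return dup

def server_usable_groups(body, known):
    # Server side: walk the vector, keep the groups it knows, skip the rest
    # (unknown NamedGroups are ignored, which gives the fallback property).
    (total,) = struct.unpack("!H", body[:2])
    pos, end, usable = 2, 2 + total, []
    while pos + 4 <= end:
        group, ln = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4 + ln
        if group in known:
            usable.append(group)
    if pos != end:
        raise ValueError("malformed key_share vector")
    return usable
```

With the placeholder sizes, three "X25519 plus one PQ" groups re-send only 64 bytes, while the three multi-PQ combinations re-send 4800 bytes, which is the shape of the concern in the last paragraph.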