Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

Watson Ladd <watsonbladd@gmail.com> Mon, 06 November 2023 16:41 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 06 Nov 2023 08:40:40 -0800
To: Thom Wiggers <thom@thomwiggers.nl>
Cc: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>, Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2ibbhprWpkiJtRZx-zxUmeC9aBs>

I'm most interested in Level I which I think is what the current
browser deployments have targeted. Higher security levels are much
less relevant at least for now, and I think the platforms will likely
look different.

I think ML-KEM-768 codepoint and a hybrid one make sense to grab now:
AFAIK it's easy to do. Happy to contribute to drafts, but I think we
have some floating around.

KEMTLS is a great idea, but I think for now we can make do without:
it's ok for the PKI to evolve slower.

On Mon, Nov 6, 2023 at 5:32 AM Thom Wiggers <thom@thomwiggers.nl> wrote:
>
> Hi,
>
> On 6 Nov 2023, at 14:24, Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org> wrote:
>
> I’m fine if the cocktail napkin says “we’ll either do A or B, we’re still figuring that out”.
>
>
> I’m not sure if we will be able to say this as strictly as “A xor B”, we might need to do A and B in different environments. CNSA 2.0’s requirement of level-V parameters results in very different behaviour than what we see at NIST level I, for example. The platforms on which we deploy things are also subject to wildly varying constraints.
>
> Cheers,
>
> Thom
>
>
>
>
>
> What I’m trying to avoid is the situation where everyone has a different notional quantum-safe TLS design in their heads, but nobody realizes it because nobody has bothered to try to write down the details, even at a very high level.
>
> If it changes in the future due to new events or analysis, that’s ok too.
>
> -Tim
>
> From: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
> Sent: Monday, November 6, 2023 1:14 PM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>
> Cc: John Mattsson <john.mattsson@ericsson.com>; TLS@ietf.org
> Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
>
>
>
> (3)-(5) are exactly the hard problems I’ve been thinking a lot about lately.  I’d actually be tempted to say that AuthKEM vs signatures is something we should figure out ASAP.  I read AuthKEM again this morning, and it has a lot of attractive features, but I’m not quite sure what the right answer is yet.
>
>
> I don't think we can settle the future of PQ authentication in TLS just yet — there are still many unknowns. To name a few:
>
> 1. What signature schemes are on the horizon? MAYO [1] from the NIST signatures on-ramp would be great, if it doesn't turn out to be broken.
>
> 2. How will the confidence in existing schemes develop? AuthKEM will look different depending on whether it can use Kyber-512 or Kyber-1024. Also, will it replace Dilithium5 or Dilithium2?
>
> 3. What other higher level changes is the ecosystem able to adopt? For instance Merkle Tree Certs [2].
>
> These are all hard questions, and although I do not believe we can answer them now, we should be thinking about them right now. I think we should have different pots on the fire, so to say.
>
> Best,
>
>  Bas
>
> [1] https://pqmayo.org/params-times/
> [2] https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
Astra mortemque praestare gradatim