Re: [TLS] Options for negotiating hybrid key exchanges for postquantum
Watson Ladd <watsonbladd@gmail.com> Tue, 30 July 2019 20:03 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C04A12001E for <tls@ietfa.amsl.com>; Tue, 30 Jul 2019 13:03:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jDXhTqSLAkBp for <tls@ietfa.amsl.com>; Tue, 30 Jul 2019 13:03:24 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6910C12001A for <tls@ietf.org>; Tue, 30 Jul 2019 13:03:23 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id i21so63309248ljj.3 for <tls@ietf.org>; Tue, 30 Jul 2019 13:03:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KAR9jJY042a42hx+A+kSpyWjMssoZDkg5AQTIBbtuRo=; b=GUGCpjnUlMRWqTMaUyzEf5EmayqY9NhIseP9syoJfGw/881i0oywru7cgTD+xRy3Np 0UXetwSMRp9P/BSaUK+JO8ylM5DQ2PiDLU5T1cWQIkSX1saoZR6y+ES+4gj4YQbui4P5 +KOY+/14xckAfzlUogVli4yROxg6bkHZ/UftzQD69rSEAzX5dbXMCi3ycd04W5ux4e5u TG/ypP+rnctlMWAfgLOv521rdbMAI4h/IaGonI7DST9S6ahsR06RYfC+cECfjACJ9uOH 0YaDaTYV68WHK1ypt5V0IfzCmP5hIE3b4tR5hSMDCXmV1IQ2fpALRq6z36V78mVr9pmu 2W8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KAR9jJY042a42hx+A+kSpyWjMssoZDkg5AQTIBbtuRo=; b=rthZ6SMW5vc09YSfHHdXvEqeT9C80vaIPsVTJLGo8jLvwmM/DhavMExzldq+Heqkh2 OFRIL7fnq5xMRWFXcCOb4G2CGf3YJP151KF1mR6F6cEQB4cgQnQuKZQq7h6krmJWFVSv r/vr8RdMc/kPjAd/FfqG0ksXSEbE/7atymvr24MLrqQoBAG5xfnAUPf0Hm3klLOB7tHj IDdB26uChrhuYUzl3iiLInUTizQS7/QJqCO4A+l7oxAGvIXUN9MVz7jVbOk468dGOuc8 ClC8njbWiU41QdMToGEoh3w/QiwsrAgyajfIuOXfZFzKi0vs2PYLEk0y5s7e7yy7hUeu hT+g==
X-Gm-Message-State: APjAAAUpMnewEjy9FeF+L488SydryQqqDmxCkyt/+uvnSEPuHcTeWTjV uBP/hrN3xEzU77/GlLCtxt6gaHVJrrDbIW3d4DE=
X-Google-Smtp-Source: APXvYqzoIw030c7fo3/s2dDkcIrlJDB/WDybkor1UmqHpFcrYq+TZEc5eT/dIfLdLVJlXYLteUNRpJGYHPrWRsca6qw=
X-Received: by 2002:a2e:7c15:: with SMTP id x21mr62362363ljc.55.1564517001517; Tue, 30 Jul 2019 13:03:21 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR11MB38719A31081434FEF6A84999C1DC0@MN2PR11MB3871.namprd11.prod.outlook.com> <CACsn0c=bmsyDPhTUtCcEv1WnnsR8OmDO67TFTu1aWSxikESOEA@mail.gmail.com> <MN2PR11MB3871829A35631EE2724335C7C1DC0@MN2PR11MB3871.namprd11.prod.outlook.com> <663791e0-1a2a-27cd-f1c7-20658eb0b9f5@cs.tcd.ie>
In-Reply-To: <663791e0-1a2a-27cd-f1c7-20658eb0b9f5@cs.tcd.ie>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 30 Jul 2019 13:03:09 -0700
Message-ID: <CACsn0ckgNPqP28g54+hXkUVD1tFujiP7+iy0NrFsg_beV3U=fA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, TLS List <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001ee144058eeb8051"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4LMM57TxKhCU8OPi0FLymfRqEXw>
Subject: Re: [TLS] Options for negotiating hybrid key exchanges for postquantum
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 20:03:26 -0000
On Tue, Jul 30, 2019, 12:52 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > I'm neutral as to how we represent this stuff for the moment > as I think it's too early to tell until we get closer to the > end of the algorithms competition. > Part of the input being provided is deployability experiments happening now in TLS. > > That said, I do want to second this... > > On 30/07/2019 19:41, Scott Fluhrer (sfluhrer) wrote: > > Here is one opinion (mine, but I'm pretty sure it is shared by > > others): the various NIST candidates are based on hard problems that > > were only recently studied (e.g. supersingular isogenies, Quasicyclic > > codes), or have cryptanalytic methods that are quite difficult to > > fully assess (e.g. Lattices). Even after NIST and CFRG have blessed > > one or more of them, it would seem reasonable to me that we wouldn't > > want to place all our security eggs in that one basket. We currently > > place all our trust in DH or ECDH; however those have been studied > > for 30+ years - we are not there yet for most of the postquantum > > algorithms. > > > > Hence, it seems reasonable to me that we give users the option of > > being able to rely on multiple methods. > The only person with whom I've spoken who said he'd plan to > deploy some of this soon is a VPN operator who explicitly > wanted to start early and use >1 PQ scheme (3-4 is what he > said) plus a current scheme. His expectation was that that'd > settle down to one PQ scheme, or one PQ and a current one, > in time, but that time may be a decade after he'd like to > start. > > So, to the extent it matters, count me as a +1 for supporting > that. > > Cheers, > S. > >
- [TLS] Options for negotiating hybrid key exchange… Scott Fluhrer (sfluhrer)
- Re: [TLS] Options for negotiating hybrid key exch… Watson Ladd
- Re: [TLS] Options for negotiating hybrid key exch… David Benjamin
- Re: [TLS] Options for negotiating hybrid key exch… Scott Fluhrer (sfluhrer)
- Re: [TLS] Options for negotiating hybrid key exch… Andrei Popov
- Re: [TLS] Options for negotiating hybrid key exch… David Benjamin
- Re: [TLS] Options for negotiating hybrid key exch… Andrei Popov
- Re: [TLS] Options for negotiating hybrid key exch… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Options for negotiating hybrid key exch… Panos Kampanakis (pkampana)
- Re: [TLS] Options for negotiating hybrid key exch… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Options for negotiating hybrid key exch… Andrei Popov
- Re: [TLS] Options for negotiating hybrid key exch… Scott Fluhrer (sfluhrer)
- Re: [TLS] Options for negotiating hybrid key exch… Andrei Popov
- Re: [TLS] Options for negotiating hybrid key exch… Stephen Farrell
- Re: [TLS] Options for negotiating hybrid key exch… Watson Ladd
- Re: [TLS] Options for negotiating hybrid key exch… Scott Fluhrer (sfluhrer)
- Re: [TLS] Options for negotiating hybrid key exch… Benjamin Kaduk
- Re: [TLS] Options for negotiating hybrid key exch… Martin Thomson
- Re: [TLS] Options for negotiating hybrid key exch… Hubert Kario