IETF Logo Mail Archive

Re: [TLS] ML-KEM key agreement for TLS 1.3

Orie Steele <orie@transmute.industries> Thu, 07 March 2024 04:30 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E42FEC14F707 for <tls@ietfa.amsl.com>; Wed, 6 Mar 2024 20:30:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CAqPAUtSGL4c for <tls@ietfa.amsl.com>; Wed, 6 Mar 2024 20:30:05 -0800 (PST)
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6108C14F6A9 for <tls@ietf.org>; Wed, 6 Mar 2024 20:30:05 -0800 (PST)
Received: by mail-pj1-x1033.google.com with SMTP id 98e67ed59e1d1-29acdf99d5aso224602a91.2 for <tls@ietf.org>; Wed, 06 Mar 2024 20:30:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1709785805; x=1710390605; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qq/4ASjh3ZRuoo1iIZjIupMUrh7PgThWt638lIfitSQ=; b=TkWvxGguW5FOjAEWz41XohKBr8LyBxK+Cx9BEyDJ7JtQssMQjPOluSKzfd1RfES3IK jtmv1/YD6aHiqEa5kpXUtvQ7bH8b1rr6opwYkFKn/PY3baiy0AeyzPpzATZm3tQVF/BL M1unfadLJ5tZSLES+P6y5fciCqB4dY08Te1AVT4WBNHJ7VxvfNh9t5T0A7Eqxik3SfdP bCY87fd+1htrMCqVKccJYQC2ElePLc4io6oeuL85T0sdyJVjRLrUy8oHEMpr0+lw9cto wo4eqmon7OEI4h8MER6CJZY86SZiuAkx5MQfTPPDl5kgeiBjsCvVN9Hw90UimAJvrLj8 PzVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709785805; x=1710390605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qq/4ASjh3ZRuoo1iIZjIupMUrh7PgThWt638lIfitSQ=; b=EqN1Dr7cQbBX7cCE1of3GFlTm9vm+aGqG/fWet2WlJIVKFOCLCU3l8OL9AVJdy6Kdo ay06XetfuBqpS08NOf3vsP/iByfXtbPj6sJdiDIZ//+8mggeEXfE4gozPWlwU9gQdTYA NHRMsMCJ5zuHsSvxqwhf3Jvvu0OauS1vfYZA9WYfRSoVj6YMAeYmoG8lTID58G5oFqek FvGchZtVly5JrLrzFv2Ixm2zJp/Kk/U5rTw+q/Auqvq6xIF6eAG9m8Uk1yCMFtq9MRFi dH+oQIJ0vGrnlhnObUnj8dt3QV+7hqwZ7Jvih6dhcvXTjchHsvwbkyO3AWnHVbC5ftrd wTAQ==
X-Forwarded-Encrypted: i=1; AJvYcCUlx/GZJXxbFXRKN73PvgYYVy5zqF9wknRv+yqant/tPBIRf6clR4XxdFR/GwwqfrrPXTNgcJr6/MsMPCM=
X-Gm-Message-State: AOJu0Yx0oJe4XrReBYNazuEkPTUO5KZq5eoXoZZ2ROgv4th4yLpN6zVI SYWnECDoyDP9kgjEgMoJcQTnUEa2c79PUwXGuW85xUCbk1m44DTQGhf1ohGjaksvfW1ofxngaQi a9P/oVCGYBN7IxJR6W9h4al2/o3JyMYWwvO4ohA==
X-Google-Smtp-Source: AGHT+IEVolbOXTkiC8qVAMbuBrzGyahTjfTSmdkKpU+zMrt/hfTD22LAos2Sf6asKMPYReEmxd2FlVrYoGIOXCthv3s=
X-Received: by 2002:a17:90a:8c89:b0:29b:242d:b123 with SMTP id b9-20020a17090a8c8900b0029b242db123mr13785823pjo.33.1709785804821; Wed, 06 Mar 2024 20:30:04 -0800 (PST)
MIME-Version: 1.0
References: <CAFR824wL3sZKoD6OzVpOi8=HZ+aFjqVi4L8UsF8b0p18KOEqVA@mail.gmail.com> <CAMjbhoWKke7Z41zi6tTqqpW=XFB8cgW6VfwrTECtw2tcdJPpMA@mail.gmail.com>
In-Reply-To: <CAMjbhoWKke7Z41zi6tTqqpW=XFB8cgW6VfwrTECtw2tcdJPpMA@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 06 Mar 2024 22:29:53 -0600
Message-ID: <CAN8C-_Lk3+AkOephbUJvjnAEtHUzZkjb3=2Qqpzn9GA-gqJSXA@mail.gmail.com>
To: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
Cc: Deirdre Connolly <durumcrustulum@gmail.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000089f29506130a877c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5MHkVqPkuW0sWB3rxTZKTHNYk28>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2024 04:30:10 -0000

Does the argument about hybrid code points first generalize to all PQ Code
points?

Is it equally true of hybrid signatures?

I don't understand why registering composite components first wouldn't be
assumed.

Isn't support for the component mandatory to support the hybrid anyway?

Let's assume CRQC drops tomorrow, why did we not register ML-KEM first?

Assume it never drops, you still needed to implement ML-KEM to use the
hybrid.

If the goal is to prohibit ML-KEM without a traditional component, just
register it as prohibited.

OS

On Wed, Mar 6, 2024, 10:10 PM Bas Westerbaan <bas=
40cloudflare.com@dmarc.ietf.org> wrote:

> Back to the topic at hand. I think it'd very bad if we'd have a codepoint
> for pure ML-KEM before we have a codepoint for an ML-KEM hybrid. Process
> wise, I think that's up to the designated experts of the IANA registry.
>
> Best,
>
>  Bas
>
>
> On Wed, Mar 6, 2024 at 3:16 AM Deirdre Connolly <durumcrustulum@gmail.com>
> wrote:
>
>> I have uploaded a preliminary version of ML-KEM for TLS 1.3
>> <https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/>
>> and have a more fleshed out
>> <https://github.com/dconnolly/draft-tls-mlkem-key-agreement> version to
>> be uploaded when datatracker opens. It is a straightforward new
>> `NamedGroup` to support key agreement via ML-KEM-768 or ML-KEM-1024, in a
>> very similar style to -hybrid-design
>> <https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/>.
>>
>> It will be nice to have pure-PQ options (that are FIPS / CNSA 2.0
>> compatible) ready to go when users are ready to use them.
>>
>> Cheers,
>> Deirdre
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email