Re: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt

Watson Ladd <> Wed, 14 July 2021 04:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 477903A0C7B for <>; Tue, 13 Jul 2021 21:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4f3WmfUVxwON for <>; Tue, 13 Jul 2021 21:39:27 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1D6FE3A0C6F for <>; Tue, 13 Jul 2021 21:39:26 -0700 (PDT)
Received: by with SMTP id ec55so1321928edb.1 for <>; Tue, 13 Jul 2021 21:39:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MxvIJikcs5Dk1b5+aQQa59Oq9Q50Sbc7B87An3ThBhs=; b=D9Keo59361tMTe8Fx9OPpdKH/2iUGLAmsZB8GQfF46fU/XuSQy5Nch9y0ukJCBfkap 6APx9i56ERAr9NFJdyGkGguTWh/h0Us5Aka/YsiuobJJODEA2zB1Fi0hAeyATgZgVgIP 8c8cFZS7Ns/C7jht6AQbNVT9nso28W7WpKBftPUXB/M4mT+XQVDxFQgMpogfwtdb2VbZ 5485FPCaoEjgoVQ5T5awet4skZ7+oxk4p8/itFnhWoKznBopVx8QxcLdKEgRRezIqDua Fptg6J6+Gvu4vsvq5x4x9ZN0uqQ/cbMOLrwcZeORwci0aspB7N+usTvmZ5dWMQWmXPxN wFPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MxvIJikcs5Dk1b5+aQQa59Oq9Q50Sbc7B87An3ThBhs=; b=GLUs9QbdhRFlhM3Afibw+y32ItadNuCIw9CFNdT5beeMC4zzEkbl+RHNBXmzQRxjql JRkFSteGpYN1doSt5mVraFtSCvUMM9tEZnvaqUoao9md6HFAWVEw9QZ7WKpccGj4CjfR Fhu7hb+WYYXIeg15HX2CL/mrAWBZ5povdrIPedNjyCN9BlZOYzAvaHTC0StKlcS3+yA/ sANKc4dkOtUsFZ6pxAx2V/sAWgAf3+nHKhSI7mCNvFou5Gy+PA4ld53S28fjz/nB0LLW pt/+JaDudaFNMzBxWQ7nrI2FlAFqVQSkNp7aUDUiQrK+McwhuaNq6RbQIt2QsUdpWm9q 6S8g==
X-Gm-Message-State: AOAM533kR19o+oCdPTbwMQ/zUXJ+GAQENFKn9CgRAuWhXItFzOzJNor7 JPYht4H7qP3FtOcm1hTBJTpNdoAQp/qRajX8VTizgqM/GtA=
X-Google-Smtp-Source: ABdhPJxBhf1w3qdN1mUNKcs/+K5nUQ6rMnhBNX4Sy08p00rRQjOJevE6ODkGVJsW1W8GkNb+hJMbhWv+O0/1l0N+hOA=
X-Received: by 2002:a05:6402:11cd:: with SMTP id j13mr10576395edw.154.1626237564277; Tue, 13 Jul 2021 21:39:24 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Watson Ladd <>
Date: Tue, 13 Jul 2021 21:39:12 -0700
Message-ID: <>
To: "Kampanakis, Panos" <>
Cc: Eric Rescorla <>, "<>" <>
Content-Type: multipart/alternative; boundary="00000000000056dc5a05c70df011"
Archived-At: <>
Subject: Re: [TLS] Comments on draft-celi-wiggers-tls-authkem-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Jul 2021 04:39:33 -0000

On Mon, Jul 12, 2021 at 9:10 PM Kampanakis, Panos <kpanos=> wrote:

> > So, while I'm not that enthusiastic about paying a few K, I think on
> balance it's a better than doing this kind of major rearchitecture of TLS.
> +1. KEMTLS is a great scheme but significantly changes the TLS state
> machine. It introduces implicit and explicit auth concepts which do not
> exist in TLS 1.3 and would need further security proofs and study. Also, it
> may save ~1-2KB of data (Falcon, Dilithium assumed), but still uses PQ Sigs
> in the PKI which means we go to 10+ KB for the cert chain. So we alleviate
> 1-2KB, but still have to deal with 10+. Also note which
> makes the argument that the more the data the more the slowdown in lossy
> environments (which intuitively makes sense as the loss probability (1-(1-p)
> n) increases with more packets). Imo the draft-celi-wiggers-tls-authkem
> should be considered for future versions of TLS as the drastic changes do
> not justify the marginal benefit.

Part of what came out of the work on TLS 1.3 is a reusable formal model of
TLS, and at least some of the work in KEMTLS has repeated this formal

> And a couple of comments regarding Ekr’s points:
> > - If you are doing TLS over TCP, then the server can use IW10 as
> specified in RFC 6928. This will allow the server's first flight to be
> about 14 KB, which should be large enough.
> That is not completely accurate. The smallest Dilithium parameters will
> fit in 10MSS only when doing plain TLS (no SCTs, no OCSP staples) with up
> to 2 ICAs. Anything else will go beyond 14KB. Now if we talk web (include
> SCTs), then only 1 ICA would fit with Dilithium-II.
> Having said that, if we talk about the other lattice based NIST PQ Sig
> Finalist, Falcon-512, then there are more TLS cases (up to 3 ICAs) where
> the data would fit in an TCP initcwnd.  For Falcon-1024 that is not the
> case either.
> > - If you are doing QUIC, then the server is restricted to 3x the
> client's initial message, which is potentially a problem with very large
> server first flights, but the client can add extra bytes to its Initial
> messages to increase the limit [0]
> Padding to the client initial message to 1200B would mean the QUIC
> amplification attack protection would kick in for any PQ KEM Round 3
> Finalist and any PQ Sig Finalist, even Falcon-512 which is the smallest
> one. The smallest PQ Sig will still be >3x when used with X25519+the
> biggest PQ KEM Finalists. I am not sure what dummy key exchange data and
> how much of it someone could put in the client message in order to reach
> 2.5KB in the request in order for the response to fit in the 3x2.5 window
> necessary (assuming 2 ICAs).

SQISign is short! It's just slow to sign, which KEMTLS avoids. Also with a
known set of intermediates the public keys do not need transmission, and
the tradeoffs between signature, public key, verification, and signing
speed further shift. One could conceivably use XMSS roots to sign SQISign
intermediates of moderate duration signing FALCON or Dilthium KEM keys,
balancing security and performance at each level. I think this fits in 14KB
with realistic conditions. We shouldn't assume that NIST candidate
signature schemes are the last word here.

I think the best answer to the extra round-trip problems which are
> inevitable for PQ Sigs (as shown in ,
> <>doi
> <>/10.1145/3386367.3431305
> <>) is Martin’s draft-
> <>thomson
> <>-
> <>tls
> <>-sic
> <> which
> should be revived imo.
> Cert compression will not help as these big certs mostly consist of big
> keys or sigs which are random sequences and thus do not benefit from
> compression.

In some sense draft-thompson-tls-sic is compression with a dictionary of
known intermediates.

> Rgs,
> Panos

Watson Ladd
Astra mortemque praestare gradatim