IETF Logo Mail Archive

Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?

John Mattsson <john.mattsson@ericsson.com> Wed, 08 November 2023 06:23 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81885C1B0306 for <tls@ietfa.amsl.com>; Tue, 7 Nov 2023 22:23:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b9-E0wpQA8lM for <tls@ietfa.amsl.com>; Tue, 7 Nov 2023 22:23:07 -0800 (PST)
Received: from EUR03-AM7-obe.outbound.protection.outlook.com (mail-am7eur03on2081.outbound.protection.outlook.com [40.107.105.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDE42C1B0328 for <tls@ietf.org>; Tue, 7 Nov 2023 22:23:06 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U65l1Jf/zcvviBhps77ciBaaTqv1r8aHkPsw1HM49RRDXv+2dpmVLM8I59QGPbjKQA4PI3FdtqYo+gP+JiZTbc8b+T6Q24eVL2WYfxgtX87/HIVrNAgASEB0mzApyH18aRTgF7Oqgm47fjP8W5k+tXDDJMVGBOUqo34J9rJdL7zMoWJN0Ex0lAQU8KW+wtKxEvvsRacqgWZI1mGNdLCNArYPxzk+b/05PP3SqklTUGL4CSSuyBWgMeNAM+KHN4/ExwLG9VHsjzBa7nfTaqV5j90orBfyJwRgKXxo+rq03DTPcK4KCAWUyrgY2m41H+MrfNZCu7gLWNqBJZXKpuQgQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=W8TtzeEgFp/TcT4wVqU/T3JTsfCD8bDR1XN6bfQjGH8=; b=k+BP9XGkLX4QIz/MJZOVyYh64vPdtTeUNocW8i/sgxjuEXlo9PEk2MRPdIjaVzSBX6hqt7tgiyzebbOomK2jF1TWasgshM6trhImLO2wigrDWC6UGtFLKgzzn6nmBkKDD37ffFJlYU6QDPq7VMlH4XZaqIY519/M5Q/FiIWwNpduXw+m8rUIW4Ie5vZcGwPsSDe9r7PifjrmM25RqP9oj7hMlw59vwpLxfoo24TNtVdxqfmMbjMQOT8ovOW9vWTO2Mc+VSB8XKBZFMaG2vlvrxHNsv2IAboG8yRqJTN5bkS4rOGvHWU8RqhpscJWYGRrQL0etZiK2flPJa84I9A7MQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=W8TtzeEgFp/TcT4wVqU/T3JTsfCD8bDR1XN6bfQjGH8=; b=PMbrJwmaHcJmstcc61GtXsG1MRnCPeMvxxtP7LhuqEQWYaxE32QPhUXlWCAl6qVaAljtg+ZfZMue4lJS3yZZbXoL7hoQAWMbitW1vkRaPyFNBLHHcEOwsvGsSo85xs+8Qvh1PAognaGCV0W2QMkSNYHigyiDYflU38AAImO16l9aOofWmj5IPqYChqlo28/eqqHP37CsmEpXFNFSJqZ4fdaZ6D/ZEHEAMPuSexWrl806QOJ1wR3MWX6e+4qIbxhuGRjMubMuv3V4KmXIAt4etL42egtm7dJFox6958lsZGgTb4N1I/VwH70Y/PvckXKExSOBIakL0lGT32TMve7wQw==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by PR3PR07MB6684.eurprd07.prod.outlook.com (2603:10a6:102:2f::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.28; Wed, 8 Nov 2023 06:23:02 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::5b7e:93e:145a:7cbb]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::5b7e:93e:145a:7cbb%2]) with mapi id 15.20.6954.029; Wed, 8 Nov 2023 06:23:02 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
CC: "TLS@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
Thread-Index: AQHaEJDz6/DbjxAcXU+Uz3jNUE3libBtKhWAgALMaEI=
Date: Wed, 08 Nov 2023 06:23:02 +0000
Message-ID: <GVXPR07MB967891A38CA61008DD45F4E189A8A@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <169413407847.21904.934194480456263049@ietfa.amsl.com> <GVXPR07MB96787EDDFD97A9E32AC6226389AAA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CAMjbhoV8SnNLjQt0q15boAXxWYkmPy8v-8aCqW4kvdtE89-gtw@mail.gmail.com>
In-Reply-To: <CAMjbhoV8SnNLjQt0q15boAXxWYkmPy8v-8aCqW4kvdtE89-gtw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|PR3PR07MB6684:EE_
x-ms-office365-filtering-correlation-id: de301db9-d25e-4c95-2ebf-08dbe0232971
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: RqUaZqxNV+B72e0/4W/BTQtMEbzaNTF69N5C4sNmRVIJtciVpKDdqb1WV++idcD+uihGOlyPWXEyXoSnq5W5b4bsnI/cuNWDulV66fRlTLQDsOVRzJCjocgPKwFNf+Irx+/5+wHU5j/8j6og0ZsYUu9ApBd2dZtq9JvdDCPhfwiBida/RfE2Sn5aewQdYfo/v3kXJv7hMX3+IqzXAkQMJgH1GdKR33CUMcEOUmyGRIR73w63QRs+J++BqwSw3dFQnGF/z9wd+li//Q1HJweF8/pNAn+f4JIuAO8vVVXfcU5FPEjmfaVD0AOijdDnGtJD+AST33Nof11RVrFL3NDJ1qqgUBlONKNQ3CevkeabY0Z2lJyu/XYUkR1UsQpcVr4Dj7udh5KRwCGQ3J+ARsTJNWo000IcQoMBIiFXSO00EnoqQD2KzwBO+852why9cWUk98ySVYx6mAP1HHVT3z0hCNw+a67FJ0U6ha7TUPh7GKlE8GAesGsZ86N5grkTDjv/wAlhVb72iEiCJlBo6qWe6r3tWhsKj0ldkdD+yW0QEiODHENy2UfLCLt26wgclchh8y2kXUt2oeBvgTiW1behjrbMnsniIq9PIgYMtrw6QdeU5FoqoeAWY+REvPp2WD6C+mVa0RhpgSu0rafuGNYtPdxoBtM9CaT+QZYYGB7Y21zl5zGaQ1qQOyv0ZAIyv7j3
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(366004)(376002)(346002)(396003)(136003)(230922051799003)(451199024)(186009)(1800799009)(64100799003)(66574015)(44832011)(66899024)(55016003)(9686003)(53546011)(6506007)(966005)(71200400001)(7696005)(83380400001)(33656002)(122000001)(166002)(478600001)(82960400001)(38100700002)(86362001)(316002)(76116006)(4326008)(66946007)(41300700001)(21615005)(66476007)(66556008)(64756008)(66446008)(5660300002)(2906002)(26005)(38070700009)(8676002)(8936002)(52536014); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Wx78P/Z8AclnhM+kz9lHfP3DwbRZEU5yOKHoKxDf8EHJL9DmqGvLzaj6C2u/nTzOoU3g/IWD0JEE2K6ZcezElPM6lZkfhuQvdUji+fBdCc+IvclSaTrbbuGcJSjB83ng4xCsOw8nfMgp861XWDycFKs6q+Y8n4P1mwK2xurk+tyjPV2n091GChv53DThiwYbBEjJ5wUvDOjYfQ75ox4J1OVl32dtCty6/ofJ/ifNX5JWv9zpdYEIaTusT+sEVJCBFmAoz75A7RNR++ozHyVQ3JpUzGyGgYwJ7pEz2acPTxP5kmWTrr2dwYWA7DXvjbnLknTsCsnUDhFaLrFdEqRWq+KIaCSdTzY609vsOyhEQSL75SLdi+b03BEcDhT5BZPhFz+xlHloljAX6V+UtKVKZ0OOLgCCXW+K5Rk3oCQ4uqOpHObzY4EpizEdkCAPgw1sFsAaUX2mMluO8fTadplMrUdHKbiTZb6D7UgP9RTTzpS+yNF27QxbYj6ft0rea0dB7CV4kTUhl2v8g5QO/u3+MmYDpuOjypAvlJCD9cerZWK8Ei7yp/iS5uKE66ytxt6vO4eSz66cpLLiDx13k8cqS3VJ5JUOGrAvsRaeGFaYO7saB7w853Tprl8sQO/mw9tciEU+DvUiuiu5iylCl1Kav+eTxaxpvKJWG5dOkeZP5WclUzcjSgt47xeWzVg8l1Irg/NI73TCJuMYKnHc2360eJf08ET5NnZLpCkRs9Ppv5ChR3cyPX9IufcpXHjsRlhbe3wqvedkuraC1lI67Jv7MttCzRBFHn3DzohkO0WwPuXnY2gF91kZhUjBqcfVo0xwP0vIWzhJuw1n6UnJJeR27822vN6qeTyBkkKYnA8ud8Eis83N3HoVij0jGNK50z4ZyWTZ7f83L3QF1W6iMFVWj/0zc10X722h7vaRE1W9TwkvJrOR8kMS3kQjQyf9ktRPFbco7pb7OSWw4EoiXvrLNIO67jn1QF5zKwHUr5fQUkP3AYofSsk3rHba3c/lhuc5MdyHzJYiElSAWjYl24TCl8NJWyKUTDf0twhO+seM/8YyISQWAycK2Q65VmTyTeyH4z11JCuXWwjZsH6Cdk3nOrRN3kLmEwCWpR9xO/KZtWZVwJ4lcQH2uN6lES6rf9kVx5zhKcbbKBDq2PZY6mJHcRTTc5Hrs4XEknmKpbS4vkwVe+CB/2TNsTAwT+0E9v1OXZjxHGxCEy0gEqQHYtS7IbMF+pkrJQEdvsWCpSYoCbWYU+yOk2coMpG9WhfRfe7MjYvkfI6Y0vKuRu6FmWaCF+My/lPUAO61/ci1MKDgUjy62TJZ7ABBBpKbqveFWa9/T4/q5vsNxjSJ++W7tQzWKpSQUNLSqnMidsa/2nuDNbO4rop97qxqRBCmJdalMVi4fxN2SZwRamjrXUYGCvtVDYSSn16g2H0++ISESCSD4qnescXmBu8Fjzc05XiunW6ifVTJHqtThuGDsQrwRk4K7yupPD3k5trTseELJ3gRRYnh+lUqDWdE08UptAOw8G1S8GBA+3NdPO8y5zyWxwC4Nk4bQ9k1EKeQ2vahnX9eqeAa3lCe+Uvb6IVERqEXcQgSL0Eiyc02fUef7ZViSnMCWt6FS5C3WII+Bws2YLbwLoU=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB967891A38CA61008DD45F4E189A8AGVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: de301db9-d25e-4c95-2ebf-08dbe0232971
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Nov 2023 06:23:02.6233 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: itVcJV3X2G/oSWSm3zj6bDOXhsyKfUm/ikxADd4oGhhxMM36dWEtQfAceu9R/ekmTTOEH11HvOmeEove93vYyp8YDD00K532QNO1e9NeEKk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3PR07MB6684
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6NR8D58ygaory2dIYsP8XAQKKFs>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2023 06:23:11 -0000

Hi Bas,

Thanks for adding some structure.

1. Do we want rfc describing the final NIST standards? And for which? I'm

ok with that — in this order of priority: ml-kem, ml-dsa, slh-dsa.

I would definitely want standard track RFCs for ML-KEM and ML-DSA. I think other standards using TLS (IETF and other SDOs like 3GPP) might be hesitant to commit to quantum-resistant TLS based on just code point. I don’t care much for early code points, for me the code points could actually wait until we have standard track RFCs. I

I think the use of major algorithms like ML-KEM and ML-DSA should be specified in standard track RFCs. There are also quite a lot of technical considerations here, TLS has never had any KEMs (a new thing is for example that the server cannot reuse its key share, which I think is a great privacy feature), TLS has never had hybrid algorithms, and the large sizes might need consideration as well. That said, I think the non-hybrid case is relatively simple.

I personally don’t see a strong need for SLH-DSA in TLS. I think the use case for that would mostly be root keys.


2. For which algorithms do we want to assign codepoints once the NIST

standards are out? Codepoints are cheap and use cases/rules are different,

but especially with the hybrids, I'd encourage us to try to be disciplined

and keep the list as short as we can for now, so that early adopters for

which it doesn't matter, all choose the same thing. The DNS mechanism

of draft-davidben-tls-key-share-prediction helps on the performance side,

but it doesn't solve the duplicate engineering/validation if there are a

dozen essentially equivalent KEMs.

I would like non-hybrid code points for all ML-KEM and ML-DSA algorithms NIST standardized. Very likely that will be ML-KEM-512, ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, and ML-DSA-87. I think that is a likely end state.

Any algorithms specified in the future would either be backup algorithms for cryptographic agility (BIKE, HQC), more conservative algorithms (FrodoKEM, Classic McEliece), or algorithms with smaller sizes (MAYO, SQISign). The trust in any algorithm with smaller sizes would likely be less than in ML-KEM and ML-DSA. I think ML-KEM and ML-DSA are here to stay.

I would strongly want ML-KEM-512 and ML-KEM-1024 in TLS. NIST’s current assesment is that the cost of breaking ML-KEM-512 is higher than the cost to break AES-128 (I agree with that) and UK government just stated that ML-KEM-512 is approved for UK government use. If I want performance, I would use ML-KEM-512. ML-KEM-1024 is absolutely needed for CNSA 2.0 compliance.

If hybrids are specified as single code points, I agree that we should keep the list relatively short. I agree with Bas that the P-curves are not needed. I would go for X25519 and X448 only.


3. Do we want to standardise non-hybrid KEMs for TLS? I don't care for them

yet, but others might.

I agree with Uri, absolutely yes. . I think ML-KEM and ML-DSA is a likely end state.

4. Do we need hybrid signatures for the TLS handshake? I don't see the use,
but could be convinced otherwise.

I don’t see the need for hybrid signatures in the TLS handshake. I can see the need in other use cases.

5. What is the future of AuthKEM? That's definitely a different e-mail
thread.

Yes. AuthKEM is definitly a different discussion (which I think is interesting to have). AuthKEM is a BIG change. It is not really “TLS 1.3” anymore… If such a mode is added I think that should probably be as part of TLS 1.4. And given that KEM keys require changes to certificate issuance, I think a SIGMA-I mode with signatures would still be needed.

Cheers,
John

From: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
Date: Monday, 6 November 2023 at 12:37
To: John Mattsson <john.mattsson@ericsson.com>
Cc: TLS@ietf.org <tls@ietf.org>
Subject: Re: [TLS] What is the TLS WG plan for quantum-resistant algorithms?
Thanks for bringing this up. There are a bunch of (implicit) questions in your e-mail.

1. Do we want rfc describing the final NIST standards? And for which? I'm ok with that — in this order of priority: ml-kem, ml-dsa, slh-dsa.

2. For which algorithms do we want to assign codepoints once the NIST standards are out? Codepoints are cheap and use cases/rules are different, but especially with the hybrids, I'd encourage us to try to be disciplined and keep the list as short as we can for now, so that early adopters for which it doesn't matter, all choose the same thing. The DNS mechanism of draft-davidben-tls-key-share-prediction helps on the performance side, but it doesn't solve the duplicate engineering/validation if there are a dozen essentially equivalent KEMs.

3. Do we want to standardise non-hybrid KEMs for TLS? I don't care for them yet, but others might.

4. Do we need hybrid signatures for the TLS handshake? I don't see the use, but could be convinced otherwise.

5. What is the future of AuthKEM? That's definitely a different e-mail thread.

Concretely, after ML-KEM is finished, I was planning to update draft-schwabe-cfrg-kyber to match it, and proposing to register a codepoint for a single ML-KEM-768 hybrid in draft-ietf-tls-hybrid-design.

Best,

 Bas


On Mon, Nov 6, 2023 at 10:10 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote:
Hi,

NIST has released draft standards for ML-KEM, ML-DSA, and ML-SLH. Final standards are expected in Q1 2024.
https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography

I would like to have standard track TLS (and DTLS, QUIC) RFCs for ML-KEM and ML-DSA (all security levels standardized by NIST) as soon as possible after the final NIST standards are ready. 3GPP is relying almost exclusively on IETF RFCs for uses of public key cryptography (the exception is ECIES for IMSI encryption but that will likely use HPKE with ML-KEM in the future).

Looking at the TLS document list, it seems severely lacking when it comes to ML-KEM, ML-DSA…

The adopted draft-ietf-tls-hybrid-design is an informal draft dealing with the pre-standard Kyber.
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
AuthKEM is a quite big change to TLS
https://datatracker.ietf.org/doc/draft-wiggers-tls-authkem-psk/

This is not adopted, informal, and dealing with the pre-standard Kyber.
https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/

What is the TLS WG plan for quantum-resistant algorithms? My current view is that I would like ML-KEM-512, ML-KEM-768, ML-KEM-1024, ML-DSA-44, ML-DSA-65, and ML-DSA-87 registered asap. For hybrid key exchange I think X25519 and X448 are the only options that make sense. For hybrid signing, ECDSA, EdDSA, and RSA could all make sense.

Cheers,
John

From: TLS <tls-bounces@ietf.org<mailto:tls-bounces@ietf.org>> on behalf of internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Date: Friday, 8 September 2023 at 02:48
To: i-d-announce@ietf.org<mailto:i-d-announce@ietf.org> <i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>>
Cc: tls@ietf.org<mailto:tls@ietf.org> <tls@ietf.org<mailto:tls@ietf.org>>
Subject: [TLS] I-D Action: draft-ietf-tls-hybrid-design-09.txt
Internet-Draft draft-ietf-tls-hybrid-design-09.txt is now available. It is a
work item of the Transport Layer Security (TLS) WG of the IETF.

   Title:   Hybrid key exchange in TLS 1.3
   Authors: Douglas Stebila
            Scott Fluhrer
            Shay Gueron
   Name:    draft-ietf-tls-hybrid-design-09.txt
   Pages:   23
   Dates:   2023-09-07

Abstract:

   Hybrid key exchange refers to using multiple key exchange algorithms
   simultaneously and combining the result with the goal of providing
   security even if all but one of the component algorithms is broken.
   It is motivated by transition to post-quantum cryptography.  This
   document provides a construction for hybrid key exchange in the
   Transport Layer Security (TLS) protocol version 1.3.

   Discussion of this work is encouraged to happen on the TLS IETF
   mailing list tls@ietf.org<mailto:tls@ietf.org> or on the GitHub repository which contains
   the draft: https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-c404f4af2592f2f4&q=1&e=367fabf2-370b-4cec-b657-05a8499decf6&u=https%3A%2F%2Fgithub.com%2Fdstebila%2Fdraft-ietf-tls-hybrid-design.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-09.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-hybrid-design-09

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email