IETF Logo Mail Archive

Re: [TLS] A suggestion for handling large key shares

tirumal reddy <kondtir@gmail.com> Tue, 19 March 2024 06:14 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F362C14F6B8 for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 23:14:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id caVX4oB91HK9 for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 23:14:51 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3AC0C14F682 for <tls@ietf.org>; Mon, 18 Mar 2024 23:14:51 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2d480338206so9508581fa.0 for <tls@ietf.org>; Mon, 18 Mar 2024 23:14:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710828890; x=1711433690; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3zrlBzaEWxetrl8+UJGBm8Bh7KcQOYA9NaF64mP2uDw=; b=Sh55UH8ZydLbLoRi6sh6DanksQaSwcPUPpkXoDycgwUr72p3H03cMoKbLfUtOmwHM+ gvm+CKWtdYKT1t/FreczBFsFtnlR+oc7LGw9gubI2DuuCJDGEimmSH+0YdN7bshRCqzc /uH3HvqKW4h7x8veJO6sYoUU80/t153DG4dZz4PcUSr/3S4AxsaZp2LY7Hrezb2U/ycM 9K/zkkVDbBXvmAwp/k29ir3MTNE52oFBvkf7dfhSXcwfJYutVCw4nTav1f4FXs9hegmm VUJYB/ZH9+/y2mLE/AudL09pbCHj+yHLAgQNSzUObG0gEf9aCPweUl//28UXuk4kFYVB T9lA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710828890; x=1711433690; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3zrlBzaEWxetrl8+UJGBm8Bh7KcQOYA9NaF64mP2uDw=; b=cQBNssGNbeA3rhw2DJsnQwJ6Uojsx3obyM0B5uMg+A8sa4747g35/vQqSWPbROIENc gN5Iib4AhsZxff1i6pglDn2C4ohs+V7NTRwLdsHAlAvjy8WPxEl12hxrBM+ErhmrgKAx BOOnYeruW8OVi1KJK4hVxAN4hQ744obzm5SnUncMR+wVPAh1RnMzgxU2uTUDAgAk4IKN uzzjqymJ81bG4CtTsTluxcwwWRoVf7quPojeVQWxQXwHfX9U5OxH7TFS4nIBiaEF7c8Q P8RCzdXKqjkK62ecd2GISyYEo4LtFTgRZeYx+9H8T09udghr/Ka+vNjEeLAkcE4NxSQb RdyA==
X-Forwarded-Encrypted: i=1; AJvYcCVymQazm2CU1PAIgWr6yKxzcGhFTyVDYFFJPuhosBIasT7h52TN4t00OUUe39hGw67yXXHjmlKbSoVMg/I=
X-Gm-Message-State: AOJu0Yx9fddUYtPum+Tl1fHSzoJNOVNlfc/skyhZpHLnMZpbAc6gslF2 ib9blaDF1FeMjzibXO3WKvViKhqzbS0Ps48ouAcHqP5wO0u3r2xftWtKjFEeu2ULGvn0FuOtgVw qSQPAWtKsRk8FHHoaqlrvXhVAMPA=
X-Google-Smtp-Source: AGHT+IFeG7nK/sOn/HeZxme/6e6URztlm78lgk9NQmd/VhBPV1fqeppuf2nfgValutX2dTeQxXjuwwXAcnxrd7GOCnQ=
X-Received: by 2002:a2e:8514:0:b0:2d4:4b6c:3312 with SMTP id j20-20020a2e8514000000b002d44b6c3312mr802779lji.2.1710828889277; Mon, 18 Mar 2024 23:14:49 -0700 (PDT)
MIME-Version: 1.0
References: <CH0PR11MB544488B051C041EB32541AB6C12C2@CH0PR11MB5444.namprd11.prod.outlook.com> <CAF8qwaDmYMprxW4aYCiEEWKAw04xoSEZU=6fXCHqOcqjnhG6_w@mail.gmail.com>
In-Reply-To: <CAF8qwaDmYMprxW4aYCiEEWKAw04xoSEZU=6fXCHqOcqjnhG6_w@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 19 Mar 2024 16:14:12 +1000
Message-ID: <CAFpG3geoSdEw+1vPsJgnwcWCj0ULjLAihtkQ0TxBKn6SjdW+yw@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000378f8d0613fd64dc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7iAGbFzqrQWesvTTikg5diEMb8E>
Subject: Re: [TLS] A suggestion for handling large key shares
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2024 06:14:55 -0000

On Tue, 19 Mar 2024 at 15:27, David Benjamin <davidben@chromium.org> wrote:

> > If the server supports P256+ML-KEM, what Matt suggested is that, instead
> of accepting P256, it instead a ClientHelloRetry with P256+ML_KEM.  We then
> continue as expected and end up negotiating things in 2 round trips.
>
> I assume ClientHelloRetry was meant to be HelloRetryRequest? If so, yeah,
> a server which aims to prefer P256+ML-KEM over P256 should, well, prefer
> P256+ML-KEM over P256. :-) See the discussions around
> draft-davidben-tls-key-share-prediction. In particular, RFC 8446 is clear
> on the semantics of such a ClientHello:
>
>    This vector MAY be empty if the client is requesting a
>    HelloRetryRequest.  Each KeyShareEntry value MUST correspond to a
>    group offered in the "supported_groups" extension and MUST appear in
>    the same order.  However, the values MAY be a non-contiguous subset
>    of the "supported_groups" extension and MAY omit the most preferred
>    groups.  Such a situation could arise if the most preferred groups
>    are new and unlikely to be supported in enough places to make
>    pregenerating key shares for them efficient.
>
> rfc8446bis contains further clarifications:
> https://github.com/tlswg/tls13-spec/pull/1331
>
> Now, some servers (namely OpenSSL) will instead unconditionally select
> from key_share first. This isn't wrong, per se. It is how you implement a
> server which believes all of its supported groups are of comparable
> security level and therefore prioritizes round trips. Such a policy is
> plausible when you only support, say, ECDH curves. It's not so reasonable
> if you support both ECDH and a PQ KEM. But all the spec text for that is in
> place, so all that is left is that folks keep this in mind when adding PQ
> KEMs to a TLS implementation. A TLS stack that always looks at key_share
> first is not PQ-ready and will need some changes before adopting PQ KEMs.
>
> Regarding the other half of this:
>
> > Suppose we have a client that supports both P-256 and P256+ML-KEM.  What
> the client does is send a key share for P-256, and also indicate support
> for P256+ML-KEM.  Because we’re including only the P256 key share, the
> client hello is short
>
> I don't think this is a good tradeoff and would oppose such a SHOULD here.
> PQ KEMs are expensive as they are. Adding a round-trip to it will only make
> it worse. Given the aim is to migrate the TLS ecosystem to PQ, penalizing
> the desired state doesn't make sense. Accordingly, Chrome's Kyber
> deployment includes X25519Kyber768 in the initial ClientHello. While this
> does mean paying an unfortunate upfront cost, this alternative would
> instead disincentivize servers from deploying post-quantum protections.
>
> If you're interested in avoiding the upfront cost, see
> draft-davidben-tls-key-share-prediction-01. That provides a mechanism for
> clients to predict more accurately, though it's yet to even be adopted, so
> it's a bit early to rely on that one. Note also the Security Considerations
> section, which further depends on the server expectations above.
>

The scenario of handling large key sizes is disussed in
https://www.ietf.org/archive/id/draft-reddy-uta-pqc-app-02.html#section-4

-Tiru


>
> David
>
> On Tue, Mar 19, 2024 at 2:47 PM Scott Fluhrer (sfluhrer) <sfluhrer=
> 40cisco.com@dmarc.ietf.org> wrote:
>
>> Recently, Matt Campagna emailed the hybrid KEM group (Douglas, Shay and
>> me) about a suggestion about one way to potentially improve the performance
>> (in the ‘the server hasn’t upgraded yet’ case), and asked if we should add
>> that suggestion to our draft.  It occurs to me that this suggestion is
>> equally applicable to the pure ML-KEM draft (and future PQ drafts as well);
>> hence putting it in our draft might not be the right spot.
>>
>>
>>
>> Here’s the core idea (Matt’s original scenario was more complicated):
>>
>>
>>
>>    - Suppose we have a client that supports both P-256 and P256+ML-KEM.
>>    What the client does is send a key share for P-256, and also indicate
>>    support for P256+ML-KEM.  Because we’re including only the P256 key share,
>>    the client hello is short
>>    - If the server supports only P256, it accepts it, and life goes on
>>    as normal.
>>    - If the server supports P256+ML-KEM, what Matt suggested is that,
>>    instead of accepting P256, it instead a ClientHelloRetry with P256+ML_KEM.
>>    We then continue as expected and end up negotiating things in 2 round trips.
>>
>>
>>
>> Hence, the non-upgraded scenario has no performance hit; the upgraded
>> scenario does (because of the second round trip), but we’re transmitting
>> more data anyways (and the client could, if it communicates with the server
>> again, lead off with the proposal that was accepted last time).
>>
>>
>>
>> Matt’s suggestion was that this should be a SHOULD in our draft.
>>
>>
>>
>> My questions to you: a) do you agree with this suggestion, and b) if so,
>> where should this SHOULD live?  Should it be in our draft?  The ML-KEM
>> draft as well (assuming there is one, and it’s not just a codepoint
>> assignment)?  Another RFC about how to handle large key shares in general
>> (sounds like overkill to me, unless we have other things to put in that
>> RFC)?
>>
>>
>>
>> Thank you.
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email