Re: [TLS] PQC key exchange sizes
Sofía Celi <cherenkov@riseup.net> Wed, 27 July 2022 22:22 UTC
Return-Path: <cherenkov@riseup.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39A5AC14F726 for <tls@ietfa.amsl.com>; Wed, 27 Jul 2022 15:22:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.11
X-Spam-Level:
X-Spam-Status: No, score=-7.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=riseup.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rji0Y1PXXRf for <tls@ietfa.amsl.com>; Wed, 27 Jul 2022 15:22:51 -0700 (PDT)
Received: from mx0.riseup.net (mx0.riseup.net [198.252.153.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AC78C14792E for <tls@ietf.org>; Wed, 27 Jul 2022 15:22:49 -0700 (PDT)
Received: from fews2.riseup.net (fews2-pn.riseup.net [10.0.1.84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mail.riseup.net", Issuer "R3" (not verified)) by mx0.riseup.net (Postfix) with ESMTPS id 4LtSvs38S6z9s1V for <tls@ietf.org>; Wed, 27 Jul 2022 22:22:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1658960569; bh=Inppenq4G+ZYKrRbro2SuTNkq3IJvYQJO9QjxXQACEs=; h=Date:Subject:To:References:From:In-Reply-To:From; b=JKmMwilHq6l02iLcELwe+VByAOtawNGbMV0qaipDiE9t0cuJo+3AgTogYo2KGijlG JopCWp5MgtaaUddhimbLOaRyq+rS1x58Y5BqA4MjQkk1XrKkui8Yq0OnX9QFjHIf69 YhGRAGOyNBKka+a73vf4K9A/PAIH8c0P8fFrQKEs=
X-Riseup-User-ID: EFCA408A3D9F879C985DF909ED60FD575BA024F9948004A784BBDEC8F14D6642
Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews2.riseup.net (Postfix) with ESMTPSA id 4LtSvs08blz1yWZ for <tls@ietf.org>; Wed, 27 Jul 2022 22:22:48 +0000 (UTC)
Message-ID: <acc49e75-50be-3048-b911-d0185445bc74@riseup.net>
Date: Wed, 27 Jul 2022 23:22:47 +0100
MIME-Version: 1.0
To: tls@ietf.org
References: <CABzBS7nsbEhR-bmHG_ViSJFSH-0_5p0O3vKndS4+wFR=iGQzhw@mail.gmail.com> <YuABORXSaes9Wqwo@LK-Perkele-VII2.locald> <a643450d5fdb40cf8af3f5b96cdbd922@amazon.com> <YuFOm9bUWkPBOBw3@LK-Perkele-VII2.locald> <0bebb6b80caa4ad6804b94bb74959675@amazon.com> <CAMjbhoVALmeJPokkFvVe2R3ePCc82MzzQf0P=nL0FxnWM8DfZQ@mail.gmail.com> <CAChr6SxnJ2oDk3YRZ+LmLn2=gwVhqWjRgPWOmQDyDN63LyNvNA@mail.gmail.com>
From: Sofía Celi <cherenkov@riseup.net>
In-Reply-To: <CAChr6SxnJ2oDk3YRZ+LmLn2=gwVhqWjRgPWOmQDyDN63LyNvNA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9DdoKoxgpOaMmU_WCAJLQ439y-U>
Subject: Re: [TLS] PQC key exchange sizes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2022 22:22:55 -0000
Dear, all, I wrote some of the open challenges of putting post-quantum cryptography into protocols over here: https://sofiaceli.com/thoughts/Taxonomy.pdf The document is very open ended atm but the idea is to develop into a list of concrete problems. As I mentioned on our talk at the TLS WG meeting, I am planning a next instation of this workshop for around November to precesily talk about these challenges (the website is not yet updated as some people have asked ;)): https://sofiaceli.com/PQNet-Workshop/ I'll send a reminder to this list once there is more information about it. Thank you, On 27/07/2022 21:54, Rob Sayre wrote: > Hi, > > There's also data from the old Chrome/Cloudflare experiment, in the > discussion section: > https://blog.cloudflare.com/the-tls-post-quantum-experiment/ > <https://blog.cloudflare.com/the-tls-post-quantum-experiment/> > > I /think/ the discussion says that sending handshake messages somewhat > above the MTU didn't matter much, except on the slowest connections. > They do hesitate to settle on a reason for that. > > As for compatibility in general, it seems premature to worry about. If > an implementation adds PQC support, and finds it doesn't work for > underlying fragmentation reasons, they'll surely have to fix that too. > > thanks, > Rob > > > On Wed, Jul 27, 2022 at 12:06 PM Bas Westerbaan > <bas=40cloudflare.com@dmarc.ietf.org > <mailto:40cloudflare.com@dmarc.ietf.org>> wrote: > > On the QUIC side, there is the "*Q*uantum Ready" interop test: > > https://docs.google.com/spreadsheets/d/1D0tW89vOoaScs3IY9RGC0UesWGAwE6xyLk0l4JtvTVg/edit#gid=438405370 > <https://docs.google.com/spreadsheets/d/1D0tW89vOoaScs3IY9RGC0UesWGAwE6xyLk0l4JtvTVg/edit#gid=438405370> > > > > On Wed, Jul 27, 2022 at 8:57 PM Kampanakis, Panos > <kpanos=40amazon.com@dmarc.ietf.org > <mailto:40amazon.com@dmarc.ietf.org>> wrote: > > Gotcha. This is a reasonable explanation for a potential > problem, but I would also like to see experimental proof that > DTLS implementation X, Y, Z have the problem. TLS > implementations don't deal with big ClientHellos today so we > could assume they would have a problem, but when tested they do > OK for the most part. > > > -----Original Message----- > From: TLS <tls-bounces@ietf.org <mailto:tls-bounces@ietf.org>> > On Behalf Of Ilari Liusvaara > Sent: Wednesday, July 27, 2022 10:42 AM > To: <tls@ietf.org <mailto:tls@ietf.org>> <tls@ietf.org > <mailto:tls@ietf.org>> > Subject: RE: [EXTERNAL][TLS] PQC key exchange sizes > > CAUTION: This email originated from outside of the organization. > Do not click links or open attachments unless you can confirm > the sender and know the content is safe. > > > > On Wed, Jul 27, 2022 at 02:27:12AM +0000, Kampanakis, Panos wrote: > > Hi Ilari, > > > > > - DTLS-level fragmentation. There are buggy implementations > that > > > break if one tries this. > > > > DTLS servers have been fragmenting and sending cert chains > that don’t > > fit in the MTU for a long time. Is this buggy on the TLS > client side? > > These problems are specific to fragmenting Client Hello. > Handling fragmented DTLS Client Hello is different from handling > fragmented DTLS Certificate (and even more so in DTLS 1.3). I > think DTLS specification just pretends both cases are the same. > They are not. > > > QUIC implementations could have similar issues with multiple > initial packets, but operating QUIC with fast > failure-independent fallback would make failures soft. > > > There is the general principle that if some protocol feature is > not used in the wild, it tends to break, even if required part > of the protocol. Either by implementation being poorly tested > and buggy, assuming the feature does not exist, or being missing > entierely. > Combine this with interop failures having outsize impact and old > versions sticking around far longer than desriable. And I do not > think fragmented Client Hellos in DTLS or multiple initials in > QUIC are seen much. > > > One trick with DTLS would be sending client hello with no key > shares. Causes extra round-trip, but any server that selects PQC > causing fragmentation would presumably be capable of handling that. > > > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls > <https://www.ietf.org/mailman/listinfo/tls> > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls > <https://www.ietf.org/mailman/listinfo/tls> > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls > <https://www.ietf.org/mailman/listinfo/tls> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- Sofía Celi @claucece Cryptographic research and implementation at many places, specially Brave. Chair of hprc at IRTF and anti-fraud at W3C. Reach me out at: cherenkov@riseup.net Website: https://sofiaceli.com/ 3D0B D6E9 4D51 FBC2 CEF7 F004 C835 5EB9 42BF A1D6
- [TLS] PQC key exchange sizes Thom Wiggers
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Stephen Farrell
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Martin Thomson
- Re: [TLS] PQC key exchange sizes Ilari Liusvaara
- Re: [TLS] PQC key exchange sizes Kampanakis, Panos
- Re: [TLS] PQC key exchange sizes Bas Westerbaan
- Re: [TLS] PQC key exchange sizes Rob Sayre
- Re: [TLS] PQC key exchange sizes Sofía Celi
- [TLS] Before we PQC... Re: PQC key exchange sizes Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Benjamin Kaduk
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Ilari Liusvaara
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Peter Gutmann
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Bas Westerbaan
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Sofía Celi
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Phillip Hallam-Baker
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Scott Fluhrer (sfluhrer)
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Stephen Farrell
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Robert Relyea
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Rob Sayre
- Re: [TLS] Before we PQC... Re: PQC key exchange s… Thom Wiggers