[TLS] Re: I-D Action: draft-ietf-tls-hybrid-design-15.txt

Yaakov Stein <ystein@allot.com> Thu, 04 September 2025 06:38 UTC

From: Yaakov Stein <ystein@allot.com>
To: "tls@ietf.org" <tls@ietf.org>
Date: Thu, 04 Sep 2025 06:38:50 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9LFnTZaaTtFzugKO8EiT12Cl8pM>

Just a few notes on the latest version of the hybrid-design draft.

Section 1.2 introduces a very general definition of hybrid key exchange,
with traditional+PQC as merely one example.
This begs the question of what other possibilities there may be
(and of what, precisely, is meant by "different cryptographic assumptions" -
would RSA+ECC or ML-KEM+HQC be considered hybrids under this definition?).
I suggest giving an additional example, such as QKD+PQC (which is actually used in some circles).

I don't understand the rationale behind the terminology "next generation" in this document.
Next generation crypto need not be PQ.
If I come up with a completely new 1-way function, which has advantages over existing schemes
but is still a special case of the hidden subgroup problem,
then this is NG but not PQ.

Section 1.3 uses the term "retroactive decryption" which is usually (and in draft-ietf-pquip-pqc-engineers) called HNDL.
The term is fine, but the more usual one should at least be mentioned.

Section 1.5 introduces the key-share size issue as a sub-issue of latency,
but it could alternatively be considered a performance issue.
Or even better is an issue unto itself.
Actually, latency is determined by the computational complexity and the key sizes
and is thus not a separate issue at all.

Section 4 states "all defined parameter sets for ML-KEM [NIST-FIPS-203] have public
keys and ciphertexts that fall within the TLS constraints."
It is worthwhile mentioning that ML-KEM and its hybrids
can expand CHs that were previously a single packet into multiple packets,
and hence disrupt the functionality of middleboxes that make assumptions about CHs.

Y(J)S

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Wednesday, September 3, 2025 4:06 PM
To: i-d-announce@ietf.org
Cc: tls@ietf.org
Subject: [TLS] I-D Action: draft-ietf-tls-hybrid-design-15.txt

Internet-Draft draft-ietf-tls-hybrid-design-15.txt is now available. It is a work item of the Transport Layer Security (TLS) WG of the IETF.

   Title:   Hybrid key exchange in TLS 1.3
   Authors: Douglas Stebila
            Scott Fluhrer
            Shay Gueron
   Name:    draft-ietf-tls-hybrid-design-15.txt
   Pages:   23
   Dates:   2025-09-03

Abstract:

   Hybrid key exchange refers to using multiple key exchange algorithms
   simultaneously and combining the result with the goal of providing
   security even if a way is found to defeat the encryption for all but
   one of the component algorithms.  It is motivated by transition to
   post-quantum cryptography.  This document provides a construction for
   hybrid key exchange in the Transport Layer Security (TLS) protocol
   version 1.3.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-15.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-tls-hybrid-design-15

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
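
The ClientHello size point raised in the reply above, as an added example (not part of the original message or of the draft): a check a middlebox can run on the first TCP payload of a flow to see whether the ClientHello record is complete or must be reassembled. Assumptions: a 1460-byte TCP MSS, 300 bytes of other extensions modelled with the padding extension, and the X25519MLKEM768 code point and share length as registered for that group (ML-KEM-768 encapsulation key of 1184 bytes plus a 32-byte X25519 share).

```python
import struct

MSS = 1460  # assumed TCP payload per segment (1500-byte MTU minus IPv4/TCP headers)

# Client key_exchange lengths in bytes; the hybrid share is ek (1184) || X25519 (32).
CLIENT_SHARE_LEN = {"x25519": 32, "X25519MLKEM768": 1184 + 32}
GROUP_ID = {"x25519": 0x001D, "X25519MLKEM768": 0x11EC}

def build_client_hello(group, other_ext_len=300):
    """Constructed TLS 1.3 ClientHello record carrying one key share.
    other_ext_len stands in for SNI, ALPN, etc. (assumed size)."""
    n = CLIENT_SHARE_LEN[group]
    share = struct.pack("!HH", GROUP_ID[group], n) + bytes(n)   # KeyShareEntry
    ks_body = struct.pack("!H", len(share)) + share             # client_shares list
    exts = struct.pack("!HH", 51, len(ks_body)) + ks_body       # key_share (51)
    exts += struct.pack("!HH", 21, other_ext_len) + bytes(other_ext_len)  # padding (21)
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random
            + b"\x00"                     # empty legacy_session_id
            + b"\x00\x02\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                 # legacy_compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # ClientHello handshake msg
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # TLSPlaintext record

def missing_bytes(segment):
    """Bytes still to be buffered before the ClientHello record that starts in
    `segment` (first TCP payload of a flow) can be parsed in full."""
    if len(segment) < 5:
        raise ValueError("need at least the 5-byte TLS record header")
    ctype, _legacy_version, rec_len = struct.unpack("!BHH", segment[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    if len(segment) > 5 and segment[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return max(0, 5 + rec_len - len(segment))

if __name__ == "__main__":
    for group in CLIENT_SHARE_LEN:
        record = build_client_hello(group)
        first = record[:MSS]  # what a parser sees if it reads only one segment
        print(f"{group}: record={len(record)}B, missing after first segment={missing_bytes(first)}B")
```

A parser that treats a non-zero result as "buffer and wait" rather than as a malformed handshake keeps working when clients switch to hybrid key shares.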

