IETF Logo Mail Archive

Re: [TLS] ML-KEM key agreement for TLS 1.3

Deirdre Connolly <durumcrustulum@gmail.com> Thu, 14 March 2024 20:03 UTC

Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75ACBC14F6BD for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 13:03:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L5oG-eBCd8Yj for <tls@ietfa.amsl.com>; Thu, 14 Mar 2024 13:03:32 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91F4BC14F5F9 for <tls@ietf.org>; Thu, 14 Mar 2024 13:03:32 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-563c595f968so1800142a12.0 for <tls@ietf.org>; Thu, 14 Mar 2024 13:03:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710446610; x=1711051410; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=aoXg6BsirodvH06GeCKT8NPB637f+zY33puNwc3IwGM=; b=M/rGKvCSHYrVGYi0U30Y+L8UpIDnEipqUIjeIVoNv5Dqs935ZzjkNJwMyjs/hzLcSS vTLjXSDwjsK587+Nqh+Hys1aUY6HNLFwcObTpWi2Q2rJ0Oh38ZyMBmqkXvrfRkDeswVF /TuUwNlwdJwHq//0Z+W2ouhJ5PvFraxJZkobkayXZsuwfU/3dgkvij9+XkT/x5nekToa CPoXai/XNDXoI3LS6J+RE8drOwV2KBq/WN6oiG/dtJ4zetmY5ow37Qisns1Nyeap/1hX PoUizXOm+zoD+COMu44gCdbQJelrdlPWzix7KPIS4LDi7p9lJhwqRD8uogM977hVxiaF V8RQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710446610; x=1711051410; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aoXg6BsirodvH06GeCKT8NPB637f+zY33puNwc3IwGM=; b=RLEu6aPx0ql6j57uS3N6jXttBcmcf7aIjLH0yExb9S7z/w5q9hYvYGcLUd8nOlkDCR 7eN7P/XLCF5nfHxCqGjlNOAn8S2CgBU3GxAJ3IWZ+hB+7sIoe7B8tnW1fZbSytUIGaPb AjEYTfAfowSBljbRZZmnDR5t+FT7d0kcdKoky8tiu/KOxTF3PzKf3t71vqqJJMQDbsCE v3eHwrRYflq+vHaGkEwJZMUfDNtm4LM42d5HWYjlnZRdo8RkM2niYPiF45LU8dflCgZ8 B8m7v0cR4DbJsoHrEjTkM4dV3PjYFV/of5vYpzCaxGBarEh6vIU3roOymz3HGZ5jvucB 2VxA==
X-Forwarded-Encrypted: i=1; AJvYcCVQE2Fr7QBmVn3G5ON6Rro+/gc8Y0u0v97G5kCZp7UIPxg0Un+wUDc2P0xrQUsmMdCRDS6PMmK0kBWx5V0=
X-Gm-Message-State: AOJu0YwF9vbt0UWxJPeY8ZNyO9I6i+hWvW9cwFvX1v07gkgnsaN7b44H YxRuj2+9XstpMuHvKl6egjfJHlgMAexgyV36xglCrRuR8ltuA7/B9Khv0FRFLWC5157T0QgXtjW FRWFtJBOKXd+qnziVGxscLfuIdxpsiPAu
X-Google-Smtp-Source: AGHT+IH9TPHCRDSEJaMbveDRvbIk9jS+ITn6QzG8d5Z4tTyDi5cRBqjmEsqDhxHxSuWj0Wx0C+ojOVozBF/Ng1WoNgY=
X-Received: by 2002:a05:6402:159b:b0:568:8e7c:8d8a with SMTP id ij27-20020a056402159b00b005688e7c8d8amr940805edb.41.1710446610051; Thu, 14 Mar 2024 13:03:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824wL3sZKoD6OzVpOi8=HZ+aFjqVi4L8UsF8b0p18KOEqVA@mail.gmail.com> <PH8PR09MB929495934EEC8829232EE5DCFC2A2@PH8PR09MB9294.namprd09.prod.outlook.com> <CAFR824ySu7+kA4a_3n9ytg6=3Ow-CPHR+dUJxYOhyh3wOnt1VQ@mail.gmail.com> <8ccc5807-d958-4d9d-8d8c-9b181f0fd708@nist.gov> <CAEEbLAbBB-BkjPWKw2DXJbTG8z4vdJ4sHiVd2Od+6tS0sGNThA@mail.gmail.com>
In-Reply-To: <CAEEbLAbBB-BkjPWKw2DXJbTG8z4vdJ4sHiVd2Od+6tS0sGNThA@mail.gmail.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Thu, 14 Mar 2024 16:03:16 -0400
Message-ID: <CAFR824y2jh=P267vqSPOE2gXZxgzFnasXzOvJ705GKgKL8MQjg@mail.gmail.com>
To: Sophie Schmieg <sschmieg@google.com>
Cc: "David A. Cooper" <david.cooper=40nist.gov@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000997bd10613a46298"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B1dG4fzjouSo1I1nhRKYaQv7Y3M>
Subject: Re: [TLS] ML-KEM key agreement for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 20:03:33 -0000

Good points. I've included these notes in the GitHub tracking issue, and
will leave the document as-is for now.

On Thu, Mar 14, 2024, 3:41 PM Sophie Schmieg <sschmieg@google.com> wrote:

> There was a push to change the parsing logic for ML-KEM public keys to
> never fail, by silently reducing, without changing the hash of the public
> key. I am not sure if NIST ended up adopting that change for their final
> standard (I hope they did, I think it's the best way to handle this
> problem), which would mean that any appropriately sized binary string is a
> valid ML-KEM public key. For ciphertexts, this property is already the
> case, due to the compression that is applied in ML-KEM. If NIST
> incorporated this change, there would be no way for the ML-KEM based key
> agreement to fail explicitly, any failure would result in an implicit
> rejection.
> In the end, this seems to be the same as with elliptic curves as is as
> well, point-not-on-curve checks can result in an explicit rejection of a
> keyshare (for the curves where it can occur), and manipulation of the
> keyshare (by an attacker or some accidental bit flip that somehow was not
> caught) would result in an implicit rejection here as well, with server and
> client computing a different shared secret. The only new possible error
> path I see is due to random decryption failure of a KEM, but given the
> cryptographically low chance, I'm not certain if this failure needs special
> handling in any case, and shouldn't be treated the same as a corrupted key
> share. After all, they are so unlikely that "cosmic rays flipped all the
> right bits for QUIC error correction to not notice" is far more likely to
> result in a decryption error, so treating it the same as a decryption
> failure due to a corrupted ciphertext seems fine to me.
>
> On Thu, Mar 14, 2024 at 11:43 AM David A. Cooper <david.cooper=
> 40nist.gov@dmarc.ietf.org> wrote:
>
>> I do not believe that "decode_error" would be the correct alert. As the
>> text currently says:
>>
>> *Failures* Some post-quantum key exchange algorithms, including ML-KEM,
>> have non-zero probability of failure, meaning two honest parties may derive
>> different shared secrets. This would cause a handshake failure. ML-KEM has
>> a cryptographically small failure rate; implementers should be aware of the
>> potential of handshake failure. Clients can retry if a failure is
>> encountered.
>>
>> At least in the case of ML-KEM, decapsulation failures are implicit. As
>> noted in the text above, the parties would derive different shared secrets
>> (but they wouldn't know it). So, the client would not know that
>> decapsulation failed, it would just be unable to decrypt the encrypted
>> extensions, certificate, etc. The client would have no way of knowing
>> whether this happened because of an ML-KEM decapsulation failure (extremely
>> unlikely) or because some data was changed in transit (much more likely).
>>
>> Given how small the ML-KEM decapsulation failure rate is (2^-139 or
>> less), I wouldn't be surprised if random bit flips in transit that aren't
>> caught by a CRC or other check are more likely than ML-KEM decapsulation
>> failures. Since the two are indistinguishable to the client, the client
>> would have to handle them in the same way. So, I would suggest either
>> omitting this paragraph or just note that a decapsulation failure would be
>> indistinguishable from a scenario in which some data was changed in
>> transit, and so would be handled in the same way.
>>
>> On 3/13/24 7:08 PM, Deirdre Connolly wrote:
>>
>> 4. In the Discussion section (on github), does the portion on failures
>>> need to contain more information about how a failure should be handled in
>>> TLS? Should a decrypt_error alert be sent?
>>
>>
>> Oh very good point, DH doesn't usually fail like this; either because of
>> fundamental (incredibly unlikely) decapsulation failure rates, or just a
>> bug, this is good to handle, and we should probably update -hybrid-design
>> to match. I've tracked this in this GitHub issue
>> <https://github.com/dconnolly/draft-connolly-tls-mlkem-key-agreement/issues/1>
>> for now. For my own sake, here's the `decode_error` defintion from RFC
>> 8446:
>>
>> decode_error:  A message could not be decoded because some field was
>>
>>       out of the specified range or the length of the message was
>>
>>       incorrect.  This alert is used for errors where the message does
>>
>>       not conform to the formal protocol syntax.  This alert should
>>
>>       never be observed in communication between proper implementations,
>>
>>       except when messages were corrupted in the network.
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>
> --
>
> Sophie Schmieg | Information Security Engineer | ISE Crypto |
> sschmieg@google.com
>
>

v2.23.0 | Report a Bug | By Email